How the FBI and Mandiant caught a ‘serial hacker’ who tried to fake his own death


In the early hours of January 20, 2023, a doctor’s user account logged onto the Hawaii Electronic Death Registration System from out of state to certify the death of a man named Jesse Kipf. The death certificate listed the cause as “acute respiratory distress syndrome” as a result of COVID-19 a week earlier. And with that, Kipf was unceremoniously registered as deceased in several government databases.

On the same day, a hacker nicknamed “FreeRadical” posted the same death certificate on a hacking forum in an attempt to monetize the access they had to the system. “Access level is medical certifier which means you can create and certify a death in this panel,” the hacker wrote.

In the post, the hacker included a partial screenshot of the fake death certificate, but they also made a critical mistake. FreeRadical forgot to redact the purported state of birth of the person in the death certificate and left a small part of the state government’s seal showing in the corner of the screenshot.

On the other side of the country in Colorado, Austin Larsen, a senior threat analyst at Google’s cybersecurity firm Mandiant, along with his colleagues, spotted the post online as part of their routine threat intelligence gathering, which includes monitoring cybercrime forums. By homing in on the badly cropped screenshot of the fake death certificate, Larsen and his colleagues realized the forum post was evidence that FreeRadical had hacked the U.S. state government of Hawaii.

Three days after finding the hacking forum post, Larsen notified Hawaii state officials that its government systems had been hacked.

“It is likely the actor compromised a medical certifier account,” the notification read, according to a screenshot of Larsen’s message shared with TechCrunch in an interview earlier in September.

Larsen’s warning set in motion a federal investigation that would reveal that the doctor’s user account used to file the death certificate was compromised by none other than Jesse Kipf himself, the person who had supposedly died. Prosecutors would later allege in a court document that Kipf faked his own death to avoid paying his ex-wife around $116,000 owed to support their daughter.

Kipf, whom prosecutors later called a “serial hacker” with “ample technical knowledge towards making a living by stealing from others,” had made a series of mistakes, including using his home internet connection in Somerset, Kentucky, to connect directly to the Hawaii death registration system, which eventually led federal agents right to his door.

As a result, the U.S. Department of Justice criminally charged Kipf in late November 2023 with a series of hacking crimes. Kipf, prosecutors alleged, had hacked computer systems belonging to a few U.S. states, as well as two vendors of large hotel chains. The Department of Justice’s press release, as well as the indictment published at the same time, didn’t include many of the details of what prosecutors claimed Kipf had done. Forbes had reported a few days earlier that Kipf allegedly hacked the Hawaii Department of Health.

Earlier in September, Mandiant’s Larsen, together with FBI Special Agent Andrew Satornino and Assistant U.S. Attorney for the Eastern District of Kentucky Kate Dieruf, sat down with TechCrunch to reveal how they found Kipf and brought him to justice. The three spoke to TechCrunch ahead of a talk they gave at the Mandiant cybersecurity conference, mWISE.

Kipf, according to Larsen, Satornino, and Dieruf, as well as the court documents in his case, was a prolific hacker with several identities.

Satornino said Kipf was an “initial access broker,” meaning a hacker who breaks into systems and then tries to sell access to those systems to other cybercriminals. In affidavits supporting search warrants against Kipf, the FBI special agent wrote that Kipf had committed credit card fraud to purchase food from food delivery services — and was arrested for it in 2022; used fake Social Security numbers to apply for loans; had more than a dozen U.S. driver’s licenses on his computer; and had hacked Marriott hotel vendors.

Kipf likely got the credentials he used in the Hawaii hack from information-stealing malware that infected the unnamed doctor’s computer; the stolen data then ended up on a Telegram channel for hackers. Kipf used the nickname “GhostMarket09” to operate a credential-stealing service, Larsen said.

Apart from GhostMarket09, Larsen said that Mandiant identified several other monikers that Kipf used on different hacking forums, as well as on Telegram, which included: “theelephantshow,” “yelichanter,” and “ayohulk.” Having that list of monikers, Larsen said he manually reviewed thousands of messages sent by Kipf under his various online personas, going through a database that Mandiant created by scraping the hacking forums, “semi-public chats,” and Telegram channels.

Larsen said that Mandiant identified the FreeRadical and GhostMarket09 personas as being associated with what the company calls UNC3944, or Scattered Spider, a prolific hacking and cybercrime group allegedly behind the MGM Resorts hack, and linked to the broader criminal underworld behind a string of violent crimes known as “the Com.”

According to Larsen, Kipf — as GhostMarket09 — sold stolen credentials for the shipping giant UPS to an alleged member of the Com who uses the moniker “lopiu” or “lolitleu.” Larsen said that Kipf was not part of the Com, but part of the cybercriminal ecosystem enabling it.

“I would say he’s a run-of-the-mill hacker. It felt like he didn’t have fear of consequences either,” said Larsen. “He was adjacently involved in other parts of the criminal community, but really, where he came into play was selling credentials to enable other intrusions.”

A photo of the fake death certificate filed by Jesse Kipf using a doctor’s stolen credentials.
Image Credits: Mandiant (supplied)

In parallel, and unbeknownst to Mandiant, the FBI had received a report from the National Cyber Forensics Training Alliance, a nonprofit that monitors the dark web and collaborates with law enforcement and the private sector, which included a series of nicknames used on the dark web by a hacker located in Kentucky.

The investigation led to Kentucky because Kipf had apparently forgotten to use a VPN at least once when accessing the Hawaii death registration systems, exposing his Somerset, Kentucky, home IP address, according to Larsen and court documents.

Then, in May 2023, Hawaii’s Attorney General’s Office, which was investigating the hack of its death registry, alerted the Kentucky Attorney General’s office that someone in the southeastern state had used the login credentials of a real doctor, who had “system level entitlements to input death worksheets,” to access the Hawaii death registration system and file a death certificate for a man named Jesse Kipf, according to a court document.

On July 13, 2023, U.S. federal agents arrested Kipf at his home in Somerset and took him into custody. In a later interview with the authorities, Kipf confessed to a series of cybercrimes, which he said had allowed him to go without a regular job for five years.

“How did you let your IP slip?” the interviewers asked Kipf, referring to the home IP address Kipf used to connect to the Hawaii system. “Just laziness…I just super didn’t care anymore,” Kipf responded, according to a partial transcript of the interview. Kipf said that he “quit giving a f—.”

In fact, later in the investigation, the authorities found that Kipf had used the same home IP address to attempt to “visit, and extract data from Marriott internet domains and internal servers” between February 9 and May 22, 2023 — a total of 1,423 times. The goal there, according to Satornino, was to sell access to those networks to other hackers on forums used by cybercriminals.

Kipf also said in the interview that he had accessed the death registration systems of Arizona, Connecticut, Tennessee, and Vermont, just to see how easy it would be, the court documents say. In Arizona’s death registry system, Kipf successfully filed a death certificate in which he entered the name “Crab Rangoon” — a type of cheese-filled crispy Chinese wonton — as the name of the deceased, according to a screenshot of the certificate seen by TechCrunch.

He did, however, have some semblance of a plan. Kipf told interviewers that he had created a forged credit profile with a false Social Security number in order to use it after he faked his death, according to court documents.

The hacker also confessed to selling the personal information of hacking victims to people in Algeria, Ukraine, and Russia, and to providing access information for a Marriott vendor system to Russians, court documents show.

Once the FBI was able to go through Kipf’s devices, they found past Google searches in his browsing history suggesting he had been looking for information on how to avoid paying child support, said Satornino.

Finally, Kipf was also accused of hacking into GuestTek and Milestone, two vendors that worked with Marriott hotels. In those hacks, too, Kipf used his home IP address.

Perhaps because of all the evidence Mandiant and the FBI had gathered on Kipf’s history of cybercrime, and his confession in the interview with the authorities, the hacker reached a plea deal with prosecutors. Kipf formally admitted to causing close to $80,000 in damages to the government and corporate networks he hacked, and $116,000 in unpaid child support owed to his ex-wife. He also admitted to identity theft, for using the doctor’s stolen credentials in the Hawaii hack to create the death certificate.

“The Defendant is a serial hacker, stealing personal identifying information and infiltrating protected computer networks of businesses and governmental entities with abandon,” Dieruf wrote in a memorandum asking the court to sentence Kipf to seven years in prison. “He caused significant damage, both monetarily and in the form of technological responses, to his corporate and governmental victims.”

Dieruf added: “By attempting to kill himself off to avoid child support obligations, [Kipf] continues to re-victimize his daughter and her mother, who are owed more than $116,000 in child support obligations.”

In the sentencing memorandum filed by Kipf’s lawyer, Thomas Miceli, the lawyer conceded that Kipf “understands and does not deny the seriousness of his conduct.” Miceli, who didn’t respond to TechCrunch’s request for comment, wrote at the time that Kipf had been diagnosed with paranoid delusions and schizophrenic tendencies, and that his “mental health spiraled after the conclusion of his military service” in Iraq, which “increased his drug addiction.”

Kipf was sentenced to 81 months in prison, just shy of seven years. According to the Department of Justice press release announcing his sentencing in August, Kipf must serve at least 85% of his prison sentence — more than five years — under federal law.
