Skip to main content

Rutherford Man Admits His Role in Computer Hacking, Spamming Scheme That Targeted Millions

Rutherford

Two men today admitted their roles in a computer hacking and identity theft scheme that hijacked customer email accounts, stole personally identifiable information (PII) from millions of people, and generated more than $2 million in illegal profits, U.S. Attorney Paul J. Fishman announced.

Tomasz Chmielarz, 33, of Rutherford pleaded guilty to count one and count three of an indictment charging him with conspiracy to commit fraud and related activity in connection with computers and conspiracy to commit fraud and related activity in connection with electronic mail.

Devin James McArthur, 28, of

Ellicott City, Maryland, pleaded guilty to count two of the indictment charging him with conspiracy to commit wire fraud.

Both defendants pleaded today before U.S. District Judge William J. Martini in Newark federal court.

According to documents filed in this case and statements made in court:

Beginning as early as 2011, Timothy Edward Livingston, 30, of Boca Raton, Florida, and others allegedly operated A Whole Lot of Nothing LLC — a business that specialized in sending unsolicited, or “spam,” emails on behalf of its clients. Livingston’s clients included legitimate businesses, such as insurance companies that wished to send bulk emails to advertise their businesses, as well as illegal entities, such as online pharmacies that sold narcotics without prescriptions. Typically, Livingston charged $5 to $9 for each spam email that resulted in a completed transaction for a client.

Many internet service providers use filters to prevent spam from reaching their customers’ email accounts. Chmielarz admitted that beginning in January 2012, Livingston solicited him to write computer programs that send spam in a manner that conceals the true origin of the email and bypasses spam filters. In addition, Livingston and Chmielarz used proxy servers and botnets to remain anonymous, hide the true origin of the spam, and evade anti-spam filters and other spam blocking techniques. Livingston also allegedly registered certain websites used in the spam campaigns in the name of his alias, “Mark Lloyd,” to avoid detection.

Chmielarz admitted that he and Livingston hacked into individual email accounts and seized control of corporate mail servers to further their spam campaigns.

For instance, they created custom software designed to hack into the customer email accounts of a company identified in the indictment as “Corporate Victim 1.” Once their email account software gained access to a Corporate Victim 1 user’s account, it created sub-accounts and used them to send out spam. By using proxy servers and Corporate Victim 1’s customer accounts, Livingston and Chmielarz were able to send out massive amounts of spam without identifying themselves as the senders.

Chmielarz also admitted that he and Livingston created custom software that exploited vulnerabilities in a number of corporate websites, including one identified in the indictment as “Corporate Victim 2,” which allowed Livingston and Chmielarz to use Corporate Victim 2’s email servers to send out spam that appeared to be from Corporate Victim 2, but in reality was from Livingston and his conspirators.

Livingston, Chmielarz and McArthur also worked together to steal databases containing the PII of millions of Americans for use in spam campaigns. In May of 2013, Livingston and Chmielarz discussed stealing confidential business information from “Corporate Victim 3,” as identified in the indictment. In an online chat, Livingston told Chmielarz, “here is the site I need scrapped (sic),” and provided Chmielarz with an address for Corporate Victim 3’s website and the login credentials for an employee. “Scraping” is a technique employed to extract large amount of data from websites.

In another online chat, Livingston told Chmielarz that the database they were going to steal from Corporate Victim 3 contained 10 million records. Livingston subsequently paid Chmielarz to write a computer program to steal the database.

From February 2014 through February 2015, McArthur worked as a sales representative at a corporation identified in the indictment as “Corporate Victim 4.” In a series of online chats in August 2014, Livingston, Chmielarz, and McArthur discussed using McArthur’s position at Corporate Victim 4 to steal confidential business information, including the PII of millions of the company’s customers.

McArthur admitted that on Aug.11, 2014, he gave Livingston unauthorized access to a remote administration tool on a computer connected to Corporate Victim 4’s network. Livingston and Chmielarz used the access to steal the names, addresses, phone numbers, and email addresses of potential, current, and former Corporate Victim 4 customers for use in spam campaigns.

In an online chat dated Sept. 3, 2014, Livingston and McArthur discussed the contents of the database that they had stolen from Corporate Victim 4. McArthur estimated that they had succeeded in stealing 24.5 million records.

The charges of conspiracy to commit fraud and related activity in connection with computers and conspiracy to commit fraud and related activity in connection with electronic mail to which Chmielarz pleaded guilty each carry a maximum potential penalty of five years in prison and $250,000 fine, or twice the gain or loss from the offense.

The conspiracy to commit wire fraud charge to which McArthur pleaded guilty carries a potential penalty of 20 years in prison and a $250,000 fine, or twice the gain or loss from the offense. Sentencing for both defendants is scheduled for Sept. 13, 2016.

Livingston is scheduled for trial on Oct. 13, 2016, before Judge Martini.

1,000