In April, we traditionally ask our Leading Analyst Sergio Bertoni to share his selection of funny, ridiculous and silly IS incidents.

This digest issue includes: an office paper thief, a museum exhibits sale on eBay, an AI-generated playlist and an employee, who impersonated a hacker, blackmailing his employer.

The irony of fate 

What happened: a famous hacker was held hostage by his own virus.

How it happened: Since 2020, a cybercriminal, known as "La_Citrix" has been hacking companies and selling access to their servers. He also sold sensitive data stolen from victims. Hudson Rock investigators discovered that while infecting his victims' computers, La_Citrix accidentally downloaded the infostealer onto his own PC as well. Apparently, he didn't even notice it, so he sold his own data. 

During the investigation, Hudson Rock experts discovered that the attacker's API was linked to nearly 300 different companies. This happened because the hacker performed attacks via his own PC and saved corporate credentials in browsers, which he used for performing hacks. The experts also managed to reveal La_Citrix's real name, his phone number and home address. They intended to share this information with police enforcements. 

 Sergio Bertoni, the Leading Analyst SearchInform: Even an experienced hacker can fall victim to his own tricks. This case reminds the similar incident that happened to a famous organiser of the largest DDoS attacks. He had remained anonymous for six years. David Bukoski, owner of the DDoS service Quantum Stresser, revealed himself by ordering a pizza online. When ordering the pizza, the hacker inputted the email address he used to sign up for Quantum Stresser. 

By a piece of paper

What happened: an employee managed to steal paper worth €240,000 from the office. She managed to buy property and some other cool things.

How it happened: an employee of the housekeeping department of one organizations had been taking paper out of the office for almost a year and a half. According to the prosecutor's office, the woman stole a total of 112 thousand bundles of office paper, the total value of which exceeded €240,000. With the proceeds from the sale of paper, the employee bought herself a flat and a Mercedes-Benz car.

When the woman found out about the criminal case against her, she sold the property at an undervalue and got lost. As a result, she was put on an international wanted list and a measure of restraint in the form of imprisonment was chosen in absentia.

Sergio Bertoni, the leading analyst at SearchInform:  The incident with paper theft once again reveals in an illustrative manner, what one employee can do. In smaller companies, our analysts often encounter wasteful use of employer’s resources. For example, employees regularly exploit printers for personal use. Recently, in one of our customer’s company it was revealed, that a female employee printed out 1,500,000 pages of school textbooks.

I also recall an incident with the opposite effect. An employee of a small company was stealing coal. The executives were aware of the issue, but, for some reason did not solve the problem (apparently, they had too much coal). After a while the enterprise switched to another type of fuel, and the coal was not needed any more. Disposal would have required additional funds. It is funny, but the employee, who used to steal coal became not a pest, but a helper. The issue of coal utilization was slowly but surely solved with his help.

Art crime

What happened: an employee of London's British Museum sold artefacts on eBay.

How it happened: the museum sued Peter John Higgs, the curator of the Greek collections. It turned out that Peter, who worked at the museum for nearly 30 years, had been selling off artefacts ranging from jewellery to gems from ancient Rome since 2016. The artefacts sold date back to the period of time, lasting from the 15th century BC to the 19th century AD. According to The Times, the damage by ex-employee actions resulted in approximately $102 million.

The employee was caught at the moment when he started to publish advertisings of the items, which were described in details in the museum's digital catalogues. In addition, although the man used a pseudonym, he forgot that his Paypal account was linked to Twitter, where he used to publish posts using his real name.

According to The Daily Telegraph, the museum representatives were acknowledged about the thefts several years ago, but decided not to publicize the incident and fired the curator only in the summer of 2023. It was also claimed that some of the artefacts were not insured, moreover, they were not even registered in digital catalogues.

So, it is almost impossible now to prove that they belonged to the collection of the British Museum.

Sergio Bertoni, the Leading analyst at SearchInform: The incident indicates how important it is to conduct an inventory, including digital archives, as well as to perform the audit of users’ access rights.

It's all hackers

What happened: the information security department employee impersonated the hacker to blackmail his employer.

How it happened: in 2018, hackers attacked an Oxford-based company with the help of ransomware. After the incident, the attackers contacted the organization’s executive and demanded a ransom. The company's IS analyst Ashley Lyles, who was actively involved in internal investigations of the incidents, decided to take advantage of the situation.

Lyles gained access to the company's executive email, changed the content of the original email, sent by the hackers and also changed the address to which it was required to send the ransom. He had been corresponding with management for some time and tried to persuade them to pay the ransom. But eventually the company officials refused to pay, and the investigation led police enforcements to Ashley Lyles' home IP address.

For nearly five years, the employee had been denying involvement in the incident, but in May 2023, Lyles finally did plead guilty.

Sergio Bertoni, the Leading Analyst at SearchInform: This case takes us back to the ever-lasting question, which we are also often asked at various conferences: who controls the controllers? Among IS officers, not everyone is white and fluffy either.

AI playlist

What happened: a scammer made $13,000 from selling fake tracks.

How it happened: a man sold 9 fake tracks. He managed to persuade the customers that those tracks belonged to the famous R&B and Hip-Hop singer and songwriter Frank Ocean. He assured his customers, that those tracks were leaked. The fraudster sold the tracks at the price, ranging between $3,000-$4,000 per unit.  In fact, the user under the nickname "Mourningassassin" simply used the singer's voice and generated new tracks with the help of AI-related technology.

The scammer took advantage of the hype from fans who had been waiting for Frank Ocean’s tracks since 2016. In April, the singer made an appearance at a festival and hinted at the album's imminent release. 

Sergio Bertoni, the Leading Analyst at SearchInform: Incidents like this are interesting to examine in terms of how AI-related technology is changing the crime landscape. My favourite incident so far is the collective deepfake call that resulted into loss of over $25 million.

What time is it?

What happened: the large bank's data center went down due to discharged batteries.

How it happened: One of the UK's largest banks experienced a failure in all information systems, including the data center. The incident was so serious, that employees were unable to work. The IT department rebooted servers and ran diagnostics, but the measures didn't help get the systems back up, as the problem wasn't in the bank's IT systems. The reason for the failures was discharged batteries, which the bank's technical support staff forgot to change. It turned out that the batteries in two radio clocks, which set time in all the bank's information systems, were discharged. The clocks stopped showing the exact time, what caused all devices to automatically roll back to the date of 1 January 1954.

Sergio Bertoni, the Leading Analyst at SearchInform: An exception that confirms the rule "it works - don't touch it". But it's still important not only to build an infrastructure "for the ages". It’s required to periodically perform audit and constantly work on optimisation, otherwise you may find that systems suddenly stop working.