Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
US jury deliberates on fate of accused Capital One hacker
17 June 2022 22:01 by Amy Miller
Accused Capital One hacker Paige Thompson has been described as many things during her two-week US trial in Seattle: cryptojacker, white-hat hacker, troubled, braggart.
But the former Amazon Web Services employee who went by the handle “erratic” never testified about why she downloaded massive amounts data from about 30 companies from March to August of 2019.
Now, the critical question for jurors as they deliberate is: Does the government’s evidence prove that Thompson illegally tricked AWS security systems to get that data? Or was she trying to warn them after the companies let her in through their own negligence?
Thompson, 36, faces nine counts of computer fraud, wire fraud and identity theft in a federal trial that began June 7 in Seattle. She’s accused of violating the Computer Fraud and Abuse Act, an anti-hacking law that forbids accessing computers without authorization.
At closing arguments on Thursday, US Attorney Andrew Friedman made his final pitch to the jury that Thompson was a “cryptojacker” in search of money and fame. The government’s witnesses, forensic evidence, and her own words prove that Thompson had no authorization to gather all that data, which she planned to use for identity theft, he said.
The companies’ security experts and agents from the US Federal Bureau of Investigation laid in minute, technical detail how Thompson exploited a security vulnerability on AWS security systems to access corporate servers and mine for cryptocurrency, Friedman said.
Security experts from AWS and Capital One testified that their systems were protected and designed to exclude outsiders, he said.
But because Thompson used to work for AWS, she knew how to scan millions of its clients' computers looking for firewalls that would allow her to relay her messages to something called the Instance Metadata Service, Friedman said.
“Ms. Thompson shouldn't have been able to communicate with the Instance Metadata Service, and it shouldn't have answered her questions, but it did because of how she had approached it, how she tricked it,” Friedman said.
He pointed to testimony from FBI computer scientist Waymon Ho, who explained how Thompson evaded firewall protections, and how he could see her code evolving over time as she ran into roadblocks.
Ho also found several folders with data from AWS clients on her computer, Friedman said. There was also a folder with all of the tools Thompson used to plant cryptocurrency mining software on companies’ computers, Friedman said.
“She must have spent hundreds of hours on this exploit,” Friedman said.
Secret Service Agent Ken Henderson testified that the data-set Thompson took would probably be worth $500,000 or more on the black market, Friedman noted. Meanwhile, Thompson’s Internet searches show that she was looking for ways to sell that data on the black market, including renting servers in Russia, Friedman said.
But Kat Valentine, a compliance expert from Northern California, spoiled Thompson’s plan by reporting her to Capital One after Thompson reached out to her on Twitter to brag about her exploits, Friedman said.
Friedman also pointed jurors to Thompson’s own words to friends and on social media.
"Just living with a friend and hacking EC2 instances and getting access to some AWS accounts and using them to mine crypto,” she said in one instant message to friend.
"Like I've straight up gone to my counselor, told her I was hacking stuff and stealing CPU time to mine crypto, and buying new things for myself and wearing new designer clothes,” she said in an online chat room.
"I have about $5,000 a month coming in now, but it's all in Ethereum, and I have to find a safe way to convert, because I'm hacking AWS accounts to get it, using EC2 GPUs miners,” she said in another text.
“Ms. Thompson's motivation was not to be a white hat hacker,” Friedman said. “Nothing in the evidence suggests it was. You haven't seen anything that suggests that benign motive. What you've seen as evidence is that she wanted data, she wanted money, she wanted to brag.”
Defense attorney Mohammad Ali Hamoudi downplayed Thompson’s most inflammatory online statements in his closing argument. She may have possessed data from AWS clients, but she never actually shared or sold it it, Hamoudi said.
But she liked to exaggerate and brag, according to testimony from a long-time friend, Tim Carstens, who testified about Thompson’s unstable family life and her personal and professional struggles as a transgender woman, Hamoudi said.
“She's known to say troubling things that she doesn't truly mean in order to get attention, to get a response,” Hamoudi said.
The government is trying to make what Thompson did “seem alarming and frightening,” when in fact what she did was “quite simple,” Hamoudi said.
The only proof that matters is how the computers were configured at the time of access, and they were set up to give someone like Thompson access, he said. Capital One set up its firewall and chose to allow external requests, he said, and it was alerted about potential vulnerabilities more than once, but never found them.
“Ms. Thompson is here because she read the instruction manual, and Capital One did not,” Hamoudi said.
Defense witness Alex Halderman, a computer science professor at the University of Michigan, testified that Thompson was authorized to access the computers, Hamoudi said.
“Ms. Thompson used publicly known commands recognized and authorized by AWS computers, because that is how the companies configured them to run the commands,” Hamoudi said. “There was no trick."
And Hamoudi pointed jurors to a mysterious note passed to an Amazon engineer in May 2019 at a conference alerting the company to a security breach. Evidence and testimony show that note could have been a message from Thompson to help Capital One fix the problem, an argument the government rejects, he said.
The trial is taking place because Capital One needs a scapegoat, and Thompson, a troubled transgendered woman who made inflammatory statements, was an easy target, Hamoudi said.
“A person's statements, even erratic statements suggesting criminality, do not make you a criminal,” Hamoudi said. “Actions speak louder than words, and Ms. Thompson’s actions here, or her lack of actions with the data, are the evidence of intent you should rely on.”
No results found