In the early morning hours of January 20, 2023, a doctor's user account logged onto the Hawaii Electronic Death Registration System from out of state and certified the death of a man named Jesse Kipf. The death certificate listed the cause of death as “acute respiratory distress syndrome” caused by the new coronavirus infection a week ago. As a result, Kipfu was randomly registered as a deceased person in several government databases.
On the same day, a hacker nicknamed “FreeRadical” posted the same death certificate on a hacking forum in an attempt to monetize access to the system. “The access level is Medical Authenticator, which means deaths can be created and authenticated with this panel,” the hacker wrote.
The hacker attached some screenshots of the fake death certificate to the post, but also made a critical mistake. Free Radical forgot to edit the person's birth status on the death certificate, leaving a small portion of the state government seal visible in the corner of the screenshot.
On the other side of the country, in Colorado, Austin Larsen, a senior threat analyst at Google's cybersecurity firm Mandiant, and colleagues are conducting online surveillance as part of their regular threat intelligence collection, which includes monitoring cybercrime forums. Found this post. Larsen and colleagues focused on improperly cropped screenshots of fake death certificates and found that the forum posts were evidence that free radicals had hacked the U.S. state government of Hawaii.
Three days after discovering the hacking forum post, Larsen notified Hawaii state authorities that the government system had been hacked.
“An attacker may have compromised a medical authenticator's account,” the notification read, according to a screenshot of Larsen's message, which he shared with TechCrunch in an interview in early September.
Larsen's warning sparked a federal investigation that revealed that the doctor's user account used to file the death certificate had been compromised by none other than the deceased Jesse Kipf himself. It will be. Prosecutors later claimed in court documents that Kipf faked his own death to avoid paying his ex-wife about $116,000 in child support for their daughter.
Kipfu, who prosecutors later described as a “serial hacker” with “sufficient technical knowledge to steal from others for a living,” used his home internet from Somerset, Kentucky, to connect directly to Hawaii's death registry. He made a series of mistakes, including: This system eventually led to federal agents arriving directly at his home.
As a result, the U.S. Department of Justice filed criminal charges against Kipf in late November 2023 for a series of hacking crimes. Prosecutors allege that Kipf hacked into computer systems belonging to vendors in three U.S. states and two major hotel chains. The indictment, released at the same time as the Justice Department's press release, did not include many of the details that prosecutors alleged Kipf had committed. Forbes reported a few days ago that Kipfu is suspected of hacking the Hawaii Department of Health.
In early September, Mandiant's Larsen spoke with TechCrunch, along with FBI Special Agent Andrew Saturnino and Assistant U.S. Attorney Kate DiRuff of the Eastern District of Kentucky, explaining how they found Kipf and brought him to justice. It was revealed that Tanaka. The three spoke to TechCrunch ahead of their presentations at the Mandiant cybersecurity conference mWISE.
Kipf was a prolific hacker with multiple identities, according to court documents in Larsen, Saturnino, Dirouf and his case.
Saturnino said Kipf is an “initial access broker,” a hacker who attempts to break into systems and sell access to those systems to other cybercriminals. In an affidavit supporting the search warrant against Kipf, an FBI special agent wrote that Kipf committed credit card fraud to purchase food from a food delivery service and was arrested in 2022. He used a fake Social Security number to apply for loans and had more than a dozen U.S. driver's licenses stored on his computer. And he claimed to have hacked a Marriott hotel vendor.
Kipfu likely obtained the credentials he used in the Hawaii hack from information-stealing malware that infected an anonymous doctor's computer, which may have been forwarded to a Telegram channel for hackers. Larsen said Kipf himself operated a credential theft service using the nickname “GhostMarket09.”
Apart from GhostMarket09, Mandiant identified several other nicknames that Kipf used on various hacking forums and Telegrams, including “theelephantshow,” “yelichanter,” and “ayohulk,” Larsen said. Ta. Mr. Larsen, who has this list of nicknames, examined a database created by Mr. Mandiant by collecting hacking forums, “semi-public chats” and Telegram channels, and found that Mr. Larsen, who has this list of nicknames, was sent to him by Mr. Kipf under various online personas. He said he manually reviewed thousands of messages.
Larsen said Mandiant has ties to the FreeRadical and GhostMarket09 personas to the prolific hacking and cybercrime group allegedly behind the MGM Resorts hack, which the company calls UNC3944 (Scattered Spider). , said it had identified links to a broader criminal underworld behind a series of violent crimes. It is known as “The Com”.
Larsen said Kipfu provided stolen credentials for shipping giant UPS to an alleged member of the com, who goes by the nicknames “Lopiu” or “Lolittle,” as GhostMarket09. Larsen said Kipf is not part of Com, but part of the cybercrime ecosystem that enables it.
“I think he's an average hacker. He didn't have any fear of the consequences,” Larsen said. “Although he was adjacently involved in other parts of the criminal community, his real breadth was selling credentials to enable other infiltrations.”
Photo of the fake death certificate submitted by Jesse Kipf using a doctor's stolen credentials. Image credit: Mandiant (Provided)
In parallel, unbeknownst to Mandiant, the FBI had received a report from the National Cyber Forensic Training Alliance, a nonprofit organization that monitors the dark web and works with law enforcement and the private sector. Dark web by hackers in Kentucky.
Larsen and court documents say Kipfu forgot to use a VPN at least once when accessing Hawaii's death registration system, exposing his home IP address in Somerset, Ky. It is said that it is connected to the state.
And in May 2023, the Hawaii Attorney General's Office, which was investigating the death registry hack, told the Kentucky Attorney General's Office that someone in the southeastern state “had system-level entry authority. “I used the login credentials of a real doctor.” According to court documents, he used a “death worksheet” to access the Hawaii Death Registration System and submit a death certificate for a man named Jesse Kipfu.
On July 13, 2023, U.S. federal agents arrested Kipf at his home in Somerset and took him into custody. In a subsequent interview with authorities, Kipf confessed to a series of cyber crimes, which he said had kept him from holding a regular job for five years.
“How did you leak your IP?” the interviewer asked about the home IP address Kipf used to connect to the Hawaii system. “It's just laziness…I just don't care anymore,” Kipf said, according to a partial transcript of the interview. “I quit AF,” Kipf said.
In fact, later in the investigation, authorities discovered that Kipf used the same home IP address to access a total of 1,423 “Marriott Internet domains and internal servers between February 9, 2023 and May 22, 2023. I found out that you tried to “extract data”. times. The goal, Saturnino said, was to sell access to these networks to other hackers on forums used by cybercriminals.
Kipf also said in an interview that he accessed the death registration systems in Arizona, Connecticut, Tennessee and Vermont just to see how easy it was, according to court documents. Kipfu died in Arizona's death registration system, which listed the deceased as “crab rangoon” (a type of crispy Chinese wonton filled with cheese), according to a screenshot of the certificate seen by TechCrunch. The certificate was successfully submitted.
But he had some kind of plan. According to court documents, Kipf told an interviewer that he created a false credit report using a false Social Security number to use after faking the death.
According to court documents, the hackers also admitted to selling hack victims' personal information to people in Algeria, Ukraine and Russia, and providing the Russians with access to Marriott's vendor systems.
Saturnino said the FBI searched Kipf's device and found past Google searches in his browsing history that suggested he was trying to find information on how to avoid paying child support. .
Finally, Kipf was also suspected of hacking GuestTek and Milestone, two vendors affiliated with Marriott Hotels. In these hacks, Kipf also used his home IP address.
Perhaps because of all the evidence Mandiant and the FBI gathered regarding Kipf's cybercrime history and confessions in interviews with authorities, the hacker reached a plea deal with prosecutors. Kipf formally acknowledged that he caused nearly $80,000 in damages to the government and corporate networks he hacked, and nearly $116,000 in unpaid child support to his ex-wife. He also admitted identity theft for using doctor's credentials stolen in the Hawaii hacking incident to prepare death certificates.
“The defendant is a serial hacker who steals personally identifying information and freely infiltrates the protected computer networks of businesses and government agencies,” Dirouf told the court, sentencing Kipf to seven years in prison. It was written in a memorandum asking them to do so. “He caused significant harm to corporate and government victims, both financially and in the form of technical responses.”
Ms Dirouf added: “By attempting suicide to avoid child support obligations, [Kipf] Continues to re-victimize daughter and mother who owe over $116,000 in child support. ”
In a sentencing memorandum filed by Kipf's attorney, Thomas Miceli, he acknowledged that Kipf “understands the gravity of his actions and does not deny them.” Miceli, who did not respond to TechCrunch's request for comment, said at the time that Kipf had been diagnosed with paranoid delusions and schizophrenic tendencies, that his “mental state deteriorated after his military service” in Iraq and that he was “subject to drug use.” The amount has increased,” he wrote. addiction. ”
Kipfu was sentenced to 81 months in prison, short of seven years. Under federal law, Kipf must serve at least 85 percent of his sentence (not less than five years), according to a Justice Department press release announcing the sentence in August.