AFP charges man with creating global spyware tool

An Australian man, 24, who sparked a global law enforcement operation for allegedly creating and selling spyware purchased by domestic violence perpetrators and other criminals, has been charged by the AFP.

The man, who was 15 years old when he allegedly created the Remote Access Trojan (RAT), was scheduled to appear in Brisbane Magistrates Court yesterday (29 July, 2022). The matter was adjourned until 19 August 2022.

In a world first for any law enforcement agency, the AFP was not only able to identify the alleged Australian offenders who bought the RAT but also identified the Australian victims who were targeted.

AFP investigators served a summons on the man at his Melbourne home on 6 July, 2022, to face six charges for his alleged role in creating, selling and administering the RAT between 2013 and 2019.

A woman, 42, who lives at the same Frankston home as the man, was served a summons to face one count of dealing with the proceeds of crime. She also faced Brisbane Magistrates Court yesterday (29 July, 2022).

It will be alleged the Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.

The AFP identified 201 individuals in Australia who bought the RAT. A statistically high percentage of the Australia-based PayPal purchasers of IM RAT, 14 individuals (14.2%), are named as respondents on domestic violence orders. One of those purchasers is also registered on the Child Sex Offender Register.

Of those 14 individuals, 11 bought the RAT while their domestic violence order (DVO) was active or within two years of the DVO being issued.

Once the RAT was installed on a victim's computer, users could control that computer, steal the victim's personal information, or spy on them by turning on the device's webcam and microphone, all without the victim's knowledge.

It could also log keystrokes, meaning users could see what was being typed in emails and other documents, such as a victim's home address.

The spyware could be installed in a number of ways, including phishing (duping a victim into opening a malicious attachment or link in an email or text message).

The AFP believes there were tens of thousands of victims globally.

In Australia, the AFP identified 44 victims. In October 2019, the AFP released an intelligence bulletin to Australian state and territory partners about a number of suspects in their jurisdictions.

AFP investigations are ongoing and it would be inappropriate to elaborate further.

The RAT cost about AUD$35 (US$25) and was allegedly advertised on a forum dedicated to hacking. It will be alleged the man made between $300,000 and $400,000 from selling the malware.

Financial analysis showed that most of the money raised from allegedly selling the RAT paid for the man’s food delivery services and other consumable and disposable items.

Operation Cepheus began when the AFP received information from cyber security firm Palo Alto Networks and the FBI about a suspicious RAT in 2017.

The information sparked a global investigation, which included more than a dozen law enforcement agencies in Europe.

Eighty-five search warrants were executed globally, with 434 devices seized and 13 people arrested for using the RAT for alleged criminality.

A team of five AFP cybercrime investigators worked on gathering critical intelligence as well as shutting down the RAT. Once the AFP shut down the RAT in 2019, it stopped operating on all devices across the globe.

The same year, the AFP received admissible evidence from overseas law enforcement agencies that enabled the Australian man to be arrested.

The AFP-led investigation executed two search warrants in 2019 at the man’s then home in Brisbane. Investigators seized a number of devices including a custom-built computer containing code consistent with the development and use of the RAT.

The man was charged with:

  • One count of producing data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
  • Two counts of supplying data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
  • One count of aiding, abetting, counselling or procuring the commission of an offence, namely the unauthorised modification of data to cause impairment, contrary to sub-sections 11.2(1) and 477.2(1) of the Criminal Code Act 1995 (Cth); and
  • Two counts of dealing in the proceeds of crime to the value of $100,000 or more, contrary to section 400.4(1) of the Criminal Code Act 1995 (Cth).

The maximum penalty for these offences is 20 years’ imprisonment.

The 42-year-old woman has been charged with dealing in the proceeds of crime to the value of $100,000 or more, contrary to section 400.4(2) of the Criminal Code Act 1995 (Cth).

The maximum penalty for this offence is 20 years’ imprisonment.

AFP Commander Cybercrime Operations Chris Goldsmid said cyber jobs could often be abstract for many in the community but this operation provided clear and real examples of how dangerous tech-enabled crime could be.

“These types of malware are so nefarious because it can provide an offender virtual access to a victim’s bedroom or home without their knowledge,” Commander Goldsmid said.

“Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes.

“One of the jobs for the AFP is to educate the public about identifying and protecting themselves from spear-phishing attacks or socially-engineered messaging – essentially emails or text messages that trick individuals into uploading malware.”

Commander Goldsmid said the AFP was a global leader in fighting cybercrime and worked closely with its international partners to ensure that developers and users of insidious malware would be brought to justice.

“This outcome is the culmination of years of collaboration between the AFP and its international partners, trawling through thousands of pieces of data to bring to account those who are responsible for breaching the privacy of innocent people,” he said.

While buying the RAT was not itself unlawful, installing the spyware on another person's computer without their consent is a crime.

Tips to protect yourself from remote access trojan malware:

Be aware of the infection signs:

  • Your internet connection is unusually slow;
  • Unknown processes are running in your system (visible in the Process tab in Task Manager);
  • Your files are modified or deleted without your permission;
  • Unknown programs are installed on your device (visible in the Add or Remove Programs tab in the Control Panel).
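The Task Manager check above can be done more systematically from PowerShell. The following script is an added example written for this page, not a tool from the AFP or from the investigation; it lists running processes with their image path and Authenticode signature status, flags unsigned binaries running from user-writable locations (where a RAT dropped by a phishing attachment typically lands), dumps the Run/RunOnce autostart keys that such malware commonly uses for persistence, and shows established TCP connections owned by the flagged processes. It assumes an elevated Windows PowerShell 5.1 or later session on the suspect host; the path patterns and key list are reasonable defaults, not an exhaustive set.

```powershell
# Added triage script (not part of the AFP release). Assumptions: elevated
# PowerShell 5.1+ on the suspect Windows host; the path pattern and the
# autorun key list below are illustrative defaults, not a complete list.

# 1. Running processes with executable path and Authenticode signature status.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID       = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Unsigned binaries running from user-writable directories deserve a closer look;
# a legitimately installed program normally lives under Program Files and is signed.
$suspicious = $procs | Where-Object {
    $_.Signature -ne 'Valid' -and
    $_.Path -match '\\(Users|ProgramData|Temp)\\'
}
"=== Unsigned processes running from user-writable paths ==="
$suspicious | Format-Table PID, Name, Path, Signature -AutoSize

# 2. Run/RunOnce autostart entries for the machine and the current user
#    (a common persistence location for commodity RATs).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"=== Autostart entries ==="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # skip PowerShell's own PS* metadata properties
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 3. Established TCP connections owned by the flagged processes: a RAT must
#    talk to its operator, so an unsigned process with a live outbound
#    connection to an unfamiliar address is the strongest signal here.
"=== Established connections from flagged processes ==="
$suspPids = @($suspicious | ForEach-Object { $_.PID })
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $suspPids -contains $_.OwningProcess } |
    Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
    Format-Table -AutoSize
```

Run it before disconnecting the machine if you can do so safely, since step 3 only shows connections that are live at that moment; an empty result does not prove the host is clean, and a signed binary can still be malicious, so treat the output as a starting point for a full scan rather than a verdict.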

Protect yourself:

  • Ensure that your security software and operating system are up to date;
  • Ensure that your device’s firewall is active;
  • Only download apps and software from sources you can trust;
  • Cover your webcam when not in use;
  • Regularly back up your data;
  • Be wary while browsing the internet and do not click on suspicious links, pop ups or dialogue boxes;
  • Keep your web browser up to date and configured to alert you when a new window is opened or a file is downloaded;
  • Do not click on links and attachments within unexpected or suspicious emails.

What to do if infected with the malware:

  • Disconnect your device from the network as soon as possible, in order to prevent additional malicious activity;
  • Install security software from a trustworthy source;
  • Run a full scan of your device with that security software and remove any threats it finds;
  • Once you think the infection has been removed, change the passwords for your online accounts and check your banking activity. Report anything unusual to your bank and, as needed, to the Report Cyber website;
  • Learn how to protect your computer from future infections and avoid data loss.

Breakdown of PayPal purchases in Australia

DVO = respondent to a domestic violence order; CSOR = Child Sex Offender Register record; Total = total number of IM purchasers.

State/Territory    DVO    CSOR    Total
ACT                 0      0        2
NSW                 7      0       30
Qld                 2      0       20
SA                  1      0        6
Tas                 0      0        1
Vic                 3      1       23
WA                  1      0       15
Unknown location    0      0        1
Total              14      1       98
