a.k.a Umbreon

[Lord777]

The hacker "Umbreon" turned out to be an employee of an information security company. He refused bail to continue working with a prison psychiatrist.

Known primarily for "RaidForums" and "BreachForums", the hacker, hiding under the nickname "Umbreon", was arrested in the Netherlands in January 2023 on charges of hacking, extortion and money laundering. Together with him on the case are two of his accomplices. It turned out that "Umbreon" is a 21 — year-old Dutch citizen from the city of Zandvoort Pepein Van der Stap.

What is surprising in this story is that Van der Stap was an employee of the information security company Hadrian Security, and he also worked very actively with the Dutch Vulnerability Disclosure Institute, helping organizations that applied to it to find vulnerabilities in their infrastructure and eliminate them.

"The assumptions of the Dutch police that I was a white hacker during the day and a black hacker at night are fundamentally wrong. Most of my criminal activities were carried out during the period preceding my entry into legal activity. Moreover, I started fighting cybercriminals even before I became a white hacker. In the last 16 months before my arrest, I did not engage in illegal activities," Van der Stap said.

In addition, "Umbreon" said that for a long time he struggles with post-traumatic stress disorder, which is accompanied by migraines and panic attacks. At the peak of his symptoms, he slept no more than two hours a day, but a prison psychiatrist helps him overcome his problems. The therapy seems successful to Van der Stap.

Now he is accused of hacking the servers of at least 11 companies, extortion, intimidation, laundering 2.5 million euros in cryptocurrency. However, not so long ago, Van der Stap decided to confess to all the attacks in which he was involved, the hacker described their number with the phrase "more than ten, but less than a hundred". The other day, "Umbreon" was present at the preliminary hearing on his case, despite the opportunity to apply for release.

***

In Amsterdam, the trial ended, in the center of which turned out to be 21-year-old Pepein Van der Stap, a former ethical hacker. Pentester was found guilty of committing a series of cyber attacks against more than 10 companies in the Netherlands and abroad,as well as blackmail and money laundering.

Van der Stap's total sentence is 4 years, of which he must actually spend 3 years in prison, and the last year is suspended. That is, if the defendant shows good behavior and does not commit new crimes during the 3-year probation period, then he will not have to serve the fourth year in prison.

The decision was the result of an investigation by the Dutch Prosecutor's Office, which revealed that the young man was engaged in hacking, extortion and laundering of cryptocurrencies in the amount of more than 2.6 million euros.

According to the investigation, from August 2020 to January 2023, Van der Stap, along with his accomplices, attacked the systems of companies, threatening to publish stolen data for purposes and extorting money from victims. During the searches, various hacking tools and stolen personal data of millions of people were found in Pentester's computer. Information was actively sold and exchanged on hacker forums, including RaidForums and BreachForums, where Van der Stap was known under various pseudonyms.

The scandal became particularly acute after it became known that Van der Stap worked as a cybersecurity researcher at the Dutch Institute for Vulnerability Disclosure (DIVD) and had access to confidential information. Moreover, Van der Stap was involved in confidential DIVD investigations. Such details added ambiguity to his identity, as during the day he helped protect information systems, and at night he was engaged in cybercrime activities.

In an interview with the site DataBreaches.net Van der Stap claimed that most of his illegal activities occurred before he began his career in cybersecurity and that he had practically stopped engaging in criminal activities 16 months before his arrest. However, according to him, it was not easy to completely get out of the underground world.

The investigation against Van der Stap began after the Amsterdam-based company filed a complaint in March 2021. At the moment, not all affected organizations have published information about the extent of damage and the fact of attacks. The case opened up a discussion about the importance of integrity checks, even among information security professionals.

 

[Man]

Digital Soul Collector: The Story of the Genius Who Became the Netherlands' Ultimate Cyber Thief

In early 2023, police arrested 20-year-old Pepijn van der Stap in his beachfront apartment in Zandvoort, the Netherlands. About a dozen officers broke into his home, surrounding the young man, known in professional circles as a highly qualified specialist. However, van der Stap's detention was the result of a two-year investigation: behind the façade of an expert who had protected hundreds of companies from cyberattacks, there was a master hacker and the largest "collector" of stolen data.

Pepain was fond of computers from a young age. Previously, he was known in the Netherlands for his achievements in the field of security, presenting the results of his work at specialized conferences. But his passion for data collection proved stronger than ethical norms. As it turned out, by the age of 20, van der Stap had already accumulated the personal data of hundreds of millions of users - probably almost all residents of the Netherlands. Court documents claim that the country has not previously known such a scale of crimes.

For two years, police monitored van der Stap's activities using listening devices and programs on his computer. He accumulated data by creating his own "archive" on encrypted hard drives, both from his hacks and from other hackers. According to investigators, the data was stored in thousands of folders organized with meticulous precision. He himself has repeatedly said that he collected information to be the first in the hacker environment. Police believe that such data collections have often been used to threaten companies.

The amount found in the hacker's possession exceeded 600 thousand euros, which indicates the scale of his activities. Despite possible financial motives, van der Stap continued to work officially, paying for his apartment and living expenses through his legal work in cybersecurity. According to him, money was not important to him: his "trophies" were data.

From an early age, Pepain showed unusual interests. At school, he stood out for his craving for programming and from the age of 10 he studied the PHP language on his own. He spent most of his time at the computer, avoiding the usual children's entertainment. By his teenage years, his passion had moved to the online world, where he began to interact with other hackers and eventually immersed himself in the world of cybercrime. Van der Stap's first major hack was an attack on the servers of an educational institution he attended. For this incident, he underwent a rehabilitation program Hack_Right, aimed at preventing hacking offenses among young people. Pepijn later took a job at a Dutch and British cybersecurity company, where he was known as an outstanding specialist.

Nevertheless, in 2021, he returned to criminal activity. Among its targets were universities, companies, and even cryptocurrency exchanges. He stored the data that he managed to steal on servers outside the jurisdiction of the European authorities, and also did not miss the opportunity to threaten the owners for their return. In one of the cases, having hacked into the systems of the Ticketcounter company, he demanded 7 bitcoins for the safety of data, which caused concern and a police appeal.

However, by 2022, van der Stup, exhausted by a double life, decided to "come out of the shadows". He approached several companies to help fix their vulnerabilities and began working with the Netherlands Institute for Vulnerability Detection. Soon he received arecognition for helping the cybersecurity community. But in March of that year, an old friend convinced him to carry out another attack on Virgin Media O2, gaining access to the data of 49 million users. Van der Stup demanded $750 thousand for the return of the data, of which he later received $764,450 in cryptocurrency.

A lengthy police investigation led to Pepain's arrest in January 2023. The police got on the trail of the criminal thanks to the analysis of IP addresses, emails, phone numbers and cryptocurrency wallets used in attacks since March 2021. They found its vaults with 33 terabytes of stolen data, divided into more than 4,000 folders. The discovered data was striking in scale: the investigation was not even able to determine the exact number of victims.

Against the backdrop of the proceedings, van der Stap's entourage expressed shock and disappointment. His colleagues in cybersecurity couldn't believe that the one who was fighting hackers was one of them. One of his former employers called it a "betrayal," while another expressed regret that such a brilliant mind was on the path of crime. Van der Stap's fellow students from Hack_Right were also deeply disappointed. The arrest also dealt a blow to the reputation of the Netherlands Institute for Vulnerability Disclosure, which lost funding and narrowly avoided bankruptcy.

In November 2023, a court found Van der Stup guilty of hacking into computer systems, extortion, theft of non-public data, distributing ransomware, and laundering at least 1.5 million euros. Taking into account his age and admission of guilt, the hacker received four years in prison with the possibility of release after three years and a subsequent suspended sentence of three years.

Van der Stap is currently serving his sentence in a prison on the outskirts of Amsterdam. The young man undergoes psychological therapy and admits that he is glad to end an exhausting double life. After his release, he plans to change his field of activity and study biochemistry and medicine.

Source