20 month prison sentence for British hacker who made fortune helping SIM-swap fraudsters

A teenage British hacker has been sentenced to 20 months in prison after pleading guilty to selling hacking services and stolen personal data for cryptocurrency.

19-year-old Elliott Gunton was no stranger to the authorities, having previously been convicted in December 2016 for his role in the infamous hack of the telecoms firm TalkTalk.

Gunton, 17 years old at the time, avoided a prison sentence in relation to the TalkTalk breach, but was given a 12-month youth rehabilitation order.

You would like to think that such a close call would teach Gunton to keep on the straight and narrow in future, but unfortunately it did not.

On September 8 2017, Gunton hacked Australian designer Phil Darwen, who runs the “A Designer’s Mind” Instagram account with more than 1.4 million followers.

Gunton seized control of the Instagram account for two weeks, setting up an auto-reply that sent “grotesquely offensive” messages to Darwen’s customers.

At the time Gunton was being monitored by police under a sexual harm prevention order (SHPO), after he had been found to be in possession of indecent images.

Under the terms of the SHPO, police checked Gunton’s laptop every six months to confirm that he was complying. The SHPO banned Gunton from using incognito mode to hide his browsing activity, deleting his browser history, or doing anything else that prevented police checking his laptop from determining what sites he had been visiting.

However, police readily admitted that their checks would not actually determine if internet browsing histories had been deleted.

“Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender. It would be impossible for us to know if he has deleted any history.” The Eastern Daily Press reported Detective Constable Jamie Hollis, of the public protection unit at Norfolk Police, as saying.

It was only in April 2018, when authorities learnt that Gunton was planning to appeal his SHPO, that they seized his computer for a “thorough search”, and found software had been installed to wipe his internet history and activities.

In a subsequent search of Gunton’s home, police seized an iPhone and a £10,000 Rolex watch hidden in a safe. In addition, investigators discovered that Gunton had received significant deposits in his Bitcoin wallet, including over $100,000 on just a single day.

Police were suspicious of his earnings, and Gunton claimed he had amassed a cryptocurrency fortune worth more than $380,000 through online trading.

However, police found evidence on his computer that Gunton had offered to supply compromised personally identifiable information (PII) of individuals to third parties, to assist fraudsters in hijacking mobile phone numbers through SIM swap fraud.

And despite Gunton’s attempts to wipe any evidence of wrongdoing from his computer, the authorities discovered “fragments” of conversations where he discussed criminal activity with others.

Bizarrely, despite attempting to wipe digital evidence from his hard drive, Gunton was not afraid to brag on his @Gambler Twitter account about his money-making activities.

Gunton received a 20 month prison sentence at Norwich Crown Court last week, but was immediately released due to having already served his sentence while on remand.

He has, however, been ordered to pay back £407,359, and has been issued with a three and a half year Community Behaviour Order which – amongst other restraints – limits his access to the internet, requires him to share his browsing history and any passwords with the police, and forbids him from deleting his internet history or using VPNs or proxies.

“Gunton was exploiting the personal data of innocent businesses and people in order to make a considerable profit but he did not succeed in hiding all of his ill-gotten gains which enabled us to seize hundreds of thousands of pounds worth of Bitcoin,” said Detective Sergeant Mark Stratford of the Norfolk constabulary.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
