A cybercriminal who hacked company websites and illegally obtained the data of thousands of people in order to sell it on the darknet has admitted to his crimes.
25-year-old Grant West hacked the websites of 17 companies, including Groupon, Uber, Argos, Asda, Ladbrokes, T-Mobile, Nectar, Sainsbury’s and Just Eat, using “brute force attacks” with the aid of the specialist software Sentry MBA.
West also admitted to illegally obtaining details of 165,000 accounts of customers of the online takeaway service Just Eat, with the intent to sell them on darknet marketplaces for bitcoin.
Although no financial records were obtained, the five-month-long scam is said to have left Just Eat with a bill of £210,000 in mitigation costs alone.
West, who lived in a caravan in Minster-on-Sea, appeared at Southwark Crown Court on Thursday and pleaded guilty to an offense of conspiracy to defraud Just Eat and its customers, along with a series of other charges relating to his darknet webshop.
He also tried to obtain customer information, known as “Fullz,” from companies. These fullz include customer data such as names, addresses, passwords, email addresses and credit card CVV numbers. They may even include bitcoin debit card details. He sold them under his online identity ‘Courvoisier’. It was later revealed that West wasn’t only selling computer access credentials but was also selling drugs, which were listed on another shelf for interested customers.
Grant’s first arrest came in May, but at the time he denied being involved in any kind of illegal activity, including conspiracy to defraud Just Eat. He received bail after coming out clear following a home search.
That, it seems, didn’t stop him from reverting to his old ways of running dubious and illicit schemes. According to the Southwark Crown Court, he even tried selling cannabis online while he was still on bail awaiting trial for the Just Eat fraud.
West’s house was searched again by the police between August and September, and this time they found £25,000 in cash and a stash of cannabis. This led to his subsequent arrest, where he admitted to all his crimes.
Further investigations revealed that West had multiple bitcoin wallets and was involved in laundering large amounts of Bitcoin internationally from January to September 2017. It is unclear if he was using any bitcoin mixer to keep the money clean.
He showed up at the dock dressed in a grey tracksuit and a grey Puma jumper. Anna Mackenzie, his barrister, stood close by as he entered multiple guilty pleas for 10 charges.
West’s charges were two counts of conspiracy to defraud, four charges related to the possession and supply of cannabis, one charge of computer hacking, one count of laundering money by bitcoin, and two counts of possessing criminal property.
Prosecutor Kevin Barry, speaking in court, stated that it’s just computer hacking and associated fraud.
“His acquiring, obtaining, using and supplying false customer credentials, is everything one needs in order to manipulate identities alone.” “The particular type of computer misuse was an activity which required details which could then be used and supplied onwards,” he said.
He continued that Mr. West was on bail and there were further arrests. Prosecutor Barry added that they carried out online surveillance which exposed that West was allegedly carrying out similar attacks.
West also pleaded guilty to conspiracy to defraud “corporations, companies, partnerships, firms and persons,” which sell online, by obtaining, using and supplying data known as “Fullz”.
He also admitted attempting to supply cannabis on the 21st of March of this year, and offering to supply the Class B drug between 1st October 2015 and 30th September 2017.
West again pleaded guilty to possessing 123.05g of cannabis on the 16th of August this year, alongside having 181.56g of cannabis and cannabis resin on September 30 this year.
He was remanded into custody by Judge Joanna Korner QC with his sentencing adjourned to a later date.
The spokesman for Just Eat, speaking after the hearing, noted that they were informed about a phishing scam which happened in 2015 and took measures to reduce the damages at that time.
He added that the attack affected Just Eat customers as well as non-customers.
“We do not store customer card details on our website or app and all payments are managed securely by an independent, external payment service provider,” he stated. He concluded by saying that protecting their brand and their customers from online fraud and related attacks was of huge importance to them.