The computer server was in Bulgaria. The victims ranged from a law firm in Ontario to the union representing members of the Quebec provincial police. And the suspected hacker was someone initially known as “User ID 128.”
A joint investigation by the FBI and the RCMP eventually connected User ID 128 to a former federal government IT employee living in Gatineau, Sébastien Vachon-Desjardins, who is alleged to be one of the most prolific affiliates of a cybercrime group called Circus Spider.
After pleading guilty last month to charges relating to online extortion against 17 Canadian victims, Mr. Vachon-Desjardins was extradited this week to Florida to face four criminal counts for computer fraud.
American authorities have also moved to make him forfeit about $35-million in bitcoin and $790,000 in Canadian currency that were seized when he was arrested. About $300,000 was found in his residence, and the rest of the cash sat in bank deposit boxes.
There is “probable cause” to believe that those assets are proceeds of fraud, FBI special agent Daniel M. Sirmons said in a court affidavit.
Security researchers first discovered Netwalker in September, 2019. Like other ransomware, it encrypts a victim’s computer data so that it cannot be used; the operators also copy the data before encrypting it, and if the victim doesn’t pay a ransom, the stolen data is leaked online.
Netwalker is believed to be operated by a cybercrime group known as Circus Spider, according to a September, 2020, PowerPoint briefing by the U.S. Health Sector Cybersecurity Coordination Center.
A key change in Netwalker’s activities took place in the spring of 2020, when it shifted to a model known as ransomware-as-a-service, or RaaS, in which the original developers made it available to affiliates responsible for identifying and attacking “high-value victims,” the FBI affidavit said, alleging that Mr. Vachon-Desjardins is one of those affiliates.
“For us this is just business,” said one ransom note quoted in the FBI affidavit.
The ransom notes provided victims with an access code for a website hosted on a part of the internet that isn’t indexed by search engines. There, they received instructions on how to pay their ransoms.
In mid-April, 2020, however, an FBI employee working undercover accessed the website and found that it was run by a server in Isperih, a northeastern Bulgarian town, Mr. Sirmons said in his sworn statement.
Records on the Bulgarian computer showed that, in a span of a year, about 100 affiliates had extorted the equivalent of US$200-million. And the affiliate who had collected the largest amount in ransoms, US$60-million, was User ID 128.
Mr. Vachon-Desjardins was arrested in late January, 2021.
A year later, on Jan. 31, he appeared before Ontario Court Justice G. Paul Renwick and pleaded guilty to mischief, extortion and participating in a criminal organization.
The Association des policières et policiers provinciaux du Québec, which represents Sûreté du Québec officers, was among Mr. Vachon-Desjardins’ victims. Spokeswoman Annik Bousquet said the APPQ’s computer supplier had to pay a ransom – more than $1-million, according to Justice Renwick.
Other victims included Cégep de Saint-Félicien, a junior college that had to pay nearly $1-million; a law firm in the Waterloo, Ont., region; and the city of Montmagny, Que. Goodfellow Inc., a flooring company, didn’t pay and its data was leaked online, Justice Renwick said.