DoJ indicted California resident Tassilo Heinrich, charging him with aggravated identity theft and conspiracy to commit wire fraud.
According to DoJ, The Victim Company was an e-commerce platform for online stores that offered services to online merchants, including payments, marketing, shipping, and customer engagement tools. Press reporting identifies the company as Shopify. (See https://techcrunch.com/2021/04/05/shopify-breach-hacker-indicted/) (See also: https://techcrunch.com/2020/09/23/shopify-data-merchant-breach/)
Un-indicted Co-Conspirator 1 (‘UCC1’) was a Philippines-based employee of a third-party contractor who provided customer support services for the Victim Company.
UCC1 was authorized to access certain portions of the Victim Company’s internal network solely for the purpose of performing customer service work for the Victim Company; UCC1 was not authorized to access any portions of the Victim Company’s internal network for any other purpose.
UCC1 would fraudulently gain access to data relating to merchants who used the services offered by the Victim Company, as well as to customers of those merchants, without authorization.
UCC1 would steal the merchant and customer data from the Victim Company’s internal network by either taking screenshots of the data or uploading the data to Google Drive; the stolen data would include, without limitation, merchants and customers’ names, customers’ billing and shipping addresses, customers’ email addresses, items the customers purchased from the merchants, and customers’ payment methods.
UCC1 would transmit the stolen data to defendant HEINRICH and UCC2.
In exchange for the stolen data, defendant HEINRICH and UCC2 would either pay UCC1 or provide UCC1 false positive reviews by impersonating merchants to whom UCC1 had provided customer service, but who had not given UCC1 a review.
Defendant HEINRICH and UCC2 would use the stolen data for their personal benefit, including (a) by setting up merchant pages that were similar to the pages of the real merchants whose data had been stolen in order to take business away from those merchants, and (b) by selling the data to other co-conspirators who would use the data to commit fraud against the merchants and their customers.