Brazilian Man Charged with Extortion After Major Corporate Data Breach

The US Department of Justice (DoJ) charged a Brazilian man for his alleged involvement in orchestrating a high-profile stolen data extortion scheme.

The indictment, unsealed earlier this week, alleges that 29-year-old Junior Barros De Oliveira is accused of breaching a company’s network, exfiltrating sensitive data, and demanding payment in Bitcoin to prevent its public release.

Network breach and data theft

The charges stem from a security incident in March 2020, when cybercriminals attacked a Brazilian subsidiary of a New Jersey company.

During the attack, perpetrators exploited unauthorized access to the company’s network and stole sensitive customer data on at least three separate occasions.

The stolen trove reportedly included personal and financial information from approximately 300,000 company customers.

Ransom demands

Six months after the incident, De Oliveira allegedly used a moniker to contact the company’s chief executive officer and demand a ransom of 300 Bitcoin, worth approximately $3.2 million at the time, in exchange for not selling the stolen data.

In October, the hacker escalated his threats by forwarding the ransom demand to another company representative in the Brazilian subsidiary.

De Oliveira offered to “help solve the security flaw” he exploited but stipulated a “consulting fee” of 75 Bitcoin (roughly $800,000 at the time), providing detailed instructions for transferring the payment to a crypto wallet.

Legal consequences

According to the unsealed indictment, charges brought against De Oliveira include four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications.

“Each of the four counts of making extortionate threats in relation to information obtained from protected computers carry a maximum prison term of 5 years, and a maximum fine of $250,000 or twice the value of any gain or loss, whichever is greater,” reads the DoJ’s press release. “Each of the four counts of threatening communications carry a maximum prison term of 2 years, and a maximum fine of $250,000 or twice the value of any gain or loss, whichever is greater.”

If convicted on all counts, De Oliveira could face decades in prison and significant financial penalties.