Hacker arrested for blackmailing StudiVZ and other social networks

vz-netzwerke[Germany] Berlin police have arrested a man who apparently tried to blackmail VZ-Netzwerke, the holding company for the successful Facebook clone StudiVZ and other German social networks.

The man had used crawler software to harvest detailed user information (residence, date of birth, relationship status, hobbies, favourite music, favourite movie, …) not only only from the group’s networks for adult people, StudiVZ and MeinVZ, but also from Germany’s biggest social network for pupils, SchülerVZ. The 20 year old man asked for €80,000. Kind of a pathetic amount, don’t you think?

If the company had refused to pay, he threatened to sell the information to gangs in Eastern Europe. The true number of the stolen records remains unclear. But in a blog post from May he had already bragged how his bot could copy 48,000 profiles in just four hours and even posted a video on Youtube.

The case developed very fast since last weekend, as you can see in the post at the StudiVZ company blog which is full of strike-throughs and updates. What started as a white hat attack on SchülerVZ, a network with 5m members from 12 to 21 years, turned into a crime story.

At Friday the whistleblower blog Netzpolitik.org received data of more than 1m minors from another anonymous source that only wanted to point at a security hole in SchülerVZ. He had no intentions to sell the records and also has used a crawer software to obtain these data. No hacker skills were necessary, although IP number checks and the website’s Captchas should have prevented the harvest.

The Netzpolitik.org post about this leak drew out the other hacker, known only as Mathias L., who obviously had less noble intentions. He bragged in his now defunct blog that his bot “sVZ Crawler”, based on PHP, JS, Ajax and different shell scripts, was better and that he could download much more detailed user information. As a proof, he uploaded some of the data to a Hacker and Cracker internet forum where at least 17 other users downloaded it.

On Sunday he paid a visit to the social networks’ office in Berlin upon invitation by VZ-Netzwerke, and was welcomed by the waiting police. He has already admitted the attempted extortion, the public prosecutor’s office declared on Tuesday.