A Los Angeles man entrusted with making personal computers safer has admitted to hacking into them to create a rogue network of as many as a quarter-million PCs, which he used to steal money and identities.
Federal prosecutors Friday said that John Kenneth Schiefer, a 26-year-old computer security consultant, used an army of hijacked computers, known as a "botnet," to carry out a variety of schemes to rip off unsuspecting consumers and corporations.
Schiefer agreed to plead guilty to four felony charges in connection with the case and faces up to 60 years in prison and a $1.75-million fine, according to court documents filed Friday in federal court in Los Angeles.
His lawyer, Arthur Barens, could not be reached for comment.
The vast number of computers that Schiefer compromised -- as many as 250,000 -- highlights a stealthy online crime spree on the rise. These botnets, short for "robot networks," remotely harvest personal information, including user names and passwords, to give their operators access to credit card information and online bank accounts.
Federal law enforcement agencies have stepped up their pursuit of botnet operators in recent years as they have drained bank accounts, stolen identities and overwhelmed federal authorities, security experts say.
"We have seen a dramatic uptick in the last few years in the number of botnets being used to give their masters direct financial gain," said Jose Nazario, a senior researcher at online security firm Arbor Networks Inc.
Schiefer, who on the Internet went by the handles "acidstorm," "acid" and "storm," is the first person to be accused under federal wiretapping law of operating a botnet, said Assistant U.S. Atty. Mark Krause in Los Angeles.
By intercepting electronic communications, Schiefer stole user names and passwords for EBay Inc.'s PayPal online payment service to make unauthorized purchases. He also passed the stolen account information on to others.
EBay spokesman Hani Durzy could not be reached for comment.
At one point, according to the plea agreement, a conspirator named "Adam" expressed concern about stealing money. Schiefer responded by reminding Adam that he was not yet 18 and should "quit being a bitch and claim it."
Schiefer's indictment caps a federal investigation that began in 2005 and uncovered a variety of schemes. Prosecutors said Schiefer and his cohorts, who were not named, used illicit software they planted on people's PCs to spirit account information from a storage area in Windows-based computers.
He also was paid by a Dutch Internet advertising company to install its programs on people's computers when they consented, but he installed it on more than 150,000 PCs without permission, earning more than $19,000 in commissions.
In all, the federal indictment includes four counts of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Federal authorities said they were still trying to identify victims and the scope of their losses.
Schiefer carried out the crimes using computers at his home and office, prosecutors said. Henry Park, president of Los Angeles-based 3G Communications, where Schiefer worked, could not be reached for comment.
"John Schiefer was an information security professional who betrayed the trust that both his employer and society placed in him," Assistant U.S. Atty. Krause said.
Krause would not say how federal authorities captured Schiefer or whether they planned to charge others in the case. Schiefer has agreed to make an initial appearance in Los Angeles on Nov. 28 and to be arraigned on Dec. 3.
He could face a long prison stretch. In May 2006, a Downey man, Jeanson James Ancheta, was sentenced to almost five years in federal prison after pleading guilty to four felony charges for using botnets to spread spyware and send spam.