UK Man Blackmailed Law Firm, Allegedly Hacked Pippa Middleton’s iCloud Account
A British man who was initially arrested on suspicion of hacking Pippa Middleton’s iCloud account has been sentenced to three years in prison after pleading guilty to a number of unrelated fraud and blackmail offenses.
Nathan Wyatt, 36, of Wellingborough, England, appeared at Southwark Crown Court on Sept. 14, where he pleaded guilty to 20 counts of fraud by false representation, two counts of blackmail and one count of possession of an identity document with intent to deceive. His offenses included using malware to steal files from a British law firm and then trying to ransom them back for €10,000 ($12,000) in bitcoins.
His ransom demand was signed “The Dark Overlords,” Britain’s Daily Mail reports, in apparent reference to the extortion shakedown gang known as “The Dark Overlord” (see UK Cybersecurity Center Issues ‘The Dark Overlord’ Alert).
At Southwark Crown Court on Friday, Judge Martin Griffiths sentenced Wyatt to three years in prison.
“A rather more skeptical mind would say there was a great deal more to this behavior than there is in these counts,” the judge told Wyatt during the sentencing hearing, the Daily Mail reports. “I consider this was a sophisticated piece of offending by you.”
As part of this investigation, police also charged Wyatt’s live-in partner, Kelly Walker, 35, with handling stolen goods and encouraging or assisting other offenses. But the prosecution offered no evidence to substantiate these charges and she was acquitted.
First Arrest Leads to Second
Police first arrested Wyatt in September 2016 for what they say was an unrelated matter involving suspected violations of the Computer Misuse Act.
At the time, Wyatt was named in multiple news reports as being the suspect behind the hack of English socialite Pippa Middleton’s iCloud account and theft of approximately 3,000 photographs. She is the younger sister of Kate Middleton, now officially known as Catherine, Duchess of Cambridge, following her marriage to Prince William. The stolen photographs allegedly included images of the heir to the British throne as well as his family, the Guardian reports.
In September 2016, a judge extended an injunction barring any media outlets from publishing the photographs stolen from Pippa Middleton’s iCloud account (see Is Apple iCloud Safe?).
Earlier that month, British tabloid The Sun reported that an unnamed individual calling himself “Crafty Cockney” had approached its reporters via encrypted messaging using the Jabber chat service, seeking £50,000 ($66,000) for the photographs, and sharing two photographs of Pippa Middleton to substantiate his claims.
The newspaper said it reported the offer to police, and in later reporting named Wyatt as being the suspect.
Wyatt was released without being charged.
Digital Forensic Investigators Find New Clues
But police say they continued to conduct a digital forensic analysis of Wyatt’s computer and other devices seized when he was arrested, and found that Wyatt had stolen information from and attempted to blackmail an unnamed law firm in Humberside, England, in December 2016. “Using malware, Wyatt had managed to steal around 10,000 files and documents from the firm and then twice tried to blackmail the company into paying him €10,000 worth of bitcoins for the safe return of the data,” according to London’s Metropolitan Police Service.
“We are ready to now use or sell all of your data on the dark net markets … we make a single offer to you to prevent this data being used or sold to Russian and Chinese buyers,” according to an email that Wyatt sent to the law firm that was read out in court, which included copies of stolen scans of passports and driver’s licenses.
Prosecutors told the court that it wasn’t clear if Wyatt first hacked into the law firm himself or whether he used access credentials obtained by others, the newspaper reports (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
Police also found that following the death of Wyatt’s father in April 2016, Wyatt made £4,750 ($6,300) in purchases using a credit card issued to his father, and said that the debt remained unpaid. The purchases included mobile phones, hair straighteners, Guitar Hero games and a Disney “Frozen” toy, the Daily Mail reports.
Police say Wyatt also attempted to obtain a prepaid cash card using false identity documents, but noted that this request had been rejected.
Police arrested Wyatt in January in relation to the fraud and false identity document offenses and then again in March 2017 in relation to the blackmail offenses.
Wyatt has pleaded guilty to those charges. His attorney, Mark Gatley, told the court that his client’s “enormously stupid strategy” resulted from pressure he felt to obtain money for Christmas presents for his children, the Daily Mail reports.
Connection to The Dark Overlord?
What remains unclear is whether Wyatt might be connected to The Dark Overlord, a.k.a. TheDarkOverlord, which many security experts believe is not one individual but a hacking collective. The shakedown group courts publicity, and its extortion victims have included health clinics, Hollywood studios and schools (see Cyber Ransom Group Hits Soft Targets: US Schools).
As noted, Wyatt signed one ransom demand to the unnamed British law firm: “Regards, The Dark Overlords.” But does that make him a member of the group or just a copycat seeking to capitalize on the fear that name might create?
“It is difficult to imagine the hacking group getting their name wrong, so if that was not a typo by the news outlet, then there may be some reason to wonder whether the extortion attempt really was by TheDarkOverlord or if it was just Wyatt trying to capitalize on any fear their brand might generate,” the privacy blogger known as “Dissent” says in a blog post.
But Dissent says that Wyatt claimed to be planning to call and shake down an unnamed Georgia clinic – potentially the Athens Orthopedic Clinic – on behalf of The Dark Overlord (see Athens Orthopedic Clinic Confirms ‘Dark Overlord’ Attack).
The Dark Overlord had been publicly touting a database, believed to have been stolen from Athens Orthopedic Clinic, containing plaintext data for 397,000 patients.
Wyatt also told Dissent that he was the caller on an audio clip – a threatening phone call containing strong language that is not workplace-friendly – uploaded to YouTube on July 10, 2016. Dissent said Wyatt also linked to the phone call in a post he made to the now-shuttered darknet marketplace Alphabay.
Athens Orthopedic Clinic warned in July 2016 that it had been breached on June 14, 2016, and apologized for “the stress and worry this situation is causing our patients and their families.”
U.S. prosecutors have not named Wyatt in any public indictments.