The Metropolitan Police has won a confiscation order against prolific hacker Grant West. The order means that the Met has seized just over £1 million in different cryptocurrencies. In its press release, the Met says that: “Taking currency fluctuations into account the currency is today valued at £922,978.14.”
Head of the Met’s Cyber Crime Unit, Detective Chief Inspector Kirsty Goldsmith, said: “The MPS is committed to ensuring that individuals who are committing criminality on the Dark Web are identified, prosecuted and their criminal assets are seized.
“I wish to thank our partners within the MPS and in both public and private industry who have all assisted with this investigation which was incredibly complex and lengthy. I am very proud of my team for bringing this offender to justice and ensuring we have secured this order.”
Why has it taken so long to seize the cryptocurrency?
West was sentenced on May 25 to 10 years and 8 months in jail. This confiscation of assets order, which West did not oppose, brings an end to an operation that started in 2015. The cryptocurrency was originally seized by the Met when West was arrested in 2017. In December 2017, West pleaded guilty to 10 separate charges.
One of the questions that will be asked is why it took so long to put the confiscation order under the Proceeds of Crime Act to the court. The order was not opposed by West, which suggests that it could have been made much earlier. We have emailed the Met press office to ask the reason for the delay. If we receive a reply, we will add it as a comment.
Who will see the money?
Another serious question to be resolved is who will actually see any of this money. West attacked over 100 companies worldwide. The Met named 17 major firms whose websites West compromised. They include: Sainsbury’s, Nectar, Groupon, AO.com, Ladbrokes, Coral Betting, Uber, Vitality, RS Feva Class Association 2017, Asda, the British Cardiovascular Society, Mighty Deals Limited, Truly Experiences Ltd, T Mobile, M R Porter, the Finnish Bitcoin exchange, and Argos.
In addition to these companies, over 165,000 people were victims of a phishing scam around Just Eat. Dealing with that scam cost the food delivery service over £200,000.
A laptop recovered from West’s girlfriend had highly complete details of over 100,000 people. These details were sold by West to other cyber criminals. There was also an SD card with the credit and debit card details of 63,000 victims and files containing over 78 million usernames and passwords.
The problem here is deciding who should get what portion of the £922k. Should it go to the companies? What about those people whose credit cards West used to buy holidays, goods and even food? Even if they have been compensated by their card provider or bank (no guarantee), they will still have had losses due to dealing with identity theft.
Enterprise Times: What does this mean?
On one level this is a good news story. Prolific hacker caught, records recovered and, more importantly, proceeds of crime seized.
But there it ends. The delay in sentencing West is the likely cause for the Met not applying earlier to the court for a confiscation order under the Proceeds of Crime Act. Given that it already had control of the cryptocurrency, it could have cashed it in earlier at a much higher valuation.
There also appears to have been little effort to contact everyone whose personal details West was selling. This means that many victims will not know what details were sold on. As a result, they will not be able to calculate their risk or exposure. They are unlikely to see any of the money and even if they do, it will be so little that it won’t make any impact on their losses.
The large companies affected will all be able to make their claims against this money. How it will be split is anyone’s guess. Will it be a simple share option? Will they get a percentage based on the costs they incurred dealing with the attacks from West?
The use of confiscation orders has been stepped up by UK police forces recently. There have been several high-profile seizures. What is needed in cases like this is a transparent mechanism for people to make a claim, with priority given to individuals, not companies, when payments are made.