Three caught in extensive extortion case; Data of millions stolen, including most Dutch people

Police arrested three men in the Netherlands suspected of hacking the computer systems of organizations, extorting their management, making threats, and trading in stolen data. Private data belonging to tens of millions of people was stolen, including millions of people in the Netherlands. The suspects caused millions of euros worth of damage, police alleged.

The stolen data includes names, addresses, phone numbers, dates of birth, bank account numbers, credit card numbers, passwords, license plates, citizen identification numbers, and passport information. All types of organizations were affected, including social media firms, webshops, education and training institutions, hospitality businesses, and software companies. In some cases, the victims shelled out as much as 700,000 euros.

A 21-year-old from Zandvoort was identified as the prime suspect, and he was allegedly working with a 21-year-old from Rotterdam. They were being kept in restricted custody, and were not allowed to have contact with anyone other than their attorneys. An 18-year-old with no fixed address was also arrested in Naaldwijk, police said. They were arrested on January 23, police said. Because of the restrictions imposed, and to maintain the integrity of the investigation, the arrests could not be announced before Thursday.

The Zandvoort man was caught with 550,000 euros worth of bitcoin, and 45,000 euros in cash. He allegedly laundered 2.5 million euros in bitcoin, police told RTL Nieuws.

Their arrests were linked to the arrest of a 25-year-old man from Almere late last year. He was held on cybercrime charges after he was caught with personal data from Gebühren Info Service GmbH, which handles broadcast fees in Austria. The stolen data likely included the information of all residents of Austria, which was likely stolen and offered for sale, Dutch police said.

The Amsterdam police cybercrime team launched the investigation announced on Thursday nearly two years ago after a large, unnamed Dutch company reported data theft. The company said it also received threats, police claimed. "During the course of the investigation, it became clear that probably thousands of small and large companies and institutions, both national and international, have fallen victim to computer intrusion -hacking- in recent years, and subsequently theft," which resulted in the data being sold. "Tens of millions of privacy-sensitive personal data fell into the hands of criminals as a result of this theft and trade," police said.

Once the data was access, the organizations would then receive threats by email, with an extortion attempt demanding payment in bitcoin. The suspects threatened to destroy the organization's digital infrastructure or make the stolen data public if their demands were not met.

"Many companies felt compelled to pay in hopes of protecting their data. The total damage for the companies runs into the many millions. As far as is known, the ransom demand per company rose to more than 100,000 euros, with a peak of more than 700,000 euros," police alleged.

Even when the companies paid money, the stolen data was often sold, authorities said.

Police said that the suspects caused direct financial damages, and indirect damage by affecting the organizations' public image. Many people were also negatively impacted on a personal level. "For example, an employee of an affected company explained to the police how he is constantly afraid that the stolen data will still be traded and is afraid of personal threat as a result of speaking to the police."