A former Dutch cybersecurity professional was sentenced to four years in prison after being found guilty of hacking and blackmailing more than a dozen companies in the Netherlands and worldwide.
The suspect, a 21-year-old man from Zandvoort named Pepijn Van Der Stap, has been convicted on multiple charges, including hacking into victims' computers, extortion, and laundering at least 2.5 million euros in cryptocurrency.
The court sentenced him to four years of imprisonment, with one year being conditional, accompanied by a three-year probationary period. The verdict follows an extensive investigation conducted by the Dutch Public Prosecution Service, which asked for a six-year prison sentence.
Van Der Stap, along with his accomplices, was involved in a series of cybercrimes that targeted both domestic and international companies and institutions between August 2020 and January 2023, according to the Dutch Public Prosecution Service.
The group resorted to blackmail as a means of extorting large amounts of money from targeted companies, threatening to leak the stolen data online unless a ransom was paid. Additionally, Van Der Stap infiltrated various networks, stealing sensitive data from compromised companies and organizations.
When searching his computer, law enforcement agents found various malicious tools and personal information stolen from millions of individuals, acquired through hacking, purchases, or exchanges with other cyber criminals, and put up for sale on various hacking forums.
The Dutch Public Prosecution Service also revealed that Van der Stap helped other criminals by selling or trading this stolen sensitive data, causing millions in damages to the affected organizations.
The investigation into Van der Stap's cybercriminal activity commenced in March 2021 following a report from an Amsterdam-based company. Despite ongoing legal proceedings, not all organizations have reported being targeted and the extent of their losses.
Whitehat during the day, cybercriminal at night
At one point, Van der Stap worked for Hadrian Security and volunteered at the Dutch Institute for Vulnerability Disclosure (DIVD), as first reported by DataBreaches.net.
He was also a member of the now-defunct RaidForums and BreachForums, as well as other hacking forums like Sinister[.]ly, HackForums, Leakforums, and Maza, using multiple nicknames, including Espeon, Umbreon, Lizardom, Egoshin, Togepi, OFTF, and Rekt.
BreachForums (aka Breached) was seized in June 2023, three months after the arrest of its owner, Conor Fitzpatrick (aka Pompompurin).
RaidForums was shut down in April 2022 after its founder and admin, Diogo Santos Coelho, was apprehended in a coordinated action involving law enforcement agencies in several countries.
Both were considered the biggest hacking forums before their seizure, with hundreds of thousands of users employing them as online platforms for trading and selling stolen databases.
"The majority of my criminal hacking activities took place before I started doing lawful work. I had already started cutting back on blackhat hacking before I started working for whitehat entities. Once I began working in legitimate jobs, I really started dedicating my skills to ethical purposes," Van der Stap told DataBreaches.net in an interview.
"For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times."
