A suspected Russian hacker stole the identities of recipients of the US Congressional Medal of Honor and purchased goods from American military exchanges using the stolen data.
The identities of as many as a third of the living holders of the US Medal of Honor were stolen in the attack.
The US Congressional Medal of Honor is the US government’s highest and most prestigious military decoration.
Special Agent Matthew O’Neill said that the United States Secret Service is currently investigating the case, in which “personally identifiable information (PII) of 22 of 75 living Congressional Medal of Honor recipients was used to create fraudulent lines of credit at the Army and Air Force Exchange Service (AAFES) in order to purchase items utilizing the newly created fraudulent lines of credit, all in violation of 18 U.S.C. § 1029 (access device fraud).”
AAFES, an agency of the US Department of Defense founded in 1895, provides quality merchandise and services to authorized customers at low prices and generates additional earnings for the US Army and Air Force and their recreation programs.
The threat actor used the stolen identities to purchase items such as luxury watches and Apple products, worth tens of thousands of dollars in total.
The goods were first shipped to various third-party reshipping companies, at least 5 of them, and from there to various addresses in Russia.
Besides using private shipping companies, the bad actor hired individuals through online ads.
One such shipper spoke with the US authorities:
“An individual re-shipper named Kiril Motorin, located in Gaithersburg, MD, advised that he became a re-shipper after responding to an employment advertisement on a website used by Russians living in the Washington, DC, area.”
Motorin received e-mails from the threat actor that were sent from firstname.lastname@example.org and contained instructions as to where to send the merchandise and how he would get paid for re-shipping.
Investigators estimate the threat actor netted $54,530.92 in some 50 fraudulent transactions.
It is unknown at this time how the hacker stole the identities or which individuals' personal information was stolen.