Updated with Vodafone statement.
A federal grand jury indicted Paige Thompson, a former Amazon engineer, on multiple counts of wire fraud and computer fraud on allegations that she not only stole data but also mined cryptocurrency after infiltrating the cloud servers of Capital One and more than 30 other companies.
While the alleged incidents of data theft have been widely documented, the indictment marks the first time that prosecutors have publicly alleged that Thompson also illicitly used her access to the servers to mine cryptocurrency, a practice commonly known as cryptojacking.
The indictment alleges that Thompson illegally accessed data from customers of a cloud computing company by exploiting misconfigured web application firewalls on their cloud servers. The cloud computing provider was not named, but Amazon has been sued over the breach in lawsuits that allege the tech giant is also culpable for the breaches.
Cryptocurrency miners are compensated for using computing power to verify blocks of cryptocurrency transactions. Cryptojacking is a way to earn money for mining cryptocurrency by using somebody else’s computing power.
There had been previous hints that Thompson was engaged in cryptojacking as part of the alleged scheme. In a previously reported Slack message, Thompson wrote, “I’ll be employed again soon and if I had a partner I could have them take over my cryptojacking enterprise and be a stay at home.”
In addition to Capital One, other hacking victims include a state agency, a foreign telecommunications conglomerate, and a public research university. Neither the state agency nor the university is located in Washington state. Israeli security company CyberInt has suggested that Michigan State University, Vodafone and the Ohio Department of Transportation may be among the victims, based on file names referenced in Thompson’s online messages.
Thompson allegedly used software to identify companies whose firewalls were vulnerable to outside commands. She then sent requests that returned the security credentials of customers with access to data on the servers. The indictment says Thompson concealed her location and identity using virtual private networks and The Onion Router, aka Tor, software for anonymous online communication.
Through these methods, the indictment says, Thompson gained access to information on 100 million customers who had applied to Capital One for credit cards. Thompson does not appear to have sold or shared the information, according to investigators. Thompson appeared in court in Seattle last week for a detention hearing, during which her request to be released pending trial was denied.
Authorities say Thompson faces up to 25 years in prison if found guilty of the charges. The case is being prosecuted by assistant U.S. attorneys Steven Masada and Andrew Friedman.
Update, Aug. 29: Vodafone, believed to be the unnamed telecommunications conglomerate identified in the indictment as “Victim 3,” issued this statement in response to GeekWire’s inquiry: “Our investigation has found no impact on Vodafone customer data or other personal data in connection with this incident. We will continue to work with the relevant authorities to support their investigation.”