Threat Management

FBI arrests alleged NullCrew member, faces maximum of 10 years in jail and $250K fine

A 20-year-old man believed to be a member of high-profile hacker group NullCrew was arrested by the FBI at his Tennessee home on June 11 and charged on Monday for his alleged role in cyber attacks against two universities and three companies.

Timothy French is charged with conspiracy to commit computer fraud and abuse and will be prosecuted at an unscheduled date in U.S. District Court in Chicago, according to a Department of Justice release posted on Monday.

If convicted, French faces a maximum penalty of ten years in prison and a $250,000 fine.

French was allegedly involved in five cyber attacks dating back to July 19, 2013, including one against a large Canadian telecommunications company, one against a large mass media communications company, another against a California-based company, and two against unnamed universities, according to the release.

Information allegedly stolen in each of the aforementioned attacks – which includes thousands of usernames and passwords – was posted on the internet, typically to Pastebin, according to the release, which adds that NullCrew often announced its attacks on Twitter.

A confidential witness aided the FBI in identifying French as a participating member in those five attacks – French allegedly operated under the names ‘Orbit,' ‘Orbit_g1rl,' ‘crysis,' ‘rootcrysis,' and ‘c0rps3' – by joining in NullCrew conversations on Skype, Twitter and CryptoCat, according to the release.

In one Skype conversation on Feb. 8, 2013 between Orbit and the confidential witness, Orbit claimed to have been in an accident while driving a 1996 Chevrolet Camaro, according to a copy of the affidavit posted Monday to Scribd. A public records search indicated that French had been in a Feb. 7, 2013, accident involving a 1996 Chevrolet Camaro.

“…Timothy Justin French and others have conspired to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization, to a protected computer, which offense caused a loss aggregating at least $5,000 in value to one or more person during a one-year period…,” according to the affidavit.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.