Taking down a ransomware hacker

In the early morning hours of Jan. 27, 2021, two police forces descended on a snowy cul-de-sac in Gatineau, Que., each tasked with an important role in one of the largest-ever ransomware takedowns in Canada.

Members of the RCMP, led by the cybercrime unit, were executing a search warrant at a white brick house on the street, while the Gatineau police service was on hand to make an arrest on behalf of the FBI. The codename for the operation was Project Olunar.

They had reason to believe the man inside was User ID 128 one of the most successful hackers in NetWalker, a criminal ransomware group thought to be tied to Russia.

• Watch Hunting the Hacker of Gatineau on The Fifth Estate on CBC-TV Thursday at 9 p.m. or stream on CBC Gem.

There was a huge urgency to proceed to apprehend him and stop him because the time was ticking and every day was a new victim, said Const. Francois Picard-Blais, a cybercrime investigator for the RCMP.

Around the same time, thousands of kilometres away in Isperih, a town in northeastern Bulgaria, authorities were taking down a computer server.

We knew that once we took that server down, then NetWalker ransomware would essentially cease to operate, said Carlton Gammons, a U.S. federal prosecutor based in Tampa, Fla.

The operations were co-ordinated to avoid tipping off the target or other NetWalker affiliates.

Back in Canada, police had entered the home, and Lieutenant Det. Denis Simard of the Gatineau police was making his move. He had been in the house before.

Never in my career [did I think] I will be involved in the FBI case and a big file like this, Simard told The Fifth Estate.

Simard was there to arrest 33-year-old Sbastien Vachon-Desjardins, an IT analyst for the federal government turned ransomware hacker.

He was alone with all those police officers, so was kind of lost, said Simard.

Simard told Vachon-Desjardins he was executing a warrant for his arrest as part of an extradition order on behalf of the FBI.

His expression was like someone was asking for help, said Simard. He was very down. And he wanted me to stay with him. He [needed] me like a friend. But I [couldnt] stay with him. Its not my case, said Simard, who had arrested him on two other occasions.

RCMP officers had begun their search of the house, uncovering a goldmine of evidence.

The RCMP found $300,000 in cash in a shoebox under a pair of slippers in a bedroom closet, keys to safety deposit boxes with $400,000 cash inside, cellphones, computers and hard drives with enough terabytes of data to fill a hockey arena if it was printed out and security keys to crypto wallets holding a current value of $21 million US in bitcoin.

At the time, it was the largest seizure of cryptocurrency made by Canadian police, according to the RCMP.

Though already months into the investigation, that morning was only the beginning of what police would uncover, and the end of Vachon-Desjardinss days as a hacker.

Ransomware is a form of malicious software used by hackers to take control of a victims computer or network and then demand payment in exchange for decryption.

It was first seen as early as 1989 and has become the most common cyber threat Canadians face, according to the Canadian Centre for Cyber Security.

The agency estimates that worldwide ransomware attacks increased by 151 per cent in the first half of 2021 when compared to the same period the year before.

The problem with cybercrime is it doesnt just grow a little bit. It grows exponentially. Its a huge business, said Insp. Lina Dabit, head of the RCMPs cyber crime investigative team in Ontario.

The NetWalker ransomware group became highly active during the COVID-19 pandemic, targeting hundreds of victims, including schools, municipalities, health-care institutions and businesses.

But it first landed on the FBIs radar in September 2019 when a company in Tampa, Fla., was attacked. Thats when Carlton Gammons, assistant attorney for the U.S. Department of Justice in Tampa, became the lead prosecutor on the NetWalker file.

This is the biggest ransomware investigation that Ive worked on in my career, said Gammons.

According to investigators in Canada and the United States, NetWalker, previously called Mailto, was created by a Russian-speaking group of hackers.

At the time, there were other types of ransomware syndicates, but NetWalker stood out for its ransomware-as-a-service model.

Its developers created the malware and affiliates were recruited to use it to attack victims and demand ransoms paid in cryptocurrency.

If victims didnt pay, affiliates would often post sensitive data, such as financial records and client information, on the NetWalker blog located on the dark web. Its known as double extortion.

If the ransom was paid, the two would split. Generally, between 70 to 80 per cent would stay with the affiliate and the other portion go back to the developer, said Michael McPherson, a former special agent in charge of the FBIs Tampa field office.

NetWalker was only active for about a year and a half, but according to Gammons, in that time, victims paid about 5,058 bitcoin in ransom the equivalent of about $40 million US at that time.

During the course of the investigation, we found just a very, very high number of [victims], said Gammons. There were about 400 victims located across the world in 30 different countries.

An ad in cyrillic letters recruiting affiliates to NetWalker was posted by the groups spokesperson on a hacker forum back in March 2020. It said it was looking for highly skilled applicants who had experience with other ransomware variants.

According to Gammons, Vachon-Desjardins became active with NetWalker a month earlier, in February. But he first appeared on the FBIs radar in late spring of 2020.

In May 2020, a telecommunications company in Florida reported to the FBI in Tampa it was attacked by NetWalker ransomware.

Later that month, an educational institution in California and a transportation logistics company headquartered in France were also attacked.

FBI investigators determined that the companies virtual private networks (VPN) their connections from a remote device to a computer network had been accessed by an unauthorized IP address they traced to a server in Poland.

Then on June 1, 2020, NetWalker hit the University of California San Franciscos school of medicine, a research facility working to develop a COVID-19 vaccine. Suddenly part of its systems were paralyzed.

The hackers demanded $3 million in bitcoin. A conversation between a negotiator working on behalf of the university and NetWalker shows how hackers pressured their victims.

Our investigation later revealed that [the university] paid approximately a $1.14 million ransom to regain access to their data, said Gammons.

It was through this attack that the FBI identified email addresses connected to a second server in Poland.

In September, the FBI received what they had been waiting for from Polish authorities copies of the two servers that contained a large amount of evidence, including a number of email addresses that would lead them closer to a suspect.

FBI investigators also received the contents of a server located in Bulgaria that they linked to NetWalker around the same time. On it they found detailed information about affiliates including their user IDs.

User ID 128 appeared to be the most profitable and ranked second in number of attacks it built, according to a statement of facts produced by the FBI.

Evidence on the server indicated the user was responsible for the attacks on the victims in Florida, California and headquartered in France.

So, who was User ID 128?

FBI identified a number of email addresses, including one that they tied back to the two Poland servers.

From there, they connected the account holder to an address in Gatineau.

But they needed to confirm User ID 128 was a real person, so in August 2020, the FBI notified the RCMP about their investigation. They provided a swath of information, including IP addresses connected to Bell Canada.

RCMP began to run surveillance on that house in Gatineau and in December, confirmed the user of those IP addresses was 33-year-old Sbastien Vachon-Desjardins, a federal government IT worker for Public Services and Procurement Canada.

We didnt anticipate that at all hackers, you know, the image you have is a teenager in his parents basement. But, no, it was totally the opposite, said Picard-Blais.

In conversations the RCMP documented, Vachon-Desjardins mentioned going to Russia, including one with NetWalkers alleged spokesperson who used the moniker Bugatti over the platform Jabber in November 2020 and one with his girlfriend over Messenger in December.

We were worried that with his background and a large amount of money that was yet unaccounted for, that he would flee the country and that we wouldnt be able to apprehend him, said Gammons.

U.S. authorities believed they had enough evidence to pursue an indictment and extradition, according to Gammons, but they didnt have the local jurisdiction to make the arrest, so Gatineau police was called in for help.

Simard had arrested Vachon-Desjardins twice before, the first time in 2015.

Simard was working in the drug section of the Gatineau police force when he got a tip about bags and boxes being moved in and out of the house where Vachon-Desjardins lived.

Vachon-Desjardins was known in Quebecs criminal community as gteau because he shared the same surname as the maker of the popular Jos Louis cakes.

Simard and his team found drugs with a street value of $500,000 in an upstairs bedroom.

Speed, marijuana, hashish it was a lot of drugs. So, it was a stash, said Simard.

As part of his surveillance, Simard followed Vachon-Desjardins to work, and was shocked to learn he was a computer technician for the federal government at the National Research Council of Canada in Ottawa.

Vachon-Desjardins was arrested in March 2015 on four counts of drug trafficking and was given a 3 1/2-year prison sentence.

When he got out of prison, still under conditional release, Public Services and Procurement Canada (PSPC) hired him in October 2016.

When asked, the department of the federal government responsible for employee payroll and purchasing, would not say whether it ran a background check on Vachon-Desjardins before hiring him.

Three years went by, and then Simard got a tip that Vachon-Desjardins was allegedly trafficking drugs again.

WATCH | Police see drugs moved from vehicle:

This time, Vachon-Desjardins was transporting drugs throughout Quebec. Simard arrested him a second time.

He told me he was having an addiction to money. He always wanted more and more and more. He [didnt] know where to stop, said Simard .

Vachon-Desjardins was released from custody, and it would be months before he would be officially charged with trafficking meth, cocaine, MDMA and marijuana.

It was around this time, in February 2020 while working from home and awaiting drug charges, that the FBI believed he first became active with NetWalker.

In January 2021, following his third arrest by Simard, this time on behalf of the FBI for alleged ransomware crimes in the United States, Vachon-Desjardins was taken to the Hull detention facility in Gatineau to await extradition.

He applied for bail in May. In his application, he said he was still employed by the federal government, but that his security clearance had been suspended pending an investigation by PSPC.

PSPC told The Fifth Estate in an email that as of Jan. 13, 2021, Mr. Vachon-Desjardins was no longer a PSPC employee, but would not confirm whether Vachon-Desjardins quit or was fired, citing privacy reasons.

It also said it took swift action to safeguard PSPCs employees, information and assets once PSPC was made aware of adverse information, and following an internal investigation, it found no evidence of a security breach or compromise to government information or assets.

Before Vachon-Desjardins could be extradited, his pending drug charges and the RCMPs ransomware case in Canada needed to be resolved.

Once we had his actual devices, we were able to get a far more clear picture of what he was doing. We were able to see, sort of with more clarity, the number of victims that he was victimizing, said Gammons.

The RCMP discovered some of those victims included Canadian educational institutions and businesses.

Investigators reached out to some victims they had identified, including Amacon, a real estate development firm in Vancouver that had been attacked in August 2020.

We had kept good logs and we were able to provide them IP addresses and timestamps, access logs, scope, and we were able to tie all of that together, working together with the RCMP to try to help put together a charge, said Arthur Keech, the firms IT manager.

Amacon didnt pay the $10,000 ransom.

I have a very strong position that you should never communicate or sort of consider any ransom with these individuals, said Keech

But six Canadian victims did give in to demands that allegedly came from Vachon-Desjardins, paying ransoms totaling $1.6 million, according to the agreed statement of facts filed in Ontario provincial court. Still, RCMP said few were keen to talk to them.

It was very hard to get the story, to get the information from them, because they were trying to protect their reputation, said Picard-Blais.

Most of the victims feel ashamed to come out in public or report it to the police.

Picard-Blais and his colleagues continued their investigation throughout 2021.

Then came a huge turning point in the investigation the RCMP got a call from Vachon-Desjardinss lawyer. He wanted to co-operate with police.

We had lots of evidence against him. And at that point, he probably felt stuck and that it was in his best interest to co-operate with us, said Picard-Blais.

Over two days in November 2021, Vachon-Desjardins gave a statement to the RCMP detailing his criminal activities involving Canadian victims.

I could feel that he was very proud of his work, said Picard-Blais.

WATCH | Sbastien Vachon-Desjardins tells police how he chose NetWalker victims:

Vachon-Desjardins confirmed that between May 2020 and January 2021, he targeted at least 17 Canadian victims, including a school in Quebec called Cgep de St. Flicien, the College of Nurses of Ontario, the town of Montmagny, Que., and his own former college, La Cit, in Ottawa.

The Fifth Estate/Enqute obtained part of Vachon-Desjardinss confession video, recorded at the Hull detention facility, from the RCMP.

Then were targeting the Canadian victims. We had like more than 15 to 20,000 networks of VPN access ... which was all the credentials, name and passwords, Vachon-Desjardins told police.

And we were going from there, one by one. We were starting to think: Is this network worth it? Are we [going] to the next one?

Weeks before his arrest, Vachon-Desjardins had transferred millions of dollars out of his bitcoin wallet. During his confession, he said it was to help fund a bigger and better version of NetWalker ransomware.

In January 2022, after he pleaded guilty to drug trafficking charges in Quebec provincial court, for which he received a 4 year sentence, Vachon-Desjardins was sentenced in Ontario provincial court to seven years in prison for his ransomware-related offences in Canada.

But it wasnt over yet. A few months later, he was extradited to face four counts in the U.S. including conspiracy to commit wire fraud, conspiracy to commit computer fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

Mark OBrien, a criminal defence lawyer in Tampa, was retained by Vachon-Desjardins. He remembers their first conversation.

Sbastien said, Mark, I did wrong. I want to accept responsibility for doing that wrong I want to tell the judge that I committed this crime and that Im sorry, said OBrien.

And that was his goal from the very beginning, which is unusual.

In June 2022 in the U.S. district court in Tampa, Vachon-Desjardins pleaded guilty to the four charges related to ransomware attacks in the United States.

I think Mr. Vachon Desjardinss motivation purely was greed. I think Mr. Vachon-Desjardins wanted to make as much money as fast as he could, and he had made millions and could have stopped. But he didnt, said Gammons.

Four months later, wearing an orange jumpsuit with a buzzcut, Vachon-Desjardins appeared in court to learn his sentence.

OBrien and Gammons had agreed on a joint sentencing submission of 13 to 14 years the lower end of the sentencing guidelines.

While Vachon-Desjardins was co-operative, according to Gammons, there werent any factors weighing in his favour that could further downgrade his sentence.

There was really nothing that I know about him that kind of led you to believe that he would commit crimes of this nature, said Gammons. He grew up living a very normal life [he] had two loving parents. He was gainfully employed.

Visibly outraged by the crimes, Justice William Jung gave Vachon-Desjardins 240 months in prison or 20 years, the highest sentence he could deliver, for what he called the worst case hed ever seen. Vachon-Desjardins will serve his Canadian sentences concurrently.

Jung said he would have given Vachon-Desjardins life had he gone to trial and lost.

He was disappointed but accepting, said OBrien of his client.

The FBI believes Vachon-Desjardins was one of 100 affiliates working with NetWalker.

International cyber cases, especially ransomware cases, are very hard to investigate, said Gammons.

And I think that a lot of individuals who commit these crimes dont think that theyll ever stand trial in the United States. I think that the 20-year sentence was a very good deterrence piece to prevent others who might consider committing this type of conduct, that maybe they should think twice.

Vachon-Desjardins remains in Pinellas County Jail in Clearwater, Fla., as he awaits his next hearing set for January, when restitution for his victims will be decided. He will then be assigned to a federal prison.

Top image: RCMP/CBC | Copy editing: Janet Davison