Attribution & Consequences: When You Get Caught
Every hacker thinks they won't get caught. Many are wrong. This chapter covers how attackers are identified, the legal consequences they face, and the OPSEC failures that lead to prison sentences. Understanding this completes the attack lifecycle story.
The cases in this chapter are real. Real people made real mistakes and faced real consequences, in several cases long prison sentences. This isn't theoretical - it's the end of the story that starts with "I'll just try this one thing..."
How Attribution Works
Attribution is the process of identifying who conducted an attack. It combines technical forensics, intelligence gathering, and often old-fashioned detective work.
ATTRIBUTION CHAIN:

| Technical Indicators | Operational Patterns | Human Intelligence |
|---|---|---|
| IP addresses | TTPs (tactics) | Informants |
| Malware samples | Working hours | Undercover ops |
| Infrastructure | Language clues | Seized systems |
| Code similarities | Target selection | Cooperative witnesses |
| Certificates | Tool preferences | Financial trails |
| Domains | Mistakes repeated | Social media OSINT |

All three streams converge on one outcome: a suspect identified, most often through an OPSEC failure that connected the anonymous persona to a real identity.
Technical Attribution
| Evidence Type | What It Reveals | Limitations |
|---|---|---|
| IP Addresses | Geographic location, ISP, VPN provider | Hidden behind VPNs, Tor, proxies and compromised hosts; true spoofing only works for connectionless traffic |
| Malware Code | Developer habits, language, reused code | Can be false flags |
| Infrastructure | Registrant info, payment methods, hosting | Privacy services, cryptocurrency |
| TLS Certificates | Creation patterns, reuse across campaigns | Easy to generate new ones |
| Timestamps | Working hours, timezone of attacker | Can be manipulated |
| Language Artifacts | Native language, keyboard layout | Can be planted |
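Two of the rows above, malware code and language artifacts, are usually worked by pulling strings and metadata out of whatever the attacker left behind. The following is an added example, not code from any of the cases on this page or from an actual investigation, that extracts a linker-embedded PDB path from a binary and the author fields from an Office document's docProps/core.xml. Both inputs are constructed inside the script: the user name "ivanov", the project path and the document properties are invented for illustration.

```python
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET

# --- Constructed sample 1: a buffer containing a CodeView "RSDS" record of the
# kind a Windows linker embeds in a PE file. A real sample carries it in the
# debug directory; here it is dropped into a byte string so the extractor can
# run offline. The path and the user name are invented.
PDB_PATH = b"C:\\Users\\ivanov\\source\\repos\\loader\\x64\\Release\\loader.pdb"
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 30            # PE-ish header padding (constructed)
    + b"RSDS"                       # CodeView signature
    + bytes(range(16))              # 16-byte PDB GUID (placeholder)
    + struct.pack("<I", 3)          # PDB age
    + PDB_PATH + b"\x00"            # NUL-terminated path
    + b"\x00" * 16
)

# Matches the per-user profile directory on Windows and captures the account name.
USER_RE = re.compile(r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Return every NUL-terminated PDB path that follows an RSDS CodeView header.
    Layout after the signature: 16-byte GUID, 4-byte age, then the path."""
    paths = []
    for match in re.finditer(rb"RSDS", blob):
        start = match.end() + 16 + 4
        end = blob.find(b"\x00", start)
        if end == -1:
            continue
        raw = blob[start:end]
        # Keep only printable ASCII that actually looks like a PDB path.
        if raw.lower().endswith(b".pdb") and all(32 <= b < 127 for b in raw):
            paths.append(raw.decode("ascii"))
    return paths


def pdb_indicators(path: str) -> dict:
    """Pull out the pieces of a PDB path an analyst pivots on: the account that
    built the sample, the project name and the build configuration."""
    user = USER_RE.match(path)
    segments = path.split("\\")
    return {
        "username": user.group(1) if user else None,
        "project": segments[-1].rsplit(".", 1)[0],
        "build_config": segments[-2] if len(segments) >= 2 else None,
        "full_path": path,
    }


# --- Constructed sample 2: a minimal OOXML package holding only docProps/core.xml,
# the part where Word/Excel/PowerPoint record creator and last-modified-by.
def build_sample_docx() -> bytes:
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Ivan Ivanov</dc:creator>"
        "<cp:lastModifiedBy>ivanov</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2023-04-11T06:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2023-04-12T19:45:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def office_metadata(docx_bytes: bytes) -> dict:
    """Read creator, last-modified-by and timestamps from an OOXML package
    (.docx/.xlsx/.pptx are all zip files with the same core.xml part)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag: str):
        element = root.find(tag, NS)
        return element.text if element is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


if __name__ == "__main__":
    for path in extract_pdb_paths(SAMPLE_BINARY):
        print("PDB:", pdb_indicators(path))
    print("Office:", office_metadata(build_sample_docx()))
```

A PDB path is only a lead: it names the account and build directory on the machine that compiled the sample, which may be a throwaway VM or a deliberately planted false flag, exactly the limitation the table's right-hand column warns about. Office properties can be edited just as easily, so treat both as pivots to corroborate against other evidence, not as an identification.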
The OPSEC Failure Pattern
Most public attribution successes trace back to an OPSEC failure - a moment where the attacker connected their anonymous persona to their real identity.
COMMON OPSEC FAILURES THAT LEAD TO ATTRIBUTION:
1. ACCOUNT REUSE
├── Same username on hacking forum and personal social media
├── Same email for criminal and personal activities
├── Same cryptocurrency wallet across identities
└── Same SSH key or PGP key
2. TIMING CORRELATION
├── Activity patterns match timezone
├── Offline during local holidays
├── Activity stops when real person is arrested
└── Pattern matches work schedule
3. TECHNICAL LEAKS
├── Logging into personal account from attack infrastructure
├── Testing malware from home IP
├── VPN disconnects exposing real IP
├── Metadata in documents (author name, location)
└── Debug strings with username/path
4. FINANCIAL TRAILS
├── Cryptocurrency to exchange requiring KYC
├── Using personal credit card for hosting
├── Money trail to bank account
└── Living beyond legitimate means
5. HUMAN SOURCES
├── Bragging to friends/associates
├── Co-conspirators who get caught first
├── Informants in criminal communities
└── Undercover law enforcement
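The timing-correlation item above (and the timestamps row in the technical attribution table) comes down to a simple histogram: if a persona's activity clusters in one band of UTC hours and goes quiet two days a week, the band gives the likely UTC offset and the gap gives the weekend. The script below is an added example, not from the original page, that scores every candidate offset in 30-minute steps against an assumed 09:00 to 18:00 local working window. The event log is constructed inside the script to mimic a weekday schedule at UTC+3; the working window and the 30-minute candidate grid are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working window used for scoring (hours, end exclusive).
WORK_START, WORK_END = 9, 18

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def build_sample_events() -> list[datetime]:
    """Constructed activity log, not real data: two weeks of events every half
    hour from 09:05 to 17:35 local time at UTC+3, Monday to Friday only, plus a
    few late-evening sessions. Returned as timezone-aware UTC datetimes, which
    is how server logs and forum timestamps usually arrive."""
    local_tz = timezone(timedelta(hours=3))
    start = datetime(2024, 3, 4, tzinfo=local_tz)  # a Monday
    events = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # Saturday/Sunday: the persona is offline
            continue
        for hour in range(WORK_START, WORK_END):
            for minute in (5, 35):
                events.append(d.replace(hour=hour, minute=minute).astimezone(timezone.utc))
        if day % 3 == 0:  # an occasional evening session
            events.append(d.replace(hour=21, minute=15).astimezone(timezone.utc))
    return events


def infer_utc_offset(events: list[datetime], step_minutes: int = 30) -> tuple[int, dict[int, int]]:
    """Score every candidate UTC offset (UTC-12 to UTC+14 in step_minutes
    increments) by how many events fall inside the assumed working window when
    viewed in that zone. Returns (best_offset_in_minutes, scores)."""
    scores: dict[int, int] = {}
    for offset in range(-12 * 60, 14 * 60 + 1, step_minutes):
        tz = timezone(timedelta(minutes=offset))
        hits = 0
        for ev in events:
            local = ev.astimezone(tz)
            hour = local.hour + local.minute / 60
            if WORK_START <= hour < WORK_END:
                hits += 1
        scores[offset] = hits
    # Highest score wins; on a tie prefer the offset closest to UTC so the
    # result is deterministic.
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


def weekday_profile(events: list[datetime], offset_minutes: int) -> dict[str, int]:
    """Events per local weekday; two empty days reveal the persona's weekend."""
    tz = timezone(timedelta(minutes=offset_minutes))
    counts = Counter(WEEKDAYS[ev.astimezone(tz).weekday()] for ev in events)
    return {name: counts.get(name, 0) for name in WEEKDAYS}


def hour_histogram(events: list[datetime], offset_minutes: int) -> dict[int, int]:
    """Events per local hour of day at the chosen offset."""
    tz = timezone(timedelta(minutes=offset_minutes))
    counts = Counter(ev.astimezone(tz).hour for ev in events)
    return {h: counts.get(h, 0) for h in range(24)}


if __name__ == "__main__":
    events = build_sample_events()
    best, scores = infer_utc_offset(events)
    sign = "+" if best >= 0 else "-"
    print(f"{len(events)} events; best fit UTC{sign}{abs(best) // 60:02d}:{abs(best) % 60:02d} "
          f"({scores[best]} inside {WORK_START:02d}:00-{WORK_END:02d}:00 local)")
    print("per weekday:", weekday_profile(events, best))
    print("quiet hours:", [h for h, n in hour_histogram(events, best).items() if n == 0])
```

The method needs enough events to show a daily rhythm, and it is exactly what a disciplined attacker defeats by scheduling activity to mislead. Treat the result as one more thread to pull, to be corroborated against language artifacts or infrastructure registration times, not as a location.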
Case Studies: How They Got Caught
Ross Ulbricht (Silk Road) - "Dread Pirate Roberts"
The Operation: Created and operated Silk Road, the first major dark web marketplace.
OPSEC Failures:
- The "altoid" account that first promoted Silk Road on forums later posted a job ad giving his real email (rossulbricht@gmail.com)
- Asked a Stack Overflow question about connecting to Tor hidden services under the name "Ross Ulbricht", then changed the account name to "frosty"
- Arrested in a San Francisco public library while logged in to Silk Road as administrator; agents seized the open laptop before he could lock it
- Saved incriminating journal on his laptop
Lesson: Early mistakes persist forever on the internet. You can't un-post.
Hector Monsegur (LulzSec) - "Sabu"
The Operation: Led LulzSec, responsible for Sony, PBS, FBI affiliate hacks.
OPSEC Failures:
- Connected to IRC without VPN/Tor one time - real IP logged
- IP traced to his grandmother's apartment in a NYC public housing project
- Once caught, cooperated with the FBI as an informant for roughly 10 months
- Led to arrests of other LulzSec and AntiSec members
Lesson: One slip is all it takes. And your co-conspirators might be informants.
Jeremy Hammond (AntiSec) - "Anarchaos"
The Operation: Stratfor hack, released 5 million emails via WikiLeaks.
OPSEC Failures:
- Sabu (Monsegur) was already an FBI informant when Hammond joined
- FBI provided the server Hammond used to store stolen data
- Every message to "Sabu" was read by FBI
- Arrested at home in Chicago
Lesson: You never know who's already cooperating with law enforcement.
Marcus Hutchins (WannaCry Stopper) - "MalwareTech"
The Operation: Famous for stopping WannaCry, but earlier created Kronos banking malware.
OPSEC Failures:
- Used same online personas for legitimate security research and criminal activity
- Arrested at Las Vegas airport in August 2017 after attending DEF CON (he had entered US jurisdiction)
- Earlier forum posts linked his handles
- Co-defendant cooperated
Lesson: Past crimes don't disappear. Becoming famous brings scrutiny.
Evgeniy Bogachev - "Slavik" (GameOver Zeus)
The Operation: Created Zeus/GameOver Zeus, stole hundreds of millions.
Why Still Free:
- Lives in Anapa, Russia - no US extradition
- Allegedly provides services to Russian intelligence
- Protected by Russian government
- Cannot travel to countries with US extradition treaties
Lesson: Jurisdiction matters. But you're confined to safe harbors forever.
Legal Consequences
United States (CFAA)
The Computer Fraud and Abuse Act (18 U.S.C. § 1030) is the primary federal hacking law. Penalties are severe.
| Offense | First Offense | Repeat Offense |
|---|---|---|
| Unauthorized access to protected computer | Up to 1 year | Up to 10 years |
| Unauthorized access + obtaining information | Up to 1 year (5 years if for gain, in furtherance of another crime, or value over $5,000) | Up to 10 years |
| Damage to protected computer | Up to 10 years | Up to 20 years |
| Fraud in connection with computers | Up to 5 years | Up to 10 years |
| Extortion involving computers | Up to 5 years | Up to 10 years |
| Trafficking in passwords | Up to 1 year | Up to 10 years |
Prosecutors often stack multiple charges. A single intrusion can produce counts for unauthorized access, wire fraud, aggravated identity theft, money laundering, and conspiracy. Each count carries its own maximum; in federal court sentences on multiple counts usually run concurrently, but some statutes (aggravated identity theft under § 1028A) require a consecutive term, and the stacked maximums give prosecutors enormous leverage in plea negotiations.
Additional US Laws
OTHER LAWS COMMONLY APPLIED:
Wire Fraud (18 U.S.C. § 1343)
├── Up to 20 years per count
├── 30 years if affecting financial institution
└── Broad interpretation - any scheme using electronic communication
Aggravated Identity Theft (18 U.S.C. § 1028A)
├── Mandatory 2-year sentence, served consecutively to the underlying felony
├── Added on top of other charges such as wire fraud or CFAA counts
└── Triggered by using a real person's means of identification (name, account, credential) during and in relation to a listed felony
RICO (18 U.S.C. § 1962)
├── Up to 20 years
├── Asset forfeiture
└── Used for organized cybercrime groups
Economic Espionage Act (18 U.S.C. §§ 1831-1832)
├── § 1831 (theft to benefit a foreign government): up to 15 years, up to $5 million fine for individuals
├── § 1832 (ordinary trade-secret theft): up to 10 years
└── Stealing trade secrets
Conspiracy (18 U.S.C. § 371)
├── Up to 5 years
├── Applied to group activities
└── An agreement plus one overt act by any conspirator is enough; the attack does not have to succeed
International Laws
| Country | Primary Law | Maximum Penalty |
|---|---|---|
| UK | Computer Misuse Act 1990 | 10 years (14 for national security) |
| Germany | §§ 202a-c, 303a-b StGB | 3 years for data espionage (§ 202a); up to 10 years for serious computer sabotage (§ 303b) |
| Australia | Criminal Code Act 1995 | 10 years |
| Canada | Criminal Code §342.1 | 10 years (indictable offense) |
| EU | Directive 2013/40/EU | Member states must set maximum penalties of at least 2 years (basic offences), 3 years (e.g. botnets), 5 years (organised crime, serious damage, critical infrastructure) |
Extradition
EXTRADITION REALITY:
Countries that WILL extradite to US:
├── UK, Canada, Australia, most of EU
├── Japan, South Korea
├── Most of Central/South America
└── 100+ countries with treaties
Countries that WON'T extradite to US:
├── Russia (many hackers' safe haven)
├── China
├── Iran, North Korea
├── Belarus, Cuba, Venezuela
└── Some Middle Eastern countries
THE CATCH:
├── You can never leave the safe country
├── Any travel to extradition country = arrest
├── Even layover in airport can trigger arrest
├── Interpol Red Notices (requests to locate and provisionally arrest, not warrants themselves) follow you to every member country that honors them
└── Living as a fugitive is not freedom
The Investigation Process
INVESTIGATION TIMELINE:

DETECTION [days to months]
├── Attack detected
└── Referred to FBI / Secret Service

INVESTIGATION [months to years]
├── FBI / Secret Service investigates
├── Subpoenas, search warrants, MLAT requests for evidence held abroad
└── Evidence collection

LEGAL PROCESS [months to years]
├── Grand jury indictment
├── Arrest warrant
├── Arrest (typically a 6am raid)
├── Trial or plea deal (about 95% plead)
└── Sentencing: prison plus restitution

POST-ARREST
├── Devices seized
├── Accounts frozen
├── 95%+ of cases end in a plea
└── Cooperation = less time
What Happens at Arrest
THE 6AM KNOCK:
Typical federal arrest:
├── Early morning (5-6am) at residence
├── Multiple armed agents
├── Search warrant executed simultaneously
├── All electronic devices seized
├── Vehicles may be seized
├── Bank accounts frozen
└── Family members questioned
What they seize:
├── All computers, phones, tablets
├── External drives, USB sticks
├── Gaming consoles (can store data)
├── Smart home devices
├── Routers (may have logs)
├── Printed documents
├── Cryptocurrency hardware wallets
└── Notebooks, sticky notes
What happens next:
├── Transported to federal facility
├── Bail hearing (often denied for flight risk)
├── Discovery process (see the evidence)
├── Plea negotiations (95% of cases)
└── Trial or sentencing
The Cooperation Calculation
Most cyber criminals face a choice: fight the charges or cooperate. Cooperation dramatically reduces sentences but comes with costs.