We continue last week’s story of Alberto Daniel Hill (@ADanielHill), who was arrested by the Uruguayan police in September 2017 after conducting a spontaneous website security assessment a few years earlier.
Alberto thought he was doing the right thing and he had duly reported his findings to the national CERT.
He found himself detained and questioned in police custody – but the worst was yet to come…
Continuing the story where we left off last week – I am guessing that the next step in the police investigation was the execution of a search warrant at your home address. How did that happen?
Three police officers from the Uruguayan Interpol office brought me to my apartment on the 10th of September 2017. I was still in custody.
Contrary to the subsequent media reports, the police knew nothing about me, my background, my work or my hobbies.
They were surprised by what they found at my place. I guess if they had done their homework, they would have known what to expect at the dwelling of somebody who spent most of their life in IT security.
When we entered my apartment, the police officers could not believe the number of devices, computers, gadgets, digital storage media, computer parts and other things that they saw.
And for the majority of those, they did not have a clue what they were looking at.
What kind of electronic equipment did you have at home and what was seized?
I probably had anything you could imagine.
I love all computer gadgets, in particular those related to security. If I remember correctly, I had every device that was available at the Hak5 Store at that time.
So a total of 7 laptop computers of varying age and specs, 5 mobile phones and SIM cards, some Arduino single-board microcontrollers, a few Raspberry Pis, tons of hard disks, a lot of ancient tech. I even had the 3-inch diskettes, the ones used by the Amstrad in the 1980s.
And a Spectrum Plus 3, a couple of Sinclair computers, all sorts of floppy disks, SanDisk compact flash drives – basically any piece of technology that was used throughout the last few decades.
The police even seized an Iomega Zip 250 drive. I don’t know how they planned to analyse that.
They probably even considered taking the old Blonder Tongue modulator for television transmissions, but left it be as they could not figure out what it was for…
You mentioned at the end of our Part 1 interview that you had some bitcoin. What was the deal with that?
I had some bitcoins, but they were not all mine. Some belonged to my ex-girlfriend. I stored our bitcoin private keys in a Ledger Nano S hardware wallet.
I had numerous Ledger Nano S hardware cryptocurrency wallets, a box of them actually, due to the fact I was working with Ledger, the French company that produced them. I was an approved distributor for Ledger products in Uruguay and in Argentina.
Information to that effect was on Ledger’s website. And as you know, bitcoin is not illegal, even though it is being abused by criminals, like any other tech – smartphones, cars, Internet in general.
So far, everything had an explanation and nothing could have been explicitly linked to illegal activities.
The problem however was that the police officers did not want to listen to any explanations. For them everything had a link to criminality.
And bitcoin was mentioned in the extortion letter to Circulo Catolico.
So the cops put two and two together and made five.
So what was the legal basis for the search?
The police had a court warrant for search and seizure of “electronic media”. They interpreted that definition very liberally and selectively.
I later realised that the search warrant was severely flawed.
It actually named the defendant as “Alvaro Daniel Hill”, instead of Alberto.
The court-authorised date for the search was wrong: it was the 7th of September instead of the 10th.
Effectively, there were so many irregularities around this search that I don’t believe anything that was taken during it could have been used as legally admissible evidence. It was based on completely flawed legal documentation.
And it was a joke, the way the search was conducted. Because the police guys arrived unprepared and were overwhelmed by the amount of computer equipment they found, they had a problem with packing it all and removing it from my place.
They had no means of storage, no evidence bags, nothing. I think they were just expecting to find a desktop PC in my apartment that one could carry away under their arm. So they started taking bags, backpacks and cardboard boxes from my apartment to load all the seized equipment into.
Can you imagine this level of ineptitude? Sending people on that job who haven’t a clue? Not a single evidence bag, not a single anti-static bag for hard drives, not a single Faraday bag for mobile devices.
This proves gross incompetence, I think; this and the seizure of random unrelated items like bitcoin stickers, physical collectable bitcoin coins, a plastic Anonymous mask, a guillotine to cut paper, an LED torch, a paper shredder…
What happened after the search?
We went back to the Interpol offices for more questioning.
During the search the cops also found over a hundred blank magnetic cards and a card writer / reader device.
So straight away they were absolutely sure that I was in the business of carding, which means I was cloning people’s credit cards and using them to steal money from people’s bank accounts.
They did not consider, even for a second, that there could be other explanations.
And were there?
Absolutely! If the police had done any profiling or any research at all, they would have discovered that I was the distributor of Uquid debit cards for Latin America.
Uquid is a cryptocurrency payment system project that I was involved in at the time.
I won’t get into the details here so as not to detract from my story, but you can take a look at the project’s whitepaper here.
So these Uquid cards, you could charge them with cryptocurrencies and then use them as a universal means of payment.
All the card-related equipment that I had was for research purposes. I needed to understand how the cards worked and also test their security features. Blank magnetic cards are not illegal to have, and the card reader / writer device can be bought openly on the Internet.
I experimented a good bit with this equipment and that is also why the police found a number of real credit and debit cards. All were valid and all were under my name.
The police prepared a press release related to the investigation, which influenced what was later published in the news. This included the most important newspaper in Uruguay, which ran the story accompanied by a photograph of the cards, the card equipment and the description:
“The hacker was also involved in cloning credit cards”.
Publishing this stuff and doing it in such a way was so irresponsible and unethical.
Basically, a trial by media before anything was proved or disproved. A conclusive statement that you cannot debate with or show your side of the story. With no way for me to clear my name.
Now that I got my card equipment back, do you know how many fraudulent cards were found?
If there had been, the police would never have returned any of this to me. I never cloned people’s credit cards.
From looking at the documentary evidence from the search, available here, I noticed the police found a lot of cash in your apartment. How do you explain that?
I had the following amount of money in the apartment, which as you said has been documented:
- 8,000 euros;
- 1,400 US dollars;
- 3,000 Uruguayan pesos;
- 150 Brazilian reals.
I also had some smaller amounts of Argentinian, Paraguayan and Chilean currencies. This money was not seized for some reason, it was left behind in the apartment.
I had this cash from the photo as a result of buy / sell transactions with people on LocalBitcoins.
Once again, there was a perfectly normal explanation to this money and I tried to communicate that to the police.
Here are my profiles from LocalBitcoins I used at the time:
That cash in my apartment was not some huge amount. Most of the money I had was in Bitcoin and other cryptocurrencies, in secure wallets or on cryptocurrency exchange accounts.
The police did not even think about researching this and understanding the mechanisms of storing value on the blockchain.
They did however cause irreparable harm to me – I lost a lot of money from the exchange wallets after my cellphone with two-factor authentication for those online accounts was seized.
I offered them all my PIN codes, credentials and so on.
I had plenty of proof that my money was legitimate. Again, nobody wanted to listen.
I only recovered my cellphone with 2FA in November 2019. Sadly, the exchange I kept my cryptocurrencies on closed the previous year, along with every account that existed on it.
The phone itself is currently held by a notary as a piece of evidence for any further legal actions against the police or the justice department.
I don’t know exactly what happened to the phone while the police had it, but I know it was still turned on while in the police evidence deposit. So much for preserving digital evidence…
The phone was seized on the 10th September, but from the 11th September to the 15th September 2017 it was still on and connecting to Google. I took a screenshot from my Google account’s timeline:
How long were you in police custody for, in total?
Almost 48 hours, two long days.
During that time I was not given any of the medication I take – tablets for anxiety, antidepressants, and medication for the ADHD disorder, all of which left me in a state of confusion.
The lack of medication really made me anxious and I could not think clearly.
I just wanted all of that to end. The questioning continued.
What kind of questions were you asked during the police interviews?
Mainly about the hack of Circulo Catolico and the extortion email.
The police relied on the report from the Uruguayan CERT. The email was presented only in a paper format, with no details about how they retrieved the email, when, from where, who did it and what tools they used.
No measures of any kind were taken to ensure a forensically sound process and to guarantee the integrity of the information. Same story as the firewall logs from Circulo Catolico that were not acquired digitally, but printed out on sheets of paper.
The police, CERT UY or the company could have at least computed a hash of the email as a digital file to show that it was the original one. No chain of evidential custody, nothing.
The most relevant part of the email, which is in Spanish, reads:
ALL THE MEDICAL RECORDS WERE COPIED AND SEVERAL KINDS OF MALWARE HAD BEEN INSTALLED, AND THEY CAN ACTIVATE ANYTIME TO ENCRYPT THE SYSTEMS SO YOU WON’T BE ABLE TO ACCESS THEM.
IF YOU WANT US TO REMOVE ALL MALWARE SEND US WITHIN 24 HOURS 15 BITCOINS TO THE FOLLOWING ADDRESS:
And the address part is missing. I can’t explain why, maybe the criminal forgot to copy and paste it there?
It was impossible for me to explain anything to the police officers during the questioning, they were clearly not the right guys for the job. They had no knowledge or understanding of technology.
Their other questions were something along the lines of:
“Where did you get all the money?”
“Why did you have so many computers?”
“Why did you have so many monitors?”
“Did you work for the Russian / Argentinian mafia?”
So what happened then? I mean, after a certain period of time they either had to release you from detention or charge you with something, right?
On Monday morning I was taken to court again. Luckily, my mother was able to get me a great lawyer who was confident everything was going to end that day. This was the first time I had access to legal representation.
My lawyer used to be a criminal judge himself, but he had left his judicial job 2 months before my case.
I was his second client as a private lawyer.
He knew how the system worked, he knew the other judges, so I was hopeful.
During the court sitting the prosecutor pulled out some notes from the file and asked me why I had a device called USB Killer. I can’t remember what I told him, I was probably trying to explain what the device was, but it was like talking to a wall.
Then he produced another page with the picture of a USB drive next to a ruler and asked me whether I was aware that the USB drive had 12 viruses on it. He said it in such a way that I was not sure whether he was asking me if this was correct or making a factual statement.
I tried telling him that I worked with Metasploit, which is a popular penetration testing framework.
Part of that includes creating payloads for exploits that could be detected as viruses.
But honestly, I was so tired and weary that all I wanted was to go to my bed and sleep.
My reply was an inarticulate and underwhelming one:
What did that court procedure look like? Was it a bail hearing?
It lasted a couple of hours. My lawyer was enumerating all the reasons as to why prison was not an appropriate measure for my case. So yeah, it was like a bail hearing.
I had no criminal record, I was not a dangerous or violent person, I did not fit the profile of somebody who was going to abscond. I was not being accused of violent crimes. I was not even officially charged with anything at that stage of the process.
But the judge did not listen to any of these arguments.
She said I was a flight risk and due to my knowledge of computers I could potentially affect the ongoing investigation. She said she would send me to prison as a preventative measure.
It felt as if somebody closed a steel trapdoor over my head.
My eyes were full of tears and it felt like the world had come to an end for me.
I was going to prison.