This is the third and final instalment of the Alberto Hill story – a Uruguayan infosec enthusiast and an ethical hacker who discovered and reported security vulnerabilities on a website belonging to a medical care provider.
Three years later he found himself arrested and subsequently imprisoned after being the target of Operation Bitcoins – a joint operation of the Uruguayan police and the national CERT, aimed at bringing the suspect for the hacking attack to justice.
Except, it did not happen that way…
This story finale took much longer to complete than Part 1 and 2 because, as Alberto told me, he spent some time dealing with his PTSD and depression issues that arose as result of what happened to him.
He said he could not get out of bed for days and also spent some time in a clinic, receiving treatment.
To me, this is the true aftermath of Operation Bitcoins – whatever the legal outcome is, there is the human drama and the personal tragedy of somebody who was not afforded the due process and whose name, reputation, health and wellbeing were irreparably affected…
What was the first impression of prison like for you? For somebody who was never incarcerated before?
It was bad.
“This is going to be complicated…” I told to myself as I entered the cell where I spent the first days.
After the court ruled my incarceration, I spent 5 days in a local jail where I underwent the various processes of evaluation, profiling, medical check up, etc.
Then my case was reviewed by the “comite de transferencia”, a committee that decides what prison to send you to. I ended up being sent to “INR UNIDAD 18 DURAZNO”, a small prison outside a city called Durazno, 200km away from Montevideo. It is a minimum security prison.
My first impressions were that of a person who is 40 years old and is taken to the sea for the first time in his life. You knew the sea was something that existed, you saw it many times in the movies. But the reality stills hits you and it’s overwhelming.
Prison, even the minimum security one, is a nightmare.
The cell I was first in had 12 other inmates, there was no available bed for me so I had to sleep on the floor initially. It wasn’t nice, and I knew I had to adapt myself to that place and those people. I did not belong there. This was their world, they were not going to change to suit me.
The prison was depressing, it was not dirty or anything, but I felt very uncomfortable. I did not feel much fear initially, but any fear I could have had of that place disappeared when I was released.
I would like to include a message for those reading this article. I lived this story, I went to prison.
For me it’s over, I survived, but it is not a place for you, if you are smart, skilled, use that to be productive, and help your family and your local community. Do not be tempted to take the path of easy money and crime, either cyber crime or traditional crime.
It is not worth it.
Of course, more than anything I feel such frustration because I was condemned to imprisonment as an innocent person. There was no need and no purpose for me to spend any time behind bars.
How did you spend your time in jail?
First thing I did was… I made a mistake, as another inmate later explained to me.
I used to count the hours until reaching the 2 months my lawyer told me he would wait before requesting my release on bail. The anxiety, the desire to be outside was so huge that I just wanted to end the nightmare of personal freedom deprivation.
Then I followed a piece of advice from Eduardo, an inmate who had been in the worst prisons of Uruguay in the past, he had previously served two sentences. He basically told me to live day by day, and not to desperately count the hours, nor days.
Anyway, I was used to being active all day, performing various tasks all the time, mostly anything that involved technology. But being there felt empty; days were dragging on endlessly and I only wanted them to be over so I could sleep. It might sound stupid, but this is how I looked at things.
Nobody starved in prison. The food was okay and there was food for everybody. Also you were allowed to receive food from your family so most of us did get one package with food, clothes and other items every week. We shared and helped those who did not get anything just because they had nobody outside to help them or their family couldn’t afford to send anything.
Cell phones without cameras were allowed, that really helped me a lot as I could spend hours on the phone with my mother. She was unable to visit me due to serious health problems she has.
We also had satellite TV and an old Playstation 2. After my first week where I had to sleep on the floor with inmates that were violent or volatile, I was transferred to a cell equipped with all the things I just mentioned. For me it was like transitioning from living on the street to moving to a 5-star hotel.
Summer was cruel, due to the heat. In the middle of the summer in 2018, to keep myself busy, I started to give basic computer classes to almost 50 inmates. It was a nice experience but not only that.
The implicit message that the prison authorities sent me, which was “we trust you”, meant a lot to me.
What is the legal process in Uruguay when somebody is in prison awaiting a court trial? What is usually going on in the background?
My prison detention was a preventative measure while the police continued their investigation. My lawyer was of the opinion that it was an evil tool, used to make you pay in advance for the crime you have not been found guilty for.
I might be wrong, but I think that about 70% of the inmates in Uruguay are not sentenced. They spend time in prison on remand, awaiting trial.
The theory is that while you sit in prison, the police work on your case, they keep collecting evidence, etc.
Well, that is just the theory and my lawyer put it clearly in one of his applications presented to the judge.
“The police in Uruguay only wants to have somebody behind bars for a crime, that is all they want, after that, they forget about the person, they forget about the case” – this is what my lawyer argued.
To have any chance at all, you should be able to pay for a lawyer. If you can’t afford one, you will get one provided by the government. Then you are in deep trouble.
One fellow inmate told me that he never had a conversation with the lawyer that was assigned to defend his case in about a year that he spent in prison.
In my particular scenario, after I left prison the case against me was exactly the same as it was the day I was sent to prison. Absolutely no progress had been made.
Understandably, this made me really upset and furious.
When did you eventually get out of detention in prison and how?
At the end of May 2018. After finally appealing the judge’s order and having received a negative answer to each of my 3 release requests prior to that.
But I was not a free man yet.
I could only get released on bail, which was set to an equivalent of USD 10.000. A significant amount of money for somebody like me.
So basically I spent 8 months of my life rotting in prison, in a potentially unsafe environment, for nothing.
I often wondered what would have happened if I got seriously injured or maybe even died as result of a fight between inmates or a prison riot.
I can’t explain how good it felt to hear the guards call your name to tell you that you could leave the prison without handcuffs. I was really happy.
If you were to prepare a list of everything that you think went wrong with this investigation from the point of view of preserving digital evidence in a suspected cyber crime, what would be on the list?
OK, this could be a long list!
1) No evidence of any connection from my home IP address to the victim’s website other than on one count, on 31/01/2017. So years after the insinuated crime. The firewall of Circulo Catolico apparently rejected that connection, so nothing happened on that occasion. As an analogy, it would be as if Shodan was used to scan their IP address. No intrusion!
In the investigation file there is no evidence or statement from anybody from my ISP.
2) Circulo Catolico tasked an employee with gathering server logs and sending them to CERT UY.
It should have been the other way around, it should have been somebody from CERT UY or the police that went to the facilities of the medical provider in order to obtain a witness statement and secure any potential digital evidence.
3) Server logs were exchanged in plain text via emails between Circulo Catolico and CERT UY. These email exchanges were deemed sufficient from the evidential point of view. They should not have.
4) Police officers were not adequately prepared to execute a search warrant in my house.
They were untrained, ill-equipped, not competent, they built no intelligence profile and did not know what to expect once they gained entry. They could not and did not secure digital evidence properly and left a lot of potential evidence behind.
5) The police communicated the arrest of a cyber criminal to the state prosecutor and also to the press.
One thing that was wrong was the trial by media before any proceedings started, but more importantly I was portrayed to the prosecutor as somebody who not only committed extortion but also was into carding or hacking banks accounts.
That chain of communication between the police and the state prosecutor was full of noise and bias.
In September 2019 a judge ordered that all the items seized during the search had to be returned to me. None of them were identified as tools or products of any crime.
So basically all the things displayed in a nice array as evidence on that table photograph, ready for the media to take pictures of, had to be returned.
You know, ironically this fact did not appear on any media, for whom I will always be the cyber criminal.
I guess judicial mistakes do not make for great newspaper stories.
6) The extortion email that was sent to Circulo Catolico had no bitcoin address for the ransom payment. The police knew this from the beginning.
It was either a bad joke or a blackmail attempt by an amateur cyber criminal. Nobody pointed that out during the investigation.
So 6 months after I was released from prison I went to court with my lawyer and only then was this fact mentioned for the first time. Even if the company wanted to pay the extortionist, there was no way they could have done it.
7) The logs produced by the company in a paper format showed an IP address that connected to the Circulo Catolico website transferred out about 150MB of information as result of the connection.
What would be the size of a database of your average medical provider? I have no clue, but let’s say perhaps 1 TB? 100GB? Maybe only 10GB or less?
I don’t know, but I know that 150 MB of information is not the size of a “stolen database” from a medical provider. That’s an equivalent of 15 or fewer high definition photographs or maybe 2 or 3 relatively short audiobooks…
8) No traces of malware, ransomware or any other malicious software were found in the systems of the medical provider. So this is another thing suggesting the whole extortion was a hoax and an empty threat. Nobody would have been able to destroy the medical company’s database.
What was your trial like?
I have NOT had a trial yet.
Since the 1st of November 2017 the justice system in Uruguay is more like the American model where trials are oral and conducted in public courtrooms. I was arrested earlier than that date so in my case the old criminal code applies, which is I think at least 50 years old.
Under those rules, the “trial” is done completely in a document-based format. A file is assigned for every case and that includes all the various evidence, like transcripts of interviews, photographs, forensic analysis documentation, legal requests filed throughout the process, etc. It also includes the judicial orders and whatever requests the prosecutor makes in each case.
The truth is that it is an endless process and it takes years. With the changes made in 2017 there is an option of a plea like in the USA. You plead guilty, you avoid the trial, and you might receive a reduced sentence if this is applicable to the case and the charges against you.
After so much energy and so many efforts spent during the last few years, I would seriously consider a plea in my case. The system I think is so diabolic that it can make an innocent person admit to having committed a crime because when you calculate the options, this is the best one you might have.
I would rather limit my prison time to the 8 months I already spent in prison and spend another 2 years under house arrest or obeying a curfew with a GPS on my ankle.
The alternative is not taking the plea, waiting for the legal proceedings (and so far I have been waiting 2.5 years) and then, if found guilty instead of doing the 8 months in prison, I could be sentenced to up to 5 years. I have no doubt that any innocent person would accept this, based purely on a calculation and estimation of risk that is very real if you lose your case in court.
What impact did all of this have on your personal life and your relationship with the girlfriend?
My girl broke up with me after almost 8 years of being together.
She was really badly affected by this whole situation, which created a deep division between the two of us that I don’t believe will ever get fixed.
Losing her was the worst outcome of this whole story.
Other than that, it seriously affected my health both physically and mentally, as it did my mother’s.
I am broke, both financially and emotionally.
It’s humiliating but I have to say that my mother pays my bills as my income equals zero right now.
There were several other factors that generated a lot of negative emotions in me, like anxiety, anger, fear, and so on. I mentioned in Part 1 that I was diagnosed with PTSD.
Last month I spent some time in a clinic as part of an unplanned therapy.
This is how I live now.
How does the story of Alberto “the hacker” end? How would you like it to end?
You will have to buy the book or go to see the movie about it to find out. No spoilers here!
I am just kidding.
One day all of this, all the negative feelings and experiences will vanish. They will stop being relevant.
A person cannot live with all that inside, you must learn to let go.
Obviously, I would like to be found not guilty and clear my name.
The only thing that I know for a fact is that regardless of me being found guilty or not, I will not return to prison. If I decide to take a guilty plea, I expect to be subject to a curfew and remote monitoring by a GPS bracelet or some tag. I feel like I served my time in jail already.
If the judge decides to give me a sentence nonetheless, I will appear to international courts.
I would like to put a happy ending to this story and that is one of the reasons I am spreading it all around the world.
Maybe there is a way to turn this bad experience into something positive.
I guess we will have to find out.