Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers
A 21-year-old from Virginia plead guilty to writing and selling a keylogger used to spy on more than 16,000 victims.
A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes.
Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.
Read more: The Motherboard Guide to Not Getting Hacked
Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds.
There's very little other information about the case, as the indictment or criminal complaint are not posted online, likely still under seal, according to the court's clerk office. The only relevant public document is the one posted below, which says Shames aided and abetted computer intrusions by marketing and selling "certain malicious keylogger software, knowing that the software was going to [...] intentionally cause damage without authorization."
While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a a security researcher who asked to remain anonymous.
A user named "Mephobia" advertised it on Hack Forums, a popular hacking messaging board, on March 14, 2013, asking for a $35 "lifetime" subscription, asking for payments via PayPal and bitcoin.
In 2011, Mephobia also advertised a bot programmed to spread itself through Omegle, a chat service popular with teenagers, claiming it was made by ROCKNHOCKEYFAN. A profile on Quizlet, an e-learning website, under the name of, an e-learning website, under the name of "rocknhockeyfan" appears to be owned by Shames. Moreover, in another Hack Forums thread, the same user who advertised the spyware posted a chat log that revealed his real name as Zach Shames.
According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.
I tried calling a number associated with Shames but he did not return the call, he also didn't respond to a Facebook message. His lawyer also didn't respond to a phone call and an email. After leaving a voicemail, the U.S. Attorney's Office for the Eastern District of Virginia did not respond to a request for comment made via email and voicemail.
Shames will be sentenced on June 16 and faces a maximum of 10 years in prison.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.