Hieu Ngo, an ex-cybercriminal and now cybersecurity consultant, offers a glimpse into his former life of illicit business
By the time he was 25, Vietnamese hacker turned-cyber security consultant Hieu Ngo had earned more than US$3 million by selling stolen identities to cybercriminals on the dark web. He had also already spent the first two of a seven-year stint in the US federal prison system.
What started in his middle-school days as hobbyist hacking had escalated in seriousness over several years, and Ngo would finish high school selling customer data stolen from online shopping sites.
In 2010, in his early 20s, Ngo launched an online business that turned big profits selling identities he had hacked from the databases of various US organisations. Three years later he was arrested in something of a sting operation orchestrated by the US Secret Service.
Ngo, who will be a speaker at CISO Sydney 2022, spoke with Business of InfoSec to talk through just a few details of his intriguing story, from his early days to making money, his arrest and subsequent release.
“It all just started as a hobby,” Ngo says. “When I first started, I was in middle school. I was hanging out on the dark web and getting on hacker forums in Vietnam, chatting with others. In the beginning, we just did it for fun; stealing identities and other sensitive information and sharing it for free on the internet.
“It was just a hobby, we were so young we were just kind of showing off, you know?”
Ngo says it wasn’t until he was in high school, at around age 16, that he started to make money after being told by friends about the paid market for stolen identities.
“I started hacking into online shopping websites and stealing their customer databases, then I’d use that for other criminal activities and sell it to other hackers,” he says.
“I’d sell credit card details, bank accounts, social security numbers, drivers licence numbers, stuff like that.”
Ngo saved money from these sales and travelled to New Zealand to study. He was under pressure from his family to go straight and pursue a legitimate career. However, he soon found himself resuming his hacking, which almost led to him being caught by authorities in Auckland. He made a hasty exit back to Vietnam.
“I told my parents that I would really try to change and be a better person, but I was still too young and too dumb and stubborn. That’s one of the key things, and selfish,” he says.
Escalating crime and apprehension
Back in Vietnam, Ngo put the brakes on hacking and resumed university studies at his parents’ request, but it was a short-lived hiatus.
“I followed my parents’ advice again, but it was only a few months before I fell back into hacking after meeting up with other cybercriminals in Vietnam, who got me into stealing IDs and social security numbers from US citizens. That data was going for a very good profit online, so I was focused on getting those kinds of databases.
“From one meeting in a coffee shop to a month later, I was building websites and hacking into many sites. I started making a lot of money.”
Ngo’s actions with respect to US IDs drew the attention of the US Secret Service, who laid a trap for him to attend a meeting with another cybercriminal in Guam.
“In 2010 I opened my website for selling off IDs, the business was running for about two years but then one of my customers cooperated with the US government and found out everything about me,” Ngo says.
“On February 7, 2013, I was arrested. I was facing up to 40 years in prison. I was fighting my case while at the same time being very cooperative with the US government. I helped them with my knowledge and my sentence came down to 13 years when I was sentenced in July 2015.”
While continuing to support the US government’s efforts to track down other ID thieves from prison, Ngo says he applied to education programs as a means to better himself and prepare for life on the outside. During his court proceedings, he had heard stories of the harm his actions had caused families, which he says drove home a deep sense of wrongdoing and regret.
In November 2020, after seven years of being incarcerated, Ngo was released on the grounds of cooperation and time already served. He spent another several months in immigration detention due to the COVID-19 pandemic.
“It was very tough, being away from my family, and I had very little knowledge of English, so I was trying to improve every day, I had no choice,” he says.
“But I am grateful right now. When I talk about my experience in the US and my prison time, I’m grateful because it changed me a lot. It made me into another person. I feel like I was reborn in a way because I understand what I have to do with my life to be a useful person.”
Since his release in late 2020 and return to his homeland of Vietnam, Ngo has pledged to help reduce cybercrime and track criminal activity. He is currently helping the Vietnamese National Cyber Security Centre monitor the web for threats.
“Our mission is to nationally protect Vietnamese institutions, government or business and anything like that from threats internal and external,” he says. I’m helping them monitor the internet and doing cybersecurity research. Mainly I’m threat hunting. I hunt the kinds of people that I used to be,” he says.
“I still have contacts in the dark web so that is helpful in tracking certain activities and threats, as well as looking for those who are causing damage.
“There have been cyber criminals that I’ve helped catch. But the thing is they are so young, like 15 and 16-year-olds. They are in the same place I was back when I started. I try to talk to them and set them right. I know of two that are doing a lot better now, which is good, they are too young to understand the implications of what they are getting into.”
Ngo says so many cybercriminals will fit this young, tech-savvy hobbyist profile and he would like to see them reformed before they end up in prison.
“I learned from my very costly lesson. I realised that everybody should have a second chance. Those youngsters, I spoke to them and am honest with them. I tell them everything about my life, what happened to me, and what they should do to be better people.
“Some of them do listen, while others probably feel like, ‘OK whatever man’. For those who listen and have the will to change and be productive, it’s fine to give them a second chance.”
Ongoing security challenges
Ngo says part of the security challenge in Vietnam is that people are all too willing to share their data openly online, on social media, with little understanding of the potential consequences.
“There is such a lack of knowledge of cybersecurity, even the basic stuff. People don’t know how to protect their information. They don’t know how to set up strong passwords or two-factor authentication,” he says.
“They just go on Facebook and share all kinds of information. They still do not recognise the value of their own information. They freely share things like date of birth, email, phone numbers, identification, and sensitive stuff like pictures.
“Bad actors use that information to create fake profiles to scam others, some use that info to steal Facebook accounts and use those for phishing attacks.”
Ngo says identity theft today is as prevalent as ever. With sensitive information being regularly sold off on the dark web in huge volumes. The supply of information is high and the prices can be very low.
“From the news you see so many big organisations getting hacked, having their data breached and leaked to hackers to resell it. Sometimes for very little money,” he says. “In some cases, just $500 will be enough to buy a whole database.”