UPDATE: Milleson’s co-defendant has also pleaded guilty to numerous charges.
Original story below…
BALTIMORE, MD—A Timonium man has pled guilty in federal court on charges of aggravated identity theft in connection with with schemes to use the identity information of victims to steal digital currency and social media accounts.
Chief U.S. District Judge James K. Bredar sentenced Jordan K. Milleson, 20, to two years in federal prison, followed by one year of supervised release, for aggravated identity theft, in connecting with schemes to use the identity information of victims to steal digital currency and social media accounts.
The guilty plea and sentence were announced by Acting United States Attorney for the District of Maryland Jonathan F. Lenzner; Special Agent in Charge James R. Mancuso of Homeland Security Investigations (HSI) Baltimore; and Chief Melissa R. Hyatt of the Baltimore County Police Department.
According to his plea agreement, since at least September 23, 2017, Milleson was a computer “hacker” who accessed computers, networks, and electrometric accounts without authorization to perpetrate fraud schemes.
As detailed in the plea agreement, between September 23, 2017, and July 29, 2020, Milleson set up Internet domains and fraudulent websites, designed to appear to be legitimate websites belonging to wireless providers, but which were intended to steal account credentials and enabled Milleson and his co-conspirators to access unsuspecting victims’ electronic accounts without authorization. Milleson used techniques such as phishing and vishing to deceive victims into visiting the fraudulent websites and providing their credentials to access their electronic accounts. Victims of phishing attacks were generally contacted by e-mail, phone, or text message by persons purporting to be from reputable companies in order to induce the victims to reveal confidential information. Vishing is “voice phishing” where imposters use Internet phone services to trick victims into turning over critical financial or personal information over the phone.
Milleson admitted that he and his co-conspirators used electronic account credentials stolen from employees and affiliates of wireless providers to access those companies’ computer networks without authorization. After obtaining access to these networks, Milleson took over individual victims’ wireless accounts through “SIM swapping,” whereby customers’ mobile numbers, which are linked to unique subscriber identity modules (“SIM”), were instead linked to a SIM installed in a device controlled by Milleson or his co-conspirators. Once Milleson gained control over the victims’ mobile phone numbers, he was often able to also gain unauthorized access to the victims’ other electronic accounts, including e-mail, social media, and cryptocurrency accounts. Milleson and his co-conspirators changed the passwords to the accounts to prevent the victims from accessing their own accounts.
As detailed in the plea agreement, Milleson used stolen account passwords to take over social media accounts of Victim 1 and Victim 6, both of whom had thousands of followers and had monetized their accounts through sponsored links, product placements, and product reviews. Milleson changed the email address and password of the accounts, preventing Victim 1 and Victim 6 from accessing their accounts, and posted material to the victims’ accounts without their authorization. As a result of the takeover Victim 6 lost all of their followers on one of their social media accounts and was unable to advertise to them, losing their “brand deals,” the proceeds of which had been used to pay for college tuition, transportation, and groceries.
Milleson also admitted that, using a fraudulent website hosted at the domain Milleson registered, Milleson stole the login credentials of Victim 2, an employee of a third-party retailer for a wireless provider, who had access to the wireless provider’s computer networks. Milleson and others used the credentials of Victim 2, to gain access to the provider’s computer network system and execute SIM swapping attacks, taking control of the wireless calls and text messages sent to the accounts of Victim 3, Victim 4, and Victim 5.. This swapping attack resulted in the transfer of approximately $19,029.48 in digital currency from accounts belonging to Victim 3 and Victim 5. In addition, Victim 4 had a social media account with a two-character username, coveted by other social media users for its uniqueness and simplicity. On about June 25, 2019, Milleson took unauthorized control of Victim 4’s social media account. On January 25, 2020, Victim 7’s mobile phone stopped working as a result of a SIM swapping attack. Soon thereafter, Victim 7’s personal email password was reset without authorization. An unauthorized user then accessed Individual Victim 7’s account on a digital currency exchange and stole digital currencies worth approximately $12,300 at the time.
On June 26, 2019, a co-conspirator anonymously called the Baltimore County Police Department and falsely reported that he, purporting to be a resident of the Milleson family residence, had shot his father at the residence. During the call, the co-conspirator, posing as the purported shooter, threatened to shoot himself and to shoot at police officers if they attempted to confront him. This call was a “swatting” attack, a criminal harassment tactic in which a person places a false call to authorities that will trigger a police or special weapons and tactics (SWAT) team response—thereby causing a life-threatening situation.
Following his indictment, Milleson’s home was searched on June 29, 2020. Review of the devices seized from Milleson at that time showed that they were used to complete two-factor authentication password resets for several digital currency account and contained login credentials and passwords belonging to Individual Victims 1 and 6. Investigators also recovered incriminating messages between Milleson and his co-conspirators that detailed the group’s methodology of account infiltration and cryptocurrency theft.
Milleson entered his guilty plea on Wednesday. Chief Judge Bredar also ordered Milleson to pay restitution of $34,329.01.