Three young men (21, 21, and 18) have been arrested by Amsterdam’s cyber crime police as part of an investigation into hacking, blackmail, theft, and money laundering. The investigation pertains to stolen data belonging to tens of millions of people. A justice department spokesperson said that one of the three arrested is a:

“very clever hacker who has come on the police radar before.”

It was also announced that one of the men was a volunteer at the Dutch Institute for Vulnerability Disclosure (DIVD), an organisation that frequently works with law enforcement to warn companies of vulnerabilities in their infrastructure. There are over 100 volunteers at DIVD, many of whom have access to highly sensitive data.

A screenshot of DIVD's website showing their mission statement.

A two-year investigation

The investigation started back in March 2021 following a breach at a large Dutch company. The modus operandi of the hackers is not dissimilar to that of a ransomware gang: the hackers gain access to the victim’s systems, send a threatening email, and demand money in the form of Bitcoin. If payment isn’t received, the hackers steal corporate data and then destroy the company’s network.

Typical monetary demands range anywhere from €100-700k and Dutch police have estimated that the hackers have generated an income of more than €2.5 million.