Taking Down a Canadian Ransomware Hacker

img blog Taking Down a Canadian Ransomware Hacker r1

If you type in ransomware and Canada, you’ll find countless articles about Sébastien Vachon-Desjardins, an IT analyst for the Canadian federal government. The stories are so sensational, it’s hard to believe his veracious appetite for crime. Not only did his arrest reveal that he was responsible for the largest cryptocurrency seizure in Canadian history, but he was also trafficking massive amounts of meth, cocaine, MDMA, and marijuana.

Based on the fact that he had enough waking hours every day to be one of the most successful hackers in NetWalker – a criminal ransomware group thought to be tied to Russia – a drug trafficker, and an international conspiracist, we think he may have used a great deal of the drugs he profited from. That, and the fact that he looks nothing like his former fit self, are pretty good indicators of ongoing drug use. 

But, that wasn’t what he was addicted to… money was.

In a sensational article by the CBC, they wrote, “An FBI investigation into a criminal ransomware gang believed to be tied to Russia led to a Canadian government employee in Gatineau, the largest cryptocurrency seizure in Canadian history and hundreds of victims around the world.

[The article really is worth taking a look at; the photos and videos really enhance the story.]

In the early morning hours of Jan. 27, 2021, two police forces descended on a snowy cul-de-sac in Gatineau, Que., each tasked with an important role in one of the largest-ever ransomware takedowns in Canada.

Members of the RCMP, led by the cybercrime unit, were executing a search warrant at a white brick house on the street, while the Gatineau police service was on hand to make an arrest on behalf of the FBI. The codename for the operation was Project Olunar.

They had reason to believe the man inside was User ID 128 — one of the most successful hackers in NetWalker, a criminal ransomware group thought to be tied to Russia.

“There was a huge urgency to proceed to apprehend him and stop him because the time was ticking and every day was a new victim,” said Const. Francois Picard-Blais, a cybercrime investigator for the RCMP.

Around the same time, thousands of kilometers away in Isperih, a town in northeastern Bulgaria, authorities were taking down a computer server.

“We knew that once we took that server down, then NetWalker ransomware would essentially cease to operate,” said Carlton Gammons, a U.S. federal prosecutor based in Tampa, Fla.

The operations were coordinated to avoid tipping off the target or other NetWalker affiliates.

Back in Canada, police had entered the home and Lieutenant Det. Denis Simard of the Gatineau police was making his move. He had been in the house before.

“Never in my career [did I think] I will be involved in the FBI case — and a big file like this,” Simard told The Fifth Estate.

Related Video: Tracking a hacker who extorted millions through ransomware attacks

Simard was there to arrest 33-year-old Sébastien Vachon-Desjardins, an IT analyst for the federal government turned ransomware hacker.

“He was alone with all those police officers, so was kind of lost,” said Simard.

Simard told Vachon-Desjardins he was executing a warrant for his arrest as part of an extradition order on behalf of the FBI.

“His expression was like someone was asking for help,” said Simard. “He was very down. And he wanted me to stay with him…. He [needed] me like a friend…. But I [couldn’t] stay with him. It’s not my case,” said Simard, who had arrested him on two other occasions.

RCMP officers had begun their search of the house, uncovering a goldmine of evidence.

The RCMP found $300,000 in cash in a shoebox under a pair of slippers in a bedroom closet, keys to safety deposit boxes with $400,000 cash inside, cellphones, computers and hard drives with enough terabytes of data to fill a hockey arena if it was printed out and security keys to crypto wallets holding a current value of $21 million US in bitcoin.

At the time, it was the largest seizure of cryptocurrency made by Canadian police, according to the RCMP.

Though already months into the investigation, that morning was only the beginning of what police would uncover, and the end of Vachon-Desjardins’s days as a hacker.

The ransomware scheme

Ransomware is a form of malicious software used by hackers to take control of a victim’s computer or network and then demand payment in exchange for decryption.

It was first seen as early as 1989 and has become the most common cyber threat Canadians face, according to the Canadian Centre for Cyber Security.

The agency estimates that worldwide ransomware attacks increased by 151 percent in the first half of 2021 when compared to the same period the year before.

“The problem with cybercrime is it doesn’t just grow a little bit…. It grows exponentially. It’s a huge business,” said Insp. Lina Dabit, head of the RCMP’s cyber crime investigative team in Ontario.

The NetWalker ransomware group became highly active during the COVID-19 pandemic, targeting hundreds of victims, including schools, municipalities, healthcare institutions, and businesses.

Related Article: (But a different Canadian Hacker!)Russian LockBit ransomware operator arrested in Canada(October 2022)

But it first landed on the FBI’s radar in September 2019 when a company in Tampa, Fla., was attacked. That’s when Carlton Gammons, assistant attorney for the U.S. Department of Justice in Tampa, became the lead prosecutor on the NetWalker file.

“This is the biggest ransomware investigation that I’ve worked on in my career,” said Gammons.

According to investigators in Canada and the United States, NetWalker, previously called “Mailto,” was created by a Russian-speaking group of hackers.

At the time, there were other types of ransomware syndicates, but NetWalker stood out for its ransomware-as-a-service model.

Its developers created the malware and affiliates were recruited to use it to attack victims and demand ransoms paid in cryptocurrency.

If victims didn’t pay, affiliates would often post sensitive data, such as financial records and client information, on the NetWalker blog located on the dark web. It’s known as double extortion.

“If the ransom was paid, the two would split. Generally, between 70 to 80 percent would stay with the affiliate and the other portion go back to the developer,” said Michael McPherson, a former special agent in charge of the FBI’s Tampa field office.

NetWalker was only active for about a year and a half, but according to Gammons, in that time, victims paid about 5,058 bitcoin in ransom — the equivalent of about $40 million US at that time.

“During the course of the investigation, we found just a very, very high number of [victims],” said Gammons. “There were about 400 victims located across the world in 30 different countries.”

An ad in Cyrillic letters recruiting affiliates to NetWalker was posted by the group’s spokesperson on a hacker forum back in March 2020. It said it was looking for highly skilled applicants who had experience with other ransomware variants.

According to Gammons, Vachon-Desjardins became active with NetWalker a month earlier, in February. But he first appeared on the FBI’s radar in late spring of 2020.

Identifying user ID 128

In May 2020, a telecommunications company in Florida reported to the FBI in Tampa it was attacked by NetWalker ransomware.

Later that month, an educational institution in California and a transportation logistics company headquartered in France were also attacked.

FBI investigators determined that the companies’ virtual private networks (VPN) — their connections from a remote device to a computer network — had been accessed by an unauthorized IP address they traced to a server in Poland.

Then on June 1, 2020, NetWalker hit the University of California San Francisco’s school of medicine, a research facility working to develop a COVID-19 vaccine. Suddenly part of its systems was paralyzed.

The hackers demanded $3 million in bitcoin. A conversation between a negotiator working on behalf of the university and NetWalker shows how hackers pressured their victims.

Related Article: Russian-Canadian National Arrested in Ransomware Conspiracy(Update on the previous related article)

“Our investigation later revealed that [the university] paid approximately a $1.14 million ransom to regain access to their data,” said Gammons.

It was through this attack that the FBI identified email addresses connected to a second server in Poland.

In September, the FBI received what they had been waiting for from Polish authorities — copies of the two servers that contained a large amount of evidence, including a number of email addresses that would lead them closer to a suspect.

FBI investigators also received the contents of a server located in Bulgaria that they linked to NetWalker around the same time. On it they found detailed information about affiliates — including their user IDs.

User ID 128 appeared to be the most profitable and ranked second in the number of attacks it “built,” according to a statement of facts produced by the FBI.

Evidence on the server indicated the user was responsible for the attacks on the victims in Florida, California and headquartered in France.

So, who was User ID 128?

FBI identified a number of email addresses, including one that they tied back to the two Poland servers.

From there, they connected the account holder to an address in Gatineau.

But they needed to confirm User ID 128 was a real person, so in August 2020, the FBI notified the RCMP about their investigation. They provided a swath of information, including IP addresses connected to Bell Canada.

RCMP began to run surveillance on that house in Gatineau and in December, confirmed the user of those IP addresses was 33-year-old Sébastien Vachon-Desjardins, a federal government IT worker for Public Services and Procurement Canada.

“We didn’t anticipate that at all … hackers, you know, the image you have is a teenager in his parents’ basement. But, no, it was totally the opposite,” said Picard-Blais.

In conversations the RCMP documented, Vachon-Desjardins mentioned going to Russia, including one with NetWalker’s alleged spokesperson who used the moniker “Bugatti” over the platform Jabber in November 2020 and one with his girlfriend over Messenger in December.

“We were worried that with his background and a large amount of money that was yet unaccounted for, he would flee the country and that we wouldn’t be able to apprehend him,” said Gammons.

U.S. authorities believed they had enough evidence to pursue an indictment and extradition, according to Gammons, but they didn’t have the local jurisdiction to make the arrest, so Gatineau police were called in for help.

Arrested before — on drug charges

Simard had arrested Vachon-Desjardins twice before, the first time in 2015.

Simard was working in the drug section of the Gatineau police force when he got a tip about bags and boxes being moved in and out of the house where Vachon-Desjardins lived.

Vachon-Desjardins was known in Quebec’s criminal community as “gâteau” because he shared the same surname as the maker of the popular Jos Louis cakes.

Simard and his team found drugs with a street value of $500,000 in an upstairs bedroom.

“Speed, marijuana, hashish … it was a lot of drugs. So, it was a stash,” said Simard.

As part of his surveillance, Simard followed Vachon-Desjardins to work and was shocked to learn he was a computer technician for the federal government at the National Research Council of Canada in Ottawa.

Vachon-Desjardins was arrested in March 2015 on four counts of drug trafficking and was given a 3 1/2-year prison sentence.

When he got out of prison, still under conditional release, Public Services and Procurement Canada (PSPC) hired him in October 2016.

When asked, the department of the federal government responsible for employee payroll and purchasing, would not say whether it ran a background check on Vachon-Desjardins before hiring him.

Three years went by, and then Simard got a tip that Vachon-Desjardins was allegedly trafficking drugs again.

This time, Vachon-Desjardins was transporting drugs throughout Quebec. Simard arrested him a second time.

“He told me … he was having an addiction to money. He always wanted more and more and more. He [didn’t] know where to stop,” said Simard.

Vachon-Desjardins was released from custody, and it would be months before he would be officially charged with trafficking meth, cocaine, MDMA, and marijuana.

It was around this time, in February 2020 while working from home and awaiting drug charges, that the FBI believed he first became active with NetWalker.

The confession video

In January 2021, following his third arrest by Simard, this time on behalf of the FBI for alleged ransomware crimes in the United States, Vachon-Desjardins was taken to the Hull detention facility in Gatineau to await extradition.

He applied for bail in May. In his application, he said he was still employed by the federal government, but that his security clearance had been suspended pending an investigation by PSPC.

PSPC told The Fifth Estate in an email that “as of Jan. 13, 2021, Mr. Vachon-Desjardins was no longer a PSPC employee,” but would not confirm whether Vachon-Desjardins quit or was fired, citing privacy reasons.

It also said it “took swift action to safeguard PSPC’s employees, information and assets” once PSPC was made aware of “adverse” information, and following an internal investigation, it found no evidence of a security breach or compromise to government information or assets.

Before Vachon-Desjardins could be extradited, his pending drug charges and the RCMP’s ransomware case in Canada needed to be resolved.

“Once we had his actual devices, we were able to get a far more clear picture of what he was doing. We were able to see, sort of with more clarity, the number of victims that he was victimizing,” said Gammons.

The RCMP discovered some of those victims included Canadian educational institutions and businesses.

Related Article: Ex-Canadian Government Employee Pleads Guilty Over NetWalker Ransomware Attacks

Investigators reached out to some victims they had identified, including Amacon, a real estate development firm in Vancouver that had been attacked in August 2020.

“We had kept good logs and we were able to provide them IP addresses and timestamps, access logs, scope, and we were able to tie all of that together, working together with the RCMP to try to help put together a charge,” said Arthur Keech, the firm’s IT manager.

Amacon didn’t pay the $10,000 ransom.

“I have a very strong position that you should never communicate or sort of consider any ransom with these individuals,” said Keech

But six Canadian victims did give in to demands that allegedly came from Vachon-Desjardins, paying ransoms totaling $1.6 million, according to the agreed statement of facts filed in Ontario provincial court. Still, RCMP said few were keen to talk to them.

“It was very hard to get the story, to get the information from them, because they were trying to protect their reputation,” said Picard-Blais.

“Most of the victims feel ashamed to come out in public or report it to the police.”

Picard-Blais and his colleagues continued their investigation throughout 2021.

Then came a huge turning point in the investigation — the RCMP got a call from Vachon-Desjardins’s lawyer. He wanted to cooperate with police.

“We had lots of evidence against him. And at that point, he probably felt stuck and that it was in his best interest to cooperate with us,” said Picard-Blais.

Over two days in November 2021, Vachon-Desjardins gave a statement to the RCMP detailing his criminal activities involving Canadian victims.

“I could feel that he was very proud of his work,” said Picard-Blais.

Vachon-Desjardins confirmed that between May 2020 and January 2021, he targeted at least 17 Canadian victims, including a school in Quebec called Cégep de St. Félicien, the College of Nurses of Ontario, the town of Montmagny, Que., and his own former college, La Cité, in Ottawa.

The Fifth Estate/Enquête obtained part of Vachon-Desjardins’s confession video, recorded at the Hull detention facility, from the RCMP.

“Then we’re targeting the Canadian victims. We had like more than 15 to 20,000 networks of VPN access … which was all the credentials, name and passwords,” Vachon-Desjardins told police.

“And we were going from there, one by one. We were starting to think: ‘Is this network worth it? Are we [going] to the next one?’”

Weeks before his arrest, Vachon-Desjardins had transferred millions of dollars out of his bitcoin wallet. During his confession, he said it was to help fund a bigger and better version of NetWalker ransomware.

The End for Vachon-Desjardins

In January 2022, after he pleaded guilty to drug trafficking charges in Quebec provincial court, for which he received a 4½ year sentence, Vachon-Desjardins was sentenced in Ontario provincial court to seven years in prison for his ransomware-related offenses in Canada.

But it wasn’t over yet. A few months later, he was extradited to face four counts in the U.S. including conspiracy to commit wire fraud, conspiracy to commit computer fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Mark O’Brien, a criminal defense lawyer in Tampa, was retained by Vachon-Desjardins. He remembers their first conversation.

“Sébastien said, ‘Mark, I did wrong. I want to accept responsibility for doing that wrong… I want to tell the judge that I committed this crime and that I’m sorry,” said O’Brien.

“And that was his goal from the very beginning, which is unusual.”

In June 2022 in the U.S. district court in Tampa, Vachon-Desjardins pleaded guilty to the four charges related to ransomware attacks in the United States.

Related Article: Canadian Netwalker Ransomware Affiliate Sentenced to 20 Years in U.S. Prison

“I think Mr. Vachon Desjardins’s motivation was purely greed. I think Mr. Vachon-Desjardins wanted to make as much money as fast as he could, and he had made millions and could have stopped. But he didn’t,” said Gammons.

Four months later, wearing an orange jumpsuit with a buzzcut, Vachon-Desjardins appeared in court to learn his sentence.

O’Brien and Gammons had agreed on a joint sentencing submission of 13 to 14 years — the lower end of the sentencing guidelines.

While Vachon-Desjardins was cooperative, according to Gammons, there weren’t any factors weighing in his favour that could further downgrade his sentence.

“There was really nothing … that I know about him that kind of led you to believe that he would commit crimes of this nature,” said Gammons. “He grew up living a very normal life – [he] had two loving parents. He was gainfully employed.”

Visibly outraged by the crimes, Justice William Jung gave Vachon-Desjardins 240 months in prison — or 20 years, the highest sentence he could deliver, for what he called “the worst case” he’d ever seen. Vachon-Desjardins will serve his Canadian sentences concurrently.

Jung said he would have given Vachon-Desjardins “life” had he gone to trial and lost.

“He was disappointed but accepting,” said O’Brien of his client.

The FBI believes Vachon-Desjardins was one of 100 affiliates working with NetWalker.

“International cyber cases, especially ransomware cases, are very hard to investigate,” said Gammons.

“And I think that a lot of individuals who commit these crimes don’t think that they’ll ever stand trial in the United States. I think that the 20-year sentence was a very good deterrence piece to prevent others who might consider committing this type of conduct, that maybe they should think twice.”

Vachon-Desjardins remains in Pinellas County Jail in Clearwater, Fla., as he awaits his next hearing set for January, when restitution for his victims will be decided. He will then be assigned to a federal prison.”

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca