Capital One Hacker Paige Thompson Sentenced to Time Served
Thompson Will Be Under Probation for 5 Years and Her Computer Use Will Be Monitored
Convicted Capital One hacker Paige Thompson received a sentence of time served and five years of probation following her June conviction in U.S. federal courts for five felonies and two misdemeanors.
A jury found Thompson, 36, guilty of wire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer.
Judge Robert S. Lasnik ordered Thompson to perform 50 hours of community service each year during probation, be subject to location monitoring for three years and to restrict herself to her home except as needed for employment and other specific exemptions such as medical care. Her use of computers and the internet will be subject to federal monitoring.*
Federal prosecutors asked for seven years, time they said took into account the relatively limited impact of her hacking and her mental health circumstances. Still, "Thompson was one bad day away from sharing the data she stole," prosecutors wrote the judge ahead of sentencing. Thompson asked for time served - she spent approximately 100 days in jail - and three years of supervised release, pointing to her cooperation with investigators, mental conditions and transgender status. Her "physical appearance as a transgender woman would likely make her a target for physical, sexual and verbal victimization in prison," defense attorneys said.
"We are very disappointed with the court's sentencing decision. This is not what justice looks like," said U.S. Attorney Nick Brown in a statement.
"This is exactly what justice looks like," said Thompson defense attorney Colin Fieman, in an email to Information Security Media Group. "The case was overcharged and misunderstood by the government from the outset," he added.**
Thompson, a one-time coder for Amazon Web Services, in March 2019 began scanning IP addresses hosted by AWS for misconfigured web application firewalls.
Among the approximately 30 AWS accounts Thompson accessed, one belonged to credit card giant Capital One. Thompson downloaded identifying information of about 100 million individuals, which led to the Virginia-based bank paying an $80 million fine to regulators and settling a proposed class action lawsuit for $190 million (see: Capital One Moves Past 2019 Hacking Incident). There is no evidence that Thompson published the stolen data, although at one point she threatened to give it to a "Chinese dude who scams people for research chems on Reddit and drug forums."
Going by the online handle "erratic," Thompson used her illicit AWS access to plant Ethereum cryptocurrency-mining software, at one point boasting that she earned $5,000 a month. Thompson stored scanning and evaluation scripts in a folder named "aws_hacking_shit" and the data she exfiltrated in a folder called "aws_dumps."
During the trial, prosecutors laid out a sequence of steps that began when a custom script let her identify accounts where the firewall also acted as a reverse proxy able to access internal cloud computing resources.
That server-side request forgery vulnerability let Thompson reach the AWS instance metadata service, which exposes information such as the identity and access management (IAM) roles attached to the account's instances. An FBI computer scientist testified that Thompson stored the results of another script querying the AWS Instance Metadata Service in a number of places on her custom desktop, including in a file named megametadata.txt.
With the names of IAM roles obtained from the metadata service, Thompson was able to acquire security credentials and log onto the AWS accounts. Other organizations caught up in the hack included the Transportation Security Administration, Vodafone, Michigan State University and Digital.ai, a mobile software development company.
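As an added defensive example, not part of the original article, the Python below flags reverse-proxy requests that point at the instance metadata service, the SSRF path described in the trial testimony above. The log format and sample lines are constructed; 169.254.169.254 is the well-known link-local address the EC2 metadata service answers on.

```python
import re
from ipaddress import AddressValueError, IPv4Address, IPv4Network

# The EC2 Instance Metadata Service listens only on link-local 169.254.169.254;
# a web application firewall acting as a reverse proxy should never fetch from it.
LINK_LOCAL = IPv4Network("169.254.0.0/16")
IMDS_PATH = re.compile(r"/latest/(?:meta-data|user-data|dynamic)\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed log format (an assumption, not any vendor's real format):
#   <client_ip> "<METHOD> <url>" <upstream_host> <status>
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\S+) (\d{3})$')

# Constructed sample lines: two benign requests and two metadata probes.
SAMPLE_LOG = """\
203.0.113.7 "GET /index.html" app.internal.example 200
203.0.113.9 "GET /latest/meta-data/iam/security-credentials/" 169.254.169.254 200
198.51.100.4 "GET /api/items?id=3" app.internal.example 200
198.51.100.4 "GET /fetch?url=http://169.254.169.254/latest/meta-data/" app.internal.example 200
"""

def link_local_ips(text):
    """Return every IPv4 literal in text that falls inside 169.254.0.0/16."""
    hits = []
    for lit in IPV4_RE.findall(text):
        try:
            if IPv4Address(lit) in LINK_LOCAL:
                hits.append(lit)
        except AddressValueError:
            pass  # loose regex also matches non-addresses such as 999.1.1.1
    return hits

def classify(line):
    """Return a reason string if the request looks like an IMDS probe, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, url, upstream, _ = m.groups()
    if link_local_ips(upstream):
        return "upstream is link-local metadata address"
    if link_local_ips(url):
        return "request URL embeds link-local metadata address"
    if IMDS_PATH.search(url):
        return "request path targets IMDS endpoint"
    return None

def find_imds_requests(log_text):
    """Return (client_ip, url, reason) for every flagged line in log_text."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            client, _, url, _, _ = LINE_RE.match(line.strip()).groups()
            findings.append((client, url, reason))
    return findings
```

Requiring IMDSv2 on the instances that host such a proxy, so that credentials are only returned to callers holding a session token obtained with a PUT request, closes the plain GET path this detection looks for.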
Thompson obfuscated her IP address by using the iPredator VPN and Tor, the anonymity-promoting browser.
It wasn't a technological lapse that led to her arrest, but an unsolicited confession to an independent cybersecurity compliance consultant named Kat Valentine. Thompson had seen Valentine's tweets depicting mock-ups for a line of custom-made, hacker-themed shoes that Thompson thought about retailing as an artistic project. Thompson direct-messaged the other woman over a period of four days in June 2019, sending a link to a semiprivate GitHub repository containing 3 terabytes of data downloaded from AWS.
Unsure whether the link was legitimate, Valentine didn't click on it until July, after which she contacted Capital One with the message, "Hello there, There appears to be some leaked s3 data of yours in someone's github/gist" and a link to the repository.
The trail for law enforcement leading to Thompson was straightforward after that. The GitHub page - a text repository known as a gist - displayed Thompson's name and had a chain of links that included her resume, which listed her home address. A week after the FBI opened an investigation, agents accompanied by a SWAT team arrived at the South Seattle house where Thompson slept on a mattress on the floor in a small room inside a residence shared with housemates.
"It was pretty unprecedented to go from no case to search warrant in about four days," said FBI agent Joel Martini during the trial.
*Update Oct. 4, 2022 21:39 UTC: Updates story with sentencing document and details about probation conditions.
**Update Oct. 4, 2022 22:33 UTC: Updates the story with comments from Colin Fieman.