Zandvoort, Netherlands – In a landmark verdict, a 21-year-old Dutch cybersecurity professional, Pepijn Van der Stap, has been sentenced to four years in prison for his involvement in a wide-ranging cybercrime spree that targeted numerous companies in the Netherlands and abroad. The charges against Van der Stap include hacking into victims’ computers, extortion, and the laundering of over 2.5 million euros in cryptocurrency.
The sentence, handed down by the court, consists of four years of imprisonment, one year of which is conditional, along with a three-year probationary period. This judgment comes after an exhaustive investigation conducted by the Dutch Public Prosecution Service, which had initially sought a six-year prison term for the defendant.
Van der Stap, along with his associates, masterminded a series of cybercrimes that took place between August 2020 and January 2023, affecting both domestic and international companies and institutions. The modus operandi of this criminal group involved blackmail, with the threat of exposing stolen data online unless a substantial ransom was paid. In addition, Van der Stap infiltrated various networks, pilfering sensitive information from compromised entities.
Law enforcement agents, upon searching Van der Stap’s computer, uncovered an arsenal of malicious tools and personal data stolen from millions of individuals. This data had been acquired through hacking, purchases, or exchanges with other cybercriminals, and was put up for sale on numerous hacking forums. Notably, Van der Stap also assisted other criminals by selling or trading this stolen data, causing substantial financial losses to the affected organizations.
The investigation into Van der Stap’s cybercriminal activities was initiated in March 2021, prompted by a report from a company based in Amsterdam. Notably, despite ongoing legal proceedings, not all organizations that fell victim to these cyberattacks have reported the full extent of their losses.
It is worth mentioning that, before his arrest, Pepijn Van der Stap led a double life. By day, he worked as a cybersecurity professional for Hadrian Security and volunteered at the Dutch Institute for Vulnerability Disclosure (DIVD). By night, however, he delved into the world of cybercrime, participating in forums such as RaidForums, BreachForums, Sinister[.]ly, HackForums, Leakforums, and Maza, using various aliases, including Espeon, Umbreon, Lizardom, Egoshin, Togepi, OFTF, and Rekt.
Notably, BreachForums (also known as Breached) was seized in June 2023, three months after the arrest of its owner, Conor Fitzpatrick (aka Pompompurin). Similarly, RaidForums was shut down in April 2022 after its founder and admin, Diogo Santos Coelho, was apprehended in a coordinated action involving law enforcement agencies from multiple countries. Both forums were renowned as the largest hubs for trading and selling stolen databases before their seizures.
In an interview with DataBreaches.net, Van der Stap acknowledged, “The majority of my criminal hacking activities took place before I started doing lawful work. I had already started cutting back on blackhat hacking before I started working for whitehat entities. Once I began working in legitimate jobs, I started dedicating my skills to ethical purposes. For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times.”