Hacker Higinio O Ochoa III revealed more than he intended when he posted photos from his iPhone onto Twitter. The images show the bikini-clad breasts of Ochoa’s Australian girlfriend and the provocative message: “PwNd by w0rmer & CabinCr3w <3 u BiTcH’s!“. But after her boobs fell into the waiting hands of FBI’s Cyber Squad agent Scott Jensen, Ochoa was arrested.
Ochoa was so busy gloating over his conquests that he made a b00b worthy of a ‘n00b’. The photos he posted contained geo-coded data that pointed the sp00ks directly at him!
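The geo-coded data mentioned above lives in the GPS directory of a JPEG's Exif block. As an added example (not part of the original article or the complaint), here is a pre-publication check that reports whether an image still carries GPS coordinates. The function names are illustrative, and the sample image and its coordinates are constructed in code.

```python
import struct

def exif_tiff(jpeg):
    """Return the TIFF block from the JPEG's APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[i + 2:i + 4])[0]  # counts its own 2 bytes
        body = jpeg[i + 4:i + 2 + size]
        if jpeg[i + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        i += 2 + size
    return None

def read_ifd(tiff, e, off):
    """Map tag -> raw 4-byte value/offset field for one TIFF directory."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {t: v for t, _, _, v in
            (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * k) for k in range(n))}

def gps_position(jpeg):
    """Return (lat, lon) in decimal degrees if a GPS IFD is present, else None."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
    ifd0 = read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
    # 0x8825 = GPSInfo pointer in IFD0; GPS tags 1-4 = lat ref, lat, lon ref, lon
    gps = read_ifd(tiff, e, struct.unpack(e + "I", ifd0[0x8825])[0]) if 0x8825 in ifd0 else {}
    if not gps.keys() >= {1, 2, 3, 4}:
        return None
    def degrees(ref, val):                          # three RATIONALs: deg, min, sec
        d, dd, m, md, s, sd = struct.unpack_from(
            e + "6I", tiff, struct.unpack(e + "I", gps[val])[0])
        x = d / dd + m / md / 60 + s / sd / 3600
        return -x if gps[ref][:1] in (b"S", b"W") else x
    return degrees(1, 2), degrees(3, 4)

def sample_jpeg():
    """Constructed image: SOI + Exif APP1 (GPS set to 25.5 S, 134.0 E) + EOI, no pixels."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    p32 = lambda n: struct.pack("<I", n)
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, p32(26)) + p32(0)
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"S\0\0\0") + ent(2, 5, 3, p32(80))
           + ent(3, 2, 2, b"E\0\0\0") + ent(4, 5, 3, p32(104)) + p32(0))
    dms = struct.pack("<12I", 25, 1, 30, 1, 0, 1, 134, 1, 0, 1, 0, 1)
    app1 = b"Exif\x00\x00II*\x00" + p32(8) + ifd0 + gps + dms
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A return value other than `None` means the file should have its metadata stripped before it is posted anywhere public.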
What did he do?
The Criminal Complaint report filed on 15th March, 2012 contains the details of a number of hacking allegations against Ochoa.
5th Feb: Hack #1 – West Virginia Chiefs of Police Website
Ochoa got hold of the entire database containing usernames, passwords and contact details for around 150 Law Enforcement officers in the state of West Virginia. This information was then released on the internet.
Two officials received harassing and threatening phone calls shortly after the information was released.
An article in the Charleston, WV Gazette discusses the hacking of the West Virginia Chiefs of Police website. CabinCr3w is a group of hackers who work together and plan their attacks together under the banner of Anonymous. Anonymous is a loosely affiliated group of hacktivists.
9th Feb: Hack #2 – National Crime Information Center Database
Feb 9th: Hack #3 – Mobile Alabama Police Department Servers
The last link referred to above is still live and includes the following statement from CabinCrew:
Full Legal Names
Social Security Numbers
License Plate Numbers
Date of Births
Feb 9th: Hack #4 – Texas Department of Safety
The Page also contains another YouTube video [WARNING: EXPLICIT LANGUAGE]:
Feb 10th: “My Baby SETS Standards”
This tweet contains links to the following pictures:
These pictures also reference w0rmer and @Anonw0rmer along with CabinCr3w. The links in the post show images of a female in various states of undress holding various signs. One of the pictures is the same as the Alabama DPS picture with the EXIF data that shows it was taken in Australia.
Feb 20th: Hack #5 – Houston County Database
Twitter user @Anonw0rmer posted, “DEFACE: http://www.houstoncounty.org By @Anonw0rmer <3 @CabinCr3w #CabinCr3w”.
Twitter user @Anonw0rmer posted, “http://www.houstoncounty.org/ TANGO:DOWN I What no admin accounts to fix deface IT team ? weak!”.
Twitter user @Anonw0rmer posted, “@RadnusJ yer, i pwnd all of houston countys datebase haaha”.
Twitter user @Anonw0rmer posted, “memoryne roil they had to take it offline because i deleted all the admin accounts.. .but mine haaha”.
On February 20, 2012 Houston County in Alabama experienced a website defacement. In addition, the attacker created fake events on the county's online calendar, posted images representing Anonymous and CabinCr3w, and deleted all the administrator accounts except the one created by the attacker. All of this was accomplished by gaining unauthorized administrator access to the site’s control panel. The county was forced to take its website down and rebuild it from backups, since it had no way to gain access to the site to fix the issues that the hacker created.
The Evidence Mounts
1. On February 12, 2012 at 4:54 AM, Twitter user @Anonw0rmer posted, “pWND! Me & @s3rverexe Playing with bots ! This is what happens when you kill the wrong process LULZ ! mg5 80.imageshack.us/img5 80/6416/ca…”. This picture shows a screenshot of a computer desktop. On the desktop are a number of open, running programs with an error message in front of them. There is a window showing Skype running with a username of anonwOrmer logged in. There is another program running called KVIrc version 4. In this window, the username @higochoa is logged in.
2. An open source search for the username wOrmer revealed two posts on the website http://search.gmane.org/?author=oO+WOrMeR+Oo&sort=date. One post states, “I just signed up and am waiting to jump right in im a Visual Basic Programmer and network admin, so im ready for the challenge, cant wait. Any VB Programers please send me some info regarding the syntax to the commands for the servers” and is signed “-Higino Ochoa AkA wOrmer”.
3. A Texas Department of Motor Vehicles search brings up a Drivers License for Higinio Ochoa with the following information:
Higinio O Ochoa III
DL in TX # 24537042
6424 Central City Bl #828
Galveston, TX 77551
Date of Birth 07/23/1981
4. On Feb 5th, 2012 at 10:53 PM, Twitter account @higochoa posted, “LEAK: #OpPiggyBank West Virginia wvcop.com tinyurl.com/6tvokka By #W0rmer @CabinCr3w @ItsKahuna #Anonymous #CabinCr3w”. At this time, the Twitter account @Anonw0rmer did not exist.
On February 6, 2012 at 11:18 AM, @Anonw0rmer posted their first Twitter post. The first account login associated with the Twitter account is from the Czech Republic. This is consistent with other intrusion records showing IP addresses located in various foreign countries, which is consistent with someone trying to hide their true IP address. The second login is from IP address 220.127.116.11, which is controlled by Comcast Communications in Houston, TX.
5. On March 2, 2012 it was learned that address 6424 Central City Bl #828 Galveston, TX 77551 was no longer in use by Ochoa. Ochoa broke the lease in 2010 and left a forwarding address of 4925 Fort Crockett Blvd. #313 Galveston, TX 22551. This apartment is one floor down, and one apartment over from Erin Beltamini’s address of 4925 Ft. Crockett Boulevard, Apartment #325, Galveston TX 77551. Due to the proximity of the two addresses, it is likely that Ochoa used his neighbor’s unsecured wireless network to perform the intrusion on the Texas Department of Public Safety servers.
6. Surveillance conducted on March 3 4, 2012 revealed that Ochoa is living at 4925 Fort Crockett Blvd, #313, Galveston, TX 22551.
7. A Facebook profile was located for Higinio Ochoa and can be found at www.facebook.com/galvestonman. According to this Facebook profile, Ochoa is residing in the Galveston, TX area. On his Facebook profile it states that he is in a relationship with Kylie Gardner. Kylie Gardner’s Facebook profile, which can be found at http://www.facebook.com/kyliegardner, states that she graduated from Dungog High School which is located in Dungog, New South Wales, Australia. The EXIF data from the first picture posted on the profile shows it was taken in Australia.
This is the man himself:
8. Further open source searches revealed a LinkedIn.com profile for Higinio Ochoa listing him as the Lead Administrator for Bombshellnet.org in Houston, Texas. Bombshellnet.org is a now defunct free Linux shell service.