First case of P2P-based identity theft unfolds in Seattle

Published 10 September 2007

People have been prosecuted for using peer-to-peer networks illegally to share or obtain copyrighted music, movies, and software, but this is the first prosecution of a P2P-based identity theft

Gregory Kopiloff, a 35-year old resident of Seattle, Washington, was arrested on an indictment by a federal grand jury in the Western District of Washington for mail fraud, two counts of aggravated identity theft, and accessing a protected computer without authorization to further fraud. The indictment alleges that Kopiloff used file sharing programs to invade the computers of hundreds of victims across the United States to gain access to their personal information in tax returns, credit reports, bank statements, and student financial aid applications. People have been prosecuted for using peer-to-peer, or “P2P,” networks illegally to share or obtain copyrighted music, movies, and software, but according to the Justice Department, this is the first case of criminal charges being brought against an individual who exploited P2P networks for identity theft.

According to the indictment, Kopiloff used file sharing programs such as Limewire and Soulseek to search the computers of others for federal income tax returns, student financial aid applications, and credit reports which had been stored electronically by other real people on and in their own private computers. Kopiloff would use the identity, and banking, financial, and credit information to open credit accounts over the Internet, in the names of the other real people whose identities he had stolen. He would then make fraudulent online purchases of merchandise, have it shipped to various mailboxes in the Puget Sound area, and then would sell the merchandise for about half its retail value. So far law enforcement has linked Kopiloff’s fraud to some eight victims and more then $70,000 in fraud.

The U.S. attorney’s office invited executives with Cranberry Township, Pennsylvania-based Tiversa, a computer security company, to share information on the growing threat file sharing poses to consumers. “This arrest is just the tip of the iceberg,” said Robert Boback, CEO of Tiversa. “Millions of consumers expose their sensitive information when they use P2P file sharing networks and thousands of potential criminals a day search and find this information to commit ID theft and fraud.” Tiversa monitors global file sharing networks on behalf of the world’s largest financial institutions, government agencies, and individual consumers. This monitoring showed that during a two week period, almost 56,000 requests for files involving “credit card” were issued on peer-to-peer file sharing networks monitored by Tiversa; more than 75,000 requests for specific credit card statements by brand; 50,000 requests for “tax returns”; and more than 317,000 requests for files involving “pin” and “user id.”

“Cyber crime has evolved significantly over the last several years,” said Wallace Shields, special agent in charge of the U.S. Secret Service Seattle field office. “Cooperation between law enforcement has allowed us to focus our resources and respond quickly to uncover and prevent criminal activity such as this type of financial fraud.”

Kopiloff also obtained some sensitive information the old-fashioned way, from associates who would steal mail or go “Dumpster diving” for discarded financial records, the indictment said, adding that he would open credit accounts and then go shopping online, having items such as an iPod, earphones, and a hard drive shipped to a UPS store, hotels, or post office boxes in Western Washington.