Agents of the Cybercrime Investigation and Coordinating Center (CICC) have arrested three members of a hacker group who were tagged as responsible for illegally obtaining election-related data from the Commission on Elections (Comelec) in January this year.
CICC executive director Undersecretary Cesar Mancao said the three arrested hackers are members of the XSOS group, which allegedly steals data from the government and private companies and sells it for hefty prices.
In the case of the compromised data from the Comelec, which was reported by the Manila Bulletin in January, Mancao said the group was selling the information they stole for P60 million.
He identified the arrested suspects as Joel Ilagan, alias Borger; Adrian Martinez, alias Admin X; and, Jeffrey Limpiado who uses the aliases Brake, Vanguard, Universal and LRR. They were arrested on Saturday, April 23.
The three have already been slapped with cases for violations of the Cybercrime Prevention Act of 2012, especially in connection with system interference, illegal access and attempt to commit cybercrime.
“They threatened the Smartmatic and Comelec that if they would be ignored, they would release 60 gigabyte data of the Comelec. They had been insisting in the dark web that they could manipulate the result of the elections,” said Mancao in a press briefing at the CICC office in Quezon City on Tuesday, April 26.
The Manila Bulletin broke the story of the group's threat after it became a topic in the dark web. Mancao said it is in the dark web where cyber-related illegal activities are discussed, shared and sold.
Before the Manila Bulletin story was published, the Comelec was informed of it and was asked for its reaction to the possible breach of confidential data from the poll body. But this was not immediately acted upon by the group and later, Comelec officials denied the hacking incident.
How they were traced
Mancao said that as soon as the CICC learned of the incident, they immediately formed a team to run after those responsible.
“They were contacted by our IT operatives and in fact, three meetings were held with them. The suspects were not aware that they were dealing with our operatives,” said Mancao.
He said the group was asking P60 million but initially asked P10 million as down payment.
He said the first meeting was held in a casino hotel in Pasay, and later in a hotel in Makati. The third meeting was in Laguna.
“Since they were already identified, we kept on negotiating with them because our goal is to identify the people who are possibly handling them,” said Mancao.
He said during that time, they were dealing with the 31-year-old Limpiado, whom the CICC identified as the leader of the group. It was Limpiado, a former businessman, who asked for the P60 million.
Deep, dark connection
Mancao said the group is connected to Ricardo Argana, an employee of Smartmatic who has already gone into hiding.
It was Argana who reportedly downloaded files from Smartmatic at its Laguna office and later shared the stolen data with the group of Limpiado.
According to Mancao, the group of Limpiado was also responsible for several cases of hacking in the past.
Among them were the hacking of the National Power Corporation website, hacking of ATM and credit cards and ransomware attacks against local companies.
But Mancao said those arrested have admitted that it is difficult to hack the Smartmatic and the Comelec.
“They admitted that they got access at the Smartmatic but they later said that they actually obtained the data from Argana,” said Mancao.
“So they admitted that they are more on scams (that they could manipulate the result of the elections by hacking),” he added.
The modus, according to Mancao, is to negotiate with some politicians who are willing to pay to ensure victory in the May 9 elections.
With the arrest of the three suspects, Mancao assured anew that the May 9 polls will not be tainted with hacking-related cheating.
“With these arrests, we can assure the public that the threat to rig our electoral process through hacking is substantially diminished as these are the only remaining known hackers who are persistently visible on the dark web claiming that they could manipulate the elections,” said Mancao in a statement.
“Nevertheless, we will continue to monitor and closely watch any other similar illegal activities online, especially with respect to the coming elections,” he added.