The cybersecurity expert and hacker claimed he created a sophisticated attack that allowed him to add unlimited funds to gift cards from major retailers — a security hole that could have resulted in huge losses for Starbucks, Kmart and Whole Foods Market.
But the story the Springfield man told federal agents and The Washington Post last summer was a hoax that he concocted to cover a pedestrian scam, according to recently unsealed court documents.
Muneeb Akhter, 23, and his twin brother Sohaib were charged in federal court in Alexandria, Va., in February with using fraudulently obtained credit card numbers to purchase more than $25,000 worth of goods, including archery equipment, flights and a computer, according to the documents.
Akhter declined to comment on the charges against him but said he did not fabricate the hack, which he said last summer he had discovered while doing research. He said he planned to market his services to companies to protect them from the hole in security.
“They didn’t find evidence of it, so they say it’s a hoax,” Akhter said. “We’ve got a defense that is going to come out.”
Akhter refused to elaborate on what that defense would be. However, he said he was open to considering a plea deal in the case. Attorneys for both brothers did not return calls for comment.
Muneeb Akhter drew the attention of the Department of Homeland Security (DHS) shortly after getting a government security clearance and starting work as a cybersecurity contractor at General Dynamics last June. Over lunch, he boasted to colleagues about the gift-card hack he created and showed them some cards, according to a search warrant filed in Fairfax County.
Akhter’s company alerted DHS, and Akhter was soon being questioned by an agent.
Akhter said in a later interview that the agent dangled an extraordinary offer: work secretly as a hacker for the government. The agent told Akhter he had to swear out a statement about how he created the hack to get the job. Akhter complied.
Akhter told the Post over the summer he was suspicious of the offer, saying he thought it might be a ruse to get information to prosecute him. It turns out his suspicions were correct.
Agents served a search warrant on the brothers’ Springfield home in July. Court documents say agents recovered audio recordings of the brothers discussing the alleged credit-card fraud from a cellphone.
In one recording, Sohaib Akhter explains to an informant that Muneeb used a program inserted on a company’s computer to obtain the credit-card numbers of customers that were later used to charge up gift cards and make purchases.
Muneeb Akhter had told the DHS agent and The Washington Post a very different story. He said he was able to trick e-commerce portals into adding money to gift cards without spending a dime using a technique that exploited an arcane Internet hack called “bit squatting.”
If true, experts said, the attack would have been the first documented instance of such a hack. Some experts expressed doubts that Akhter had accomplished what he claimed.
In one of the recordings obtained by federal agents, Sohaib Akhter said Muneeb’s story was indeed made up.
“Sohaib Akhter explained to [an informant] that the computer program that Muneeb Akhter described to DHS agents does not exist and was simply a cover for their true activity,” the agent wrote in the charging documents.
Federal agents said that the fraudulent activity continued even after federal agents conducted the search warrant on the Akhters’ home and that Sohaib knowingly purchased items with the credit information.
The charges come after the brothers showed early promise in technology. They started at George Mason University at 16, built a robot and in 2011 became the school’s youngest graduates. They received a $200,000 Defense Advanced Research Project Agency grant in 2012 to work on a computer project.
If convicted, each brother faces a maximum sentence of five years in prison. The U.S. Attorney’s Office for the Eastern District of Virginia declined to comment on the charges.