A hacker arrested in Malaysia last year pleaded guilty Wednesday to stealing the personal data of U.S. service members and passing it to the Islamic State terrorist group.
Ardit Ferizi used the Twitter handle “Th3Dir3ctorY” last June when he hacked into a server used by a U.S. online retail company and obtained the data of about 100,000 people.
Later in the summer, he sent the names, email addresses, passwords and locations of about 1,351 federal employees and military members to the Islamic State as part of a collective of hackers from his home country of Kosovo.
The case is a milestone — the first brought by federal prosecutors for both computer hacking and material support to terrorism. It comes as the Islamic State is becoming increasingly effective at inspiring and inciting attacks by lone wolves in the West. The group is using social-media platforms to call on sympathizers to take Sunday’s massacre in Orlando as an example and kill “disbelievers.”
Ferizi, a 21-year-old citizen of Kosovo who was living in Kuala Lumpur, offered little explanation for his actions.
“I don’t know myself why I did this,” he said in court. “I still ask myself why I committed this crime.”
Ferizi said he found his way into the retail company’s server simply while “surfing the Internet.”
He passed on the personal military information he uncovered to Junaid Hussain, a British citizen and key figure within the Islamic State. Last August, Hussain, who was both a hacker and a recruiter, posted links to the personal information on Twitter with a warning that Islamic State “soldiers . . . will strike at your necks in your own lands!”
Later that month, Hussain, who went by the nom de guerre Abu Hussain al-Britani, was killed in a U.S. drone strike in Syria.
Ferizi’s case represents a troubling convergence of terrorism and cyberattacks. “We’re going to see more and more of these blended threats,” Assistant Attorney General John Carlin said in an interview, where people carry out actions or attacks for criminal purposes and for terrorist groups.
In Ferizi’s case, the hacked company, located in Phoenix, cooperated with law enforcement, Carlin said. But many companies that are hacked think they can handle the intrusion on their own and may not realize that they are dealing with criminals who might be linked to a terrorist group. He called on firms to report what to them might seem to be a relatively small hack in the event that it turns out to be something else.
“Terrorist groups are saying that they want to use cyberattacks and are looking to acquire greater capability to use them,” he said. “We’re definitely seeing signs of that” — both by recruiting people with cyber skills and inspiring hackers to carry out attacks on their own.
The case is also unusual because U.S. officials brought Ferizi from Malaysia to Virginia for prosecution. Ferizi was detained last year on a U.S. provisional arrest warrant and was transferred to the United States in January.
Ferizi faces up to 25 years in prison. He has agreed to be deported to Kosovo after serving his prison sentence and will not be allowed to return.
“No matter how a person supports a terrorist group like ISIL, whether on the battlefield or in the cyber world, the FBI will identify, disrupt and bring them to justice for placing lives at risk,” said Paul M. Abbate of the FBI’s Washington Field Office, using an acronym for the Islamic State.