Former AWS Employee Convicted of Capital One Hack
June 20, 2022
Hacked into Amazon Web Services and stole data and computer
power to mine cryptocurrency
A 36-year-old former Seattle tech worker was convicted in U.S.
District Court in Seattle of seven federal crimes connected to
her scheme to hack into cloud computer data storage accounts and
steal data and computer power for her own benefit, announced
U.S. Attorney Nick Brown. Paige A. Thompson, a/k/a ‘erratic,’ was
arrested in July 2019, after Capital One alerted the FBI to
Thompson’s hacking activity. The jury deliberated for ten hours
following the seven-day jury trial. Thompson is scheduled for
sentencing by U.S. District Judge Robert S. Lasnik on September
15, 2022.
“Ms. Thompson used her hacking skills to steal the personal
information of more than 100 million people, and hijacked
computer servers to mine cryptocurrency,” said U.S. Attorney
Nick Brown. “Far from being an ethical hacker trying to help
companies with their computer security, she exploited mistakes
to steal valuable data and sought to enrich herself.”
Thompson was found guilty of wire fraud, five counts of
unauthorized access to a protected computer and damaging a
protected computer. The jury found her not guilty of access
device fraud and aggravated identity theft.
Using Thompson’s own words in texts and online chats,
prosecutors showed how Thompson used a tool she built to scan
Amazon Web Services accounts to look for misconfigured accounts.
She then used those misconfigured accounts to hack in and
download the data of more than 30 entities, including Capital
One bank. With some of her illegal access, she planted
cryptocurrency mining software on new servers with the income
from the mining going to her online wallet. Thompson spent
hundreds of hours advancing her scheme, and bragged about her
illegal conduct to others via text or online forums.
“She wanted data, she wanted money, and she wanted to brag,”
Assistant United States Attorney Andrew Friedman said in closing
arguments.
The intrusion into Capital One accounts impacted more than 100
million U.S. customers. The company was fined $80 million and
settled customer lawsuits for $190 million.
Wire fraud is punishable by up to 20 years in prison. Illegally
accessing a protected computer and damaging a protected computer
are punishable by up to five years in prison. The ultimate
sentence is up to Judge Lasnik, who will consider the sentencing
guidelines and other statutory factors.
The case was investigated by the FBI Seattle Cyber Task Force.
The case is being prosecuted by Assistant United States
Attorneys Andrew Friedman, Jessica Manca, Tania Culbertson, and
Steven Masada.