Many of the South Florida shootings that took place towards the spring of 2021 were triggered by gang wars, law enforcement officials said at the time. While gang activity is nowhere near as prevalent in South Florida as it is in South California, it’s also a well-known fact that Miami-Dade County has one of the highest gang populations in the country and the second-highest on the entire East Coast. What’s changed since then, however, is what gangs are fighting over—guns and drugs are out, and rivals are now trying to outdo each other when it comes to performing identity theft.
Reporting on the newly revealed shift, Forbes mentioned the example of Geno St. Flerose, a teenager the Miami police said was a member of the Everybody Eats street gang. When searching his home in August 2018, they discovered three notebooks full of other people’s personal information (names, dates of birth, bank account numbers and social security numbers) and a to-do list in which number seven was simply “fraud.”
Shortly after that, investigators revealed that St. Flerose was buying stolen data online, saying in one text message he was after “some of that black market shit” and was directed to the Russian site PlusCC. The young man currently faces various charges for identity fraud, murder and assault with a dangerous weapon.
Everybody Eats, along with its rival Little Haiti Vulchas, are infamous violent drug gangs. And while narcotics might not be so much of a focus anymore, the homicides are still piling up. “They’re using data stolen by Russian hackers and peddled on Russian-hosted sites like PlusCC to take control of other people’s bank accounts, sign up for benefits in someone else’s name, scam government programs like Medicare or the Covid-19 Paycheck Protection Program, buy weapons, rent cars and take vacations in luxury resorts,” Forbes wrote.
In South Florida, it’s pretty simple to draw a line from Russian cybercrime to US street gang killings and frauds. It’s become a real epidemic. “Fraud is the new dope,” said Armando Aguilar, criminal investigations chief at the Miami Police Department. “Fraud committed by gang members is a nationwide problem, but as with all things fraud, Miami is at the forefront.”
There currently isn’t any national data that breaks down exactly how much street gangs are reaping from white-collar crime, but law enforcement sources told Forbes the trend started about ten years ago and is still accelerating. The most recent figures show crimes related to identities stolen by data breaches rose to $3.3 billion in 2020 from $1.8 billion in 2019, according to the Federal Trade Commission (FTC).
As for 2021, the numbers are expected to be even higher, given the jump in COVID-19-related fraud. After the US federal government rushed in to help businesses and individuals with COVID relief money over the start of the pandemic, police noticed a jump in identity theft, fake companies being set up and huge amounts of money being transferred to the bank accounts of gang leaders.
Fast forward to 2022, and Little Haiti Vulchas, for example, is using one of the biggest sources of stolen data, a site called Blackpass. According to a search warrant application from the FBI and the Secret Service, communications between two alleged members of the crew, Jerry Vernelus and Erick Cadet Junior, discussed using Blackpass data for a ‘jwett’—slang describing an easy way to make illegal money.
Blackpass is believed to be run by Russian cybercriminals. Since its founding in 2012, it has built a reputation as one of the largest hosts of stolen banking and PayPal logins, as well as personal data like social security numbers, with each data point going for $1 to $5. The website has been gaining popularity since another allegedly Russian-run site, Slilpp, was knocked offline by a global law enforcement operation in the summer of 2021.
Compared with PlusCC, Blackpass is gigantic, Forbes noted. Over its four-year lifetime, PlusCC offered just 410,000 cards, according to Group-IB, a Singapore-based cybercrime company. Blackpass operators, on the other hand, have the largest cache of stolen usernames and passwords in the world, reaching into the billions of items, Alex Holden, chief technology officer of Hold Security, told the publication.
Though the alleged gangsters are making comparatively small sums, the Russians supplying them with stolen data are handling hundreds of millions in illegal transactions, causing huge financial damage and getting extraordinarily rich. And as you would expect from individuals on the black market, they’re pretty hard to unmask.
Meanwhile in Miami, regardless of the fact that there seems to be plenty of evidence available to prosecutors, current and former police officers explained it’s often not worth it to put gangsters in prison for fraud, largely because single frauds aren’t big enough, even if the overall cost is significant. Furthermore, neither the victims of cybercrime nor the police have the resources to track down every case. In a twisted way, law enforcement would probably have more incentive to chase down fraud if the results of the crimes were bloody.
On Tuesday 11 January, 19-year-old David Colombo, a self-described “information technology security specialist and hacker,” wrote on Twitter that he had found flaws in a piece of third-party software used by a relatively small number of owners of Tesla cars, meaning that hackers could remotely control some of the vehicles’ functions.
According to Colombo, the flaws gave him the ability to unlock doors and windows, start the cars without keys and even disable their security systems. He also claimed that he could see if a driver is present in the car, turn on the vehicles’ stereo sound systems and flash their headlights.
In other words, hacking into the third-party software in question offered him the chance to control pretty much what he wants in most Tesla cars. Considering the fact that a Massachusetts Institute of Technology (MIT) study confirmed that Tesla’s autopilot is unsafe back in September 2021, this potential addition to the infamous cars’ list of dangers came as yet another blow to Elon Musk’s company.
In an interview with Bloomberg, Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave more details on the vulnerabilities it presents. He asked that the publication not publish specifics however, because the affected company had not published a fix at the time of writing. On Twitter, Colombo added that he could access more than 25 Teslas in at least 13 countries, which is why he decided to share this information on the social media platform when he wasn’t able to contact most of the owners directly.
‘So what’s wrong exactly?’ some of you might be wondering. According to what Colombo told Bloomberg, “the problem involves an insecure way the software stores sensitive information that’s needed to link the cars to the program.” While it truly depends on who can access such information, in the wrong hands, it could be stolen and repurposed by hackers to send malicious commands to the cars, he continued to explain. He even showed Bloomberg screenshots of a private conversation he had on Twitter with one of the affected owners, who allowed him to remotely honk his car’s horn.
Since then, Colombo has been in touch with members of Tesla’s security team as well as with the maker of the third-party software. Tesla has a “bug bounty” programme where cybersecurity researchers can report vulnerabilities in the company’s products and, if validated, receive payment.
This latest discovery goes to show some of the remaining risks of moving to the so-called ‘Internet of Things’, where everything is connected online—thus becoming potentially vulnerable to hacking threats. “Just don’t connect critical stuff to the internet,” Colombo advised. “It’s very simple. And if you have to, then make sure it is set up securely.”