Nine years ago, Timothy French began his hacking career, the feds say.
By 2011, he had the FBI’s attention.
Today, he is 22 years old.
Now federal prosecutors want to send the NullCrew hacker to prison for as many as seven years after he helped expose 12,000 Bell Canada customer usernames and passwords in June 2014. Long before that, the feds say French was involved in cyberattacks against the United Nations, NASA, NATO and others — all when he was about 17.
“His aim was to wreak havoc on his victims — breaking into their computer systems, stealing their data and dumping online sensitive personal information of thousands of individuals, all the while taunting his victims through carefully crafted press releases,” Assistant U.S. Attorney William Ridgway wrote in a memo filed in federal court this week.
But in a bid for redemption, French has offered a judge a sealed list of suggestions for institutions hoping to improve their online security. His defense attorney, Candace Jackson, filed her own memo comparing French to notorious hacker Kevin Mitnick, who served five years in prison but now works as a computer security consultant. Jackson asked U.S. District Judge Gary Feinerman to give her client no more than three years in prison.
“(French’s) writings and his actions demonstrate that he is motivated to correct the course he was on, and that he wants to develop his considerable talent for computer for good,” Jackson wrote.
Feinerman is set to sentence French on Nov. 1. The hearing will follow the indictment last week in Chicago of two teenage members of the hacker group known as “Lizard Squad.”
The feds say French’s hacks caused more than $792,000 in damage, but “much of the damage the defendant wrought cannot even be quantified. Businesses, non-profits and universities suffered reputational damage when their private data was released and widely reported in the press.”
French admitted last December he launched a NullCrew cyberattack through a Naperville computer server and participated in six additional attacks on businesses, universities and governments. NullCrew tried to publicly embarrass its targets — which also included the University of Virginia and the Science & Technology Center in Ukraine — by boasting about its successes on Twitter.
French used the online handles “Orbit,” “@Orbit_g1rl,” “crysis,” “rootcrysis” and “c0rps3.” In April 2014, the feds say he contacted a freelance journalist and stated, “Hope you’re ready for over a gb [Gigabyte] of data on 4/20 from 8-10 different high profiled targets.” The journalist responded that he was “clearing” his schedule.
Jackson said French, of Tennessee, grew up in a small town and had few opportunities. He took his first airplane ride when U.S. Marshals hauled him to Chicago to answer to criminal charges filed against him in 2014.
But the feds say the FBI first visited French’s home in December 2011, when French was 17. They did so because of French’s alleged exploits with the hacker groups Net-Bashers and Team Poison, which carried out cyberattacks against the UN, NASA and NATO in 2011 and 2012, records show. French allegedly told the FBI he had already been involved in the hacking community for four years at that point — and he admitted hacking a foreign government’s computer servers.
“In December of 2011, rather than being led away in handcuffs, the defendant was offered a second chance at leading a law-abiding life,” Ridgway wrote. “Despite having been cut a break, and rather than heed the FBI’s warning, the defendant upped the ante, proceeding on a far more destructive course and demonstrating a complete disregard for the law. Leniency after (French) engaged in such prodigious hacking would not serve as just punishment.”