Head of TAD Group: I am taking down the government
Telegram chats unveil cyberterrorism schemes set up by the company
Europost
Nearly a year before the 20-year-old Kristian Boykov stole the details of five million Bulgarian citizens from the information system of the National Revenue Agency (NRA), his employer TAD Group was already involved in cyberterrorism, data published on the website of the Specialised Prosecutor’s Office of Appeals reveals.
On Thursday, this evidence material was presented during an open hearing before three appellate judges, who changed the restrictive measure imposed on the owner of TAD Group Ivan Todorov from BGN 100,000 bail to custody.
The evidence in question is divided into four files – two of those contain excerpts from messages that Ivan Todorov, Kristian Boykov and the third defendant in the case, Georgi Yankov, exchanged with each other, as well as with other people, via the Telegram application.
The third file contains the witness testimony of a former TAD Group employee, who revealed details about the scheme through which the company operated – initially, data was illegally downloaded from the servers through a cyberattack, then the company extended an offer to the affected parties to provide protection against unauthorised access. Among the victims of this cyberterrorism scheme are insurance companies and brokers, media outlets, public and banking institutions, etc.
The fourth file contains information provided by representatives of the extorted companies, who confirm that they did not have business relations with TAD Group. Representatives of four companies – three insurers and a media outlet – told the investigators that they did not have contracts with Todorov’s company and that his company, therefore, should not have had access to their databases.
The communication over Telegram shows that Kristian Boykov, who used the application under the nickname John Doe, boasted about “striking” an insurance broker in November 2018 and not being willing to turn the stolen information over for less than 20,000 (the currency is not made clear), as it was 24 GB of data.
The entire time, TAD Group owner Ivan Todorov was aware of the criminal activities undertaken by his employees against companies that had to be “attracted” as clients. In relation to one such security breach, Todorov wrote in Telegram: “We are pushing them for tests, if not – let them hang in the news.” In another exchange of text messages, after he was informed of a data theft, Todorov wrote: “Let’s encrypt everything. They will be reconsidering cybersecurity in two days. I will not even ask them.”
The files, in which personal details are redacted, reveal that the same mode of operation was followed in the cyberattack against the NRA – the stolen data was first sent to the website Bivol and then to the weekly Capital and bTV. The TV network has been the preferred media platform for the TAD Group owner and his attorneys to appear on for the past month. Boykov’s conversations in Telegram also reveal that he sought a way to access the NRA servers back in April.
The Prosecutor’s Office also published testimonies given by three witnesses in the case. According to their words, they were TAD Group employees and were aware of the illegal activities of the defendants. They also reveal that a former employee of Ivan Todorov alerted the investigative authorities that Kristian Boykov indeed boasted about hacking the irrigation system outside of the National Assembly. “I remember him boasting about having gained access to the system that controls the sprinklers outside of the parliament and asking us whether we would like him to turn on individual sprinklers so we can go and see if it works for ourselves,” witness I.P. said.
Evidence published by the Prosecutor’s Office (published in Bulgarian only):
The Prosecutor’s Office’s motives to declassify the evidence material:
In keeping with Article 41, Paragraph 2 of the Constitution of the Republic of Bulgaria, the Specialised Prosecutor’s Office of Appeals and the Specialised Prosecutor’s Office find that the Bulgarian citizens have the right to be informed of issues of their legal interest, as long as the information is not a state or other type of secret protected by the law and it does not violate someone else’s rights. Disclosing data and/or evidence part of pretrial proceedings is an opportunity for the public to form a well-founded opinion of the validity of prosecution on cases of great public interest. The Specialised Prosecutor’s Office and the Specialised Prosecutor’s Office of Appeals will continue to uphold the presumption of innocence principle and therefore not disclose information that would jeopardise the outcome of the case. Guided by this notion, we will continue to inform the public on issues of great public interest, while abiding by the law.
In light of what was described above and after obtaining permission by a prosecutor in line with Article 19, Paragraph 1 of the Criminal Procedure Code (the only official with the power to authorise disclosure of information part of a pretrial proceeding during said proceeding), we present part of the evidence material in pretrial proceeding № 142/2019 as listed by the Specialised Prosecutor’s Office. In order to achieve maximum correctness and avoid insinuations about efforts to influence the court, the disclosure is done after the Appellate Specialised Criminal Court has considered the evidence. The files contain redacted personal details and no facts or circumstances damaging the interests of third parties or obscene language.
Ivan Todorov's US visa revoked
Due to his alleged involvement as an instigator of the cyberattack against the NRA and other cyberterrorism actions aimed at creating unrest and panic in society, the US has revoked the visa of TAD Group's owner Ivan Todorov. According to Monitor sources, Todorov has been granted a US visa card since he was working as a representative of an American fast food chain in Eastern Europe.
The latest evidence from the investigation of the Specialised Prosecutor’s Office of Appeals, however, indicates that Ivan Todorov had asked his employee Kristian Boykov to break into a server containing the data of all 268,000 American insurance brokers and then offered the stolen information for sale in a bundle with other hacked data.