Archive for April, 2013

Anakata translated hearings

Tuesday, April 30th, 2013

Pasted below are the translated hearings with Anakata regarding the Logica hacking case. The hearings were transcribed by the Swedish government from audio recordings, then OCRed and translated (by me) to English.

2012 09 13
Interrogator: You are previously served on suspicion of several hacking cases, that you have prepared access to Logica’s servers.
G: Oh well…
Interrogator: What is your approach to the suspicion?
G: I deny crime.
Interrogator: This investigation, it has gone on since this spring and we have quite a lot of material that we’ve been looking at. There are clear indications in this material that show that you would be involved. Do you know of this breach of Logica?
G: No comments!
Interrogator: Do you have any special reasons to why you don’t want to comment?
G: No comments!
Interrogator: Do you know MG?
G: No comments!
Interrogator: Do you know KS?
G: No comments!
Interrogator: Does the lawyer have any questions?
Lawyer: I don’t have a question, no.
Interrogator: No. Then we finish the hearing here. Hearing finished at 13:07.

2012 10 11
Present during the hearing are lawyer Ola Salomonson (OS), interrogator Olle Wahlstrom (OW) and co-interrogator John Steenmark (JS). The suspect is Gottfrid Svartholm Warg (GSW).

OW: Yes, since our last hearing… is there anything that you have thought of that you want to… (The interrogator doesn’t finish his question before the suspect replies)
G: No comments.
OW: This breach of Logica, do you have anything to say about that?
G: No comments.
OW: And if you know MG.
G: No comments.
OW: Or… CS?
G: No comments.
OW: Does the lawyer have any questions?
OS: No.
OW: The time is 09:57 and the hearing is finished.

2013 03 08
(Deputy interrogators, Joakim Persson and John Steenmark from the County Criminal Police)

OW: I begin by asking, this apartment where you lived when you were arrested, how long had you lived there?
G: No comments.
OW: When you were in Cambodia did you have any job there or were you running any businesses?
G: Answer yes.
OW: Can you describe further what you worked with?
G: Yes… I freelanced as a consultant and also for nearly two years had an outsourcing company involved in web development.
OW: What was the name of that company?
G: No comments… yes that I can actually answer, it was called Arocore and later Finesy.
OW: You consulted for someone too you said?
G: I freelanced.
OW: At any particular company?
G: Freelanced.
OW: Did you have any income?
G: Yes
OW: Around how much?
G: No comments.
OW: A company called Mysec, have you worked any for them?
G: No comments.
OW: I guess you do not comment if you got any payment from them either?
G: No comment.
OW: In your apartment, we found two computers, a desktop and a MacBook. Were you using them?
G: Not personally, no, they are servers.
JP: Both?
G: Yes, it is quite clear on the laptop, if you doubt it the keyboard was broken. I might add that I actually think Steenmark here can confirm that I always had servers at home.
OW: Yes. If we take this desktop first. What is it used for then? In addition to being a server. What have you done with it?
G: It has been used as a server.
OW: For what purpose?
G: It has been used as a server.
OW: And the MacBook then?
G: It has been used as a server.
JP: What did you have for server software for it?
GS: I have already answered that.
JP: And the answer is?
GS: Yes… ssh, PowerShell Server, Remote Desktop, etc.
JP: On the MacBook?
GS: Yes
JP: What is the OS on the MacBook?
GS: There are two OS installed OS X and Windows 7
OW: And which one have you used?
GS: Both, or well yes I, both of them, I have used at various times.
OW: How long ago was it you used Mac part?
GS: No idea
OW: In the desktop computer, there was a hard drive that was a bit loose, which had two partitions. My question is, the other partition, what did you use it for?
GS: No idea, don’t remember.
JP: Do you remember what is located on the first partition?
GS: How should I remember that? It has been quite many months or years since it was partitioned.
JP: But the data on it is not that old is it?
GS: Yeah, I say what I said previously, it stood as a server. I do not know exactly what was on it. And it’s pretty ridiculous that you have to remember specific things like how my disks are partitioned so far into the future.
OW: The second hard drive which had a Linux OS installed, where you had six partitions. What are the last two partitions there, what do they contain, do you remember that?
GS: Do not remember.
OW: If we take your MacBook then, there was the Windows and Mac. You say you have used both the OS there.
GS: Both OS have been used on the computer and I want to emphasize that it is not me personally that has been using them recently.
OW: No, but have both been used?
GS: Yes, that sounds reasonable.
OW: In Windows, there are many accounts, do you remember who has had accounts on the computer?
GS: Yeah, I know approximately who they are, but…
OW: The account “A” for example?
GS: As I said I recall who they might be and I… for fear for my own life, I don’t choose… I don’t choose who they are.
OW: Are there people who have had physical access to your computers?
GS: In a couple of cases, yes.
OW: Over what period of time then?
GS: Some accounts have been used by multiple people.
OW: Over what period of time have these people had access to the computer physically?
GS: How would I be able to remember that?
OW: I don’t know.
GS: No exactly.
OW: But is it like a day, a week, a month or a year?
GS: How would I be able to remember that? How did you think that… I don’t write a diary.
OW: Yes. You have already talked about how others could access your computers remotely.
GS: Yes.
OW: Who could do that?
GS: I refer to my previous answer.
JP: And how has it been possible to remote access them?
GS: PowerShell Server, Remote Desktop, both installed and active.
OW: What computer are you talking about?
GS: I’m assuming that we are talking about the laptop…
OW: Mm… Remote desktop…
GS: …yes and PowerShell server.
OW: How often has someone connected via Remote Desktop to it?
GS: Don’t know.
OW: Is it often?
GS: Don’t know.
OW: Do they connect via Remote Desktop?
GS: Answer yes. I’m assuming so anyway, I haven’t kept track.
OW: I looked at your log files on the Windows computer, there is not a single connection via Remote Desktop.
GS: Yes… That said, I refer to my previous answers. Remember that PowerShell server is used also.
OW: But you said the Remote Desktop as an example.
GS: I said it as an example yes.
OW: SSH you said too
GS: Yes and PowerShell Server
OW: These people then, who have accessed it. Do you want to say something about them?
GS: Answer no.
OW: Is there any reason you do not want to say…..?
GS: Yes, because I fear for my own life.
OW: These people that you are afraid of, is it people you’ve met physically, who have visited you?
GS: Yes.
JP: Why have they visited you?
GS: No comments.
OW: In Cambodia, which ISP did you have?
GS: Don’t remember.
OW: Cogetel, could that be it?
GS: Don’t remember.
OW: Do you use any VPS or cloud service?
GS: Don’t remember.
OW: Don’t remember or don’t want to say?
GS: Don’t want to say.
OW: On your Windows partition here on the Mac, you can see that your clock is reset quite frequently, manually. Why is that?
GS: Because the backup battery in the computer is broken.
OW: To clarify. What happens then?
GS: To clarify. What happens then? Well, then the clock resets.
OW: To which date?
GS: … or alternatively, alternatively displays wrong.
OW: To which date is it reset?
GS: Good question. It depends on, eh, if when the battery is like half… half… (inaudible)
OW: But most common is?
GS: If it’s entirely nulled so, no I don’t know what that is.
OW: Can it be 1st January 2001?
GS: That sounds like a reasonable epoch date. I can’t comment any more.
OW: When you… adjusted the time then, when it’s wrong… How do you usually do then? Do you set the correct date or how?
GS: I don’t remember.
OW: Do you sync against a server?
GS: Don’t remember.
OW: On your Windows partition, there is a file named t001a, 16 Gb size. Do you recognize that?
GS: Don’t remember.
OW: If we say that it’s a TrueCrypt container
GS: Don’t know.
OW: Nothing you know anything about?
GS: No
OW: Have you ever used it?
GS: I just said that I don’t know about it.
OW: You don’t know about it at all?
GS: No
OW: But it was still created already in 2010, I think it was.
GS: I just said that the time in the computer is wrong.
OW: Yes, not since 2010 I hope.
GS: Bad quality on that fucking… fucking Mac
OW: Mac?
JP: It was almost new 2010
OW: PuTTY do you use it?
GS: No comments.
OW: MG do you know him?
GS: No comments.
OW: Do not want to comment or are you scared or do not know, can you answer that?
GS: No comments.
OW: diROX…?
GS: No Comments
OW: We can see, or we know from before that you had e-mail contact with MG already in 2006.
GS: Now you don’t stick to the time…
OW: Yes, but the question is if you know him.
GS: Yes, I leave no comment on it.
OW: In your computer, there are a number of different log files, the connections you have done to Logica… or that’s in your computer against Logica systems, what were these log files from?
GS: Probably from those who used the computer. Either locally or, more likely remote.
OW: Have you seen these log files?
GS: Answer no. On which of the computers was that?
OW: It’s on the MacBook.
JP: Windows partition
OW: Yes, on your computers, there is a fairly large amount of data coming from Logica, now we’re talking two computers. How did it get there?
GS: Referring to previous answers.
JP: Which are?
GS: Referring to the previous answer.
OW: OK. I told you t001a was a TrueCrypt container, do you use the program TrueCrypt?
GS: No comment.
OW: Do you know if you autostart something with TrueCrypt?
GS: What?
OW: That it mounts anything when you start the computer?
GS: (Inaudible mumbling)
OW: I think we’ll do some questions, Joakim.
JP: Mm, exactly. As you may know MG is also served suspicion of the breach of Logica. And in his material we have found large amounts of chat logs… and now the question is: what username do you usually use on…..?
GS: Yeah, mine is pretty well known, Anakata
JP: Hmmm, do you use other one?
GS: Answer no.
JP: No?
GS: Not normally.
JP: Not normally. tLt. (Rest lost in transcription, MG chatting with tLt in logs.)
GS: I can not answer that.
JP: You can not answer that. In this chat, there’s quite a lot of evidence that a person who is called tLt would be involved in this breach of Logica. There are also indications that this person would be Gottfrid Svartholm Warg.
GS: So, I would like to point out that IRC does not have any form of registration of nicknames or something. It doesn’t require any passwords to…
JP: No.
GS: …
JP: But the nick Anakata is pretty well known.
GS: Yes
JP: Mm. For example diROX asks TiAMO where is Anakata? So he responds Cambodia, that’s correct isn’t it?
GS: That sounds reasonable.
JP: Later diROX writes, talking to tLt. tLt says he’s been very focused on z/OS. Do you know what that is?
GS: No I don’t.
JP: diROX then says that, yes, asks a bit and tLt says that maybe they should speak encrypted and invites him to SSL mIRC on planet.wideopenbsd.org. Do you know that server?
GS: No Comments
JP: That’s a lot of material. tLt writes for example this also: “hello again, are you doing? right now I’m snorting amphetamine and swear a bit over the electricity, hope it doesn’t disappear again for 18 hours.” Could it be, perhaps that power is lost in Phnom Penh?
GS: I’ve been through lengthy power outages in Sweden too, so it…
JP: 18 hours is maybe a little…
GS: Locally in smaller areas I’ve experienced 36 hour outages.
JP: He also says, among other things… tLt, that he has an SSH key that he uses to backdoor an admin account
GS: Oh well
JP: tLt also writes: so download, and then he writes again that hoho they are so fucking owned, their RACF database tank/etc/passwd. Nothing you recognize?
GS: No
JP: Do you know what a RACF is?
GS: No Comments
JP: And you did not know MG?
GS: I said that I do not comment that.
JP: If we say like this then, in your computer we found a tool called HexMvsdump. Is it something you know anything about?
GS: No Comments
JP: Anyway here diROX writes asking, I need to access the police multi question and tLt replies that, have to crack the RACF database and it’s encrypted with DES encrypted with the password key and then tLt writes, I’m changing the password for a cop. Lower down he writes later, did you crack the db. Yes, says diROX. Looked through it briefly. Have you also gotten my HexMvsdump tool? No I don’t think so, tLt sends a link to Pastebin where it is, diROX replies now so (rest lost in OCR/transcription)
GS: No comments.
JP: Another excerpt here. tLt asking if diROX wants a pair of Infotorg accounts. Approximately 70000 and diROX asks if he has any police accounts. This is nothing you know anything about either?
JP: tLt also writes, I also have complete dumps of amongst others the bailiff registry, only that is 12 Gb haha, got hold of the table of contents, it’s a little easier to find fun things then. Do you know anything about this?
GS: I… just want to comment that bailiff records are public documents.
JP: In your computer we have found the records, which are 10.6 gig. It matches pretty well with this number. Do you have any comments about that?
GS: Nope. Can you show me the notorious bailiff register, what does it contain?
JP: Yes, I didn’t bring 12 Gb printed with me and so but…
GS: You did in the Pirate Bay trial.
JP: Yes, but you know, times change, unfortunately.
OW: Before the trial, you will see the material we present, of course.
JP: diROX also says he wants their records for the tax agency, tLt asks, don’t you want some money from the bailiff too. Yes says diROX, have 1700000 SEK in debt, tLt answers, yes if you have someone to put it on then maybe we can…
JP: Do you know of others who hang in #hack.se?
GS: No comments.
JP: In conjunction with this list of protected security numbers being put on Pastebin, diROX writes that the dump was stolen over a year ago, the one with the protected. tLt answers, yes. diROX responds, it didn’t even include names. tLt writes fuck what a lot of things, and then links to some files. tLt also writes that SPAR is not in the Infotorg/Sema/Logica anymore, however, makes KFMs register REX, you saw that I stole the entire thing.
OW: This specific dump, is it something that was on Pastebin that you recognize? That we talked about, with protected
GS: I’ve seen it on pastebin, yes.
OW: Have you had part of it yourself?
GS: Like I said I’ve seen it on… and it was as said only a list of social security numbers, no secret information in itself… More accurate way of saying it is that it’s the social security numbers for people with protected identities, not security numbers that are in itself protected.
OW: No, that’s right.
GS: I would personally be very surprised if it was on the Internet connected systems over. I assume that it is not…. intrusion has occurred…
JP: diROX also writes that, do you like Cambodia by the way? Mm, says tLt. diROX, found the border between Cambodia and Thailand to be pretty shitty. tLt, yes.
GS: And here I would like to comment that there is more than one Swedish person in Cambodia.
JP: Mm
GS: Even in time of writing, time of speaking
JP: tLt also pasted into a post, including where it says, port 443 is listening waiting for the APT callback, alert advancing port 443 threatening accepted persistent TCP connection from 93.1.86.1.70.54, port number, then commenting advanced printer typewriter fashion. Do you recognize this extract?
GS: No Comments
JP: In your computer, there is a script… exact same excerpt at least three times… And then tLt writes, well look at that. diROX asks, what does this mean now? tLt responds, yes, let get up some of that root. tLt, diROX writes and then, can you access everything now? There’s more; these are just a few excerpts contained in this material. Is that enough?
OW: Yeah, the last thing here, among others…. the script we talked about, there’s a lot of log files in your encrypted container, where this script is used. Do you know of it?
GS: Answer no.
OW: On your computer, in this encrypted container there is a file called prim.gz containing Logica RACF database that we talked about in the chat.
GS: I refer to the previous answer.
JP: Should we explain to the lawyer what RACF is?
ML: Yes, please.
JP: RACF database is a user permission database that Logica has in their mainframe systems, with usernames, details of passwords, and in cases where they have Infotorg accounts, also affiliation, organizational membership, and services or yes, company names and such things.
ML: Okay, thank you.
OW: When Logica themselves went through this intrusion, went through their system, they found a number of files that were uploaded to their system. Backdoors, various program files. They came from several different IP addresses. Common to these, many of them, is that they are on your computer, inside your encrypted container.
GS: Yes, I refer to previous answers.
OW: E.g. a program called kuku, do you know that?
GS: I refer to the previous answer.
OW: During this breach then, he or they that did it. They compressed a whole lot of Logica’s material into tgz-files and then downloaded them with FTP. Even a portion of these compressed files are on your computer in…
GS: …referring to previous answers
OW: We spoke about an SSH key… in the chat, even that is in the encrypted container.
GS: Referring to my previous answer.
OW: In the computer there are also four files with usernames and passwords, it’s over 100 000. Anything you recognize?
GS: Referring to previous answers.
ML: Which computer?
OW: The MacBook. In your computer there is a file called just “out”, it includes a summary of data, raw data from the tax agency.
JP: I have it with me if you want to show it.
OW: Yes, no. This summary is about your security number, you.
GS: Partially I’m referring to previous answers and partially I also want to comment that I am somewhat famous. So there are a lot of reasons why people would look up my information… me.
OW: It’s not queries. They have withdrawn…
GS: Yes but queries… (interrupting each other)
GS: You understand what I mean…
OW: So it is not you who has done this?
GS: No
OW: There is one about Fredrik Neij too, the same.
GS: I refer to the same thing, he is famous too. Famous for having large debts, if it’s the bailiff it’s about then I would like to add that it seems likely.
JP: These are datasets… that are a little, not only at the tax agency, but several different datasets that the data is gathered from, it’s not only tax agency or bailiff data.
GS: What data is it then?
JP: Datasets that you have… that are on your computer.
GS: Yes it is good that people have decided that I am guilty already from the start. Thanks for that.
JP: I’m sorry, that’s not what I meant. I meant…
GS: …that’s exactly what you meant
JP: I just meant that your computer contains these datasets that the summary is based on.
GS: Yes queries, summary, whatever… I’m still wondering what kind of data it is.
JP: Shall we show it in that case?
OW: Yes, you can do that.
JP: Then you can see for yourself.
JP: The file… name is out.txt
GS: Yes, this is easy to understand?
OW: It’s various data about you.
GS: But where is it from? Half of it is entirely impossible to understand. Then there are some tips I can guess are cash amounts and… some obvious dates… so congratulations, somebody has done a credit check on me.
JP: If it now is a credit check…
GS: I’m guessing that it is.
JP: Considering that the dataset names are also here, D044, and the prefix D044… so it is very unlikely that it would be a credit check.
GS: Equivalent information at least.
OW: A last question about Logica here. We spoke about these social security numbers, the list with the security numbers that was on Pastebin. In your computer you have, in two places, that list.
GS: I’m referring to previous answers.
OW: There is an Excel spreadsheet called infotorgusers. It contains around 3 000 names, people and their permissions in Infotorg. The main portion of these people are police employees. Do you know of this list?
GS: Answer no
OW: Does the lawyer have any questions regarding what we have talked about now?
ML: I don’t have any questions about what we talked about now.
OW: The time is 10:40 and we finish the hearing regarding Logica.

Everything important to Sweden is hacked

Saturday, April 27th, 2013

“The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation involves Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation (Police), the Stockholm Regional Investigation Unit (Police) and the Swedish Security Service (Security Police). […] The accessed data may cause considerable damage to authorities, companies and individuals. The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities. […] The analysis of the intruded mainframe computer makes it evident that an IP-number connected to Cambodian Internet Service Providers/Hosting Services have been used for part of the criminal intrusions, including extensive copying of sensitive data from the mainframe computer.”

This writing covers the Swedish government’s legal aid request which you can read in PDF format here.

The Swedish government’s request for legal assistance again proves that the kidnapping had nothing to do with TPB. The trial conviction was a cheap flag for Interpol to wave so that the Cambodian authorities would act, unlike how they usually go “meh” over internationally wanted pedophiles and murderers hiding in the region.

On 4th October, while the prosecution spokesperson told the media that this circus was due to TPB, Cyrus Farivar wrote in an article published by Ars Technica: Femerstrand also accused the Swedish Security Service of conducting surveillance of Svartholm Warg in Cambodia, “since [at least] March 2012.” (The Swedish Security Service did not reply to our request for comment.) How did I know? They were checking me out too. They visited me in restaurants and documented what I was eating, they photographed the house that I lived in and they filmed me taking out my garbage. Spotting agents is sometimes easy, and probably much easier in Phnom Penh; they don’t blend in. They must’ve sent rookies to Cambodia, I mean we’re talking Hawaiian shirts, straw hats and sunglasses. Reading about myself in the intel on Gottfrid as “one or more Swedish hacktivist in Cambodia” confirms my previous suspicions that they did their homework about me.

Evidence in the case has been gathered from equipment seized from the suspects’ possessions, Pastebin, Ubuntu One, Passagen and IRC (primarily EFNet). Two computers seized from one of the suspects were, according to the lawsuit, encrypted and could not be analyzed by forensics personnel. A few individuals living in Sweden have been visited by Swedish Police agents, had equipment seized and were forced to sit in hearings with IT forensics staff simply for having online contact with suspects in the case. Several friends who had IRC contact with Gottfrid have noticed hacking attempts on their machines that were traced back to Swedish police agencies. It appears safe to claim that the current police tactic is to throw rocks in the water and observe which rings form.

The Swedish government’s panic request for legal assistance claims that the alleged data breaches, when added together, are historically the most dangerous ones targeting the Swedish government – ever. Interestingly enough the media hasn’t dared mention it, despite the lawsuit saying that the machines used by the attackers to hack the Swedish Nordea bank (which spent over 10 billion SEK on their secure systems) were in fact owned by the Swedish Parliamentary Administration and the Swedish National Police, which is supposedly also entirely hacked. What should be more interesting to discuss than how somebody allegedly tries to increase some integers in database row columns is how somebody allegedly gained full control of a country’s most important infrastructural parts and went unnoticed for two years.

The question regarding whether Gottfrid did or did not attempt to transfer money to his bank account is highly irrelevant. What’s actually interesting in this case is that no matter if Gottfrid is guilty or innocent, the Swedish government is right now standing bent over with their pants down saying somebody took control of their most critical systems and they didn’t even notice it for two years, despite somebody taking full copies of the data. These obviously existing security issues are not limited to Sweden. The customers of computer systems, both in the public and private sector, are all purchasing IBM products. IBM mainframes are ranked most secure in the world. Regardless of whether Gottfrid is guilty or innocent the fact remains: somebody has broken the systems on whose shoulders all society-critical elements stand: governments and banks.

The digitalization of our entire society has been proven to be broken. Is the world ready to discuss that, or do you want to continue debating the morals of stealing money on a bank mainframe? Open your eyes, the entire world just broke down and a lonesome bearded supposed drug addict is the alleged mastermind. In your face, Sweden.

Tor node gets raided

In June 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 217.13.197.5 after it had been discovered that it was used to connect to Logica mainframes. The Berlin police agency raided the address and the IP owned by Speedbone Internet & Connectivity. The server turned out to be a Tor exit node and no information could be retrieved about any users. No evidence was found during the raid and nothing was seized. The mainframe accessed stored large amounts of personal and financial data for the Swedish tax agency. Large amounts of data stored on systems used by the Prosecution Office and police authorities were also accessed and downloaded.

No evidence from Leaseweb

In September 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 46.165.196.182. The customer that rented the server could never be found since the service had been terminated a long time before the request arrived and Leaseweb did not keep customer data.

The info below is from the PDF linked at the top and not my personal words.

Detailed information of suspect (12 July 2012)

National Bureau of Investigation
Cyber Crime Unit
Richard Ahlgren

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Sex: Male
Date of birth: 17/10/1984
Nationality: Sweden

Passport
Passport number: 23810667
Date of issue: 28/01/2003
Place of issue: Stockholm, Sweden
Expiry date: 28/01/2013

Description (dated 26/05/2011)
Height: 175 cm
Eye colour: Blue
Skin colour: Fair skinned
Hair colour: Medium blonde

Links to Cambodia
In September 2011 the trials concerning The Pirate Bay started in the Svea Court of Appeal. Gottfrid Svartholm Warg was not present and it was said that he was in Phnom Penh, Cambodia. He posted a medical certificate, written in Khmer, to his attorney stating that he suffered from some kind of illness.

According to an article 2009 on the blog of the travel writer Adam Bray, Svartholm Warg had lived for a time in an apartment on top of the Cadillac Bar & Grill in Phnom Penh.

This article also said that Svartholm Warg was the owner of the company Estoy Ltd. Seychelles IBC in Phnom Penh. When he registered the company’s website he stated the phone number +855 929 607 72 (Cambodian number).

In chat logs from the IRC network Svartholm Warg posted in 2009 and 2010 that he was operating from Cambodia. For instance he wrote that he uses the border crossing at Poipet from Thailand to Cambodia.

Driving license
In the seizure from the current investigation a picture of Gottfrid Svartholm Warg’s Cambodian driving license was found. The picture is attached to this document.
Card code: A1.000034
Issue date: 21/01/2009
Address of Svartholm Warg: 4 St. 104 Wat Phnom, Daun Penh

IP information
In chat logs from the investigation Svartholm Warg has been logged on from IP-numbers pointing to Cambodia. These IP-numbers with timestamps are:

124.248.174.161 unknown time Cogetel Online
124.248.167.191 25/03/2012 20:15 (UTC 0) Cogetel Online
124.248.187.150 10/03/2012 12:42 (UTC 0) Cogetel Online
124.248.187.22 04/03/2012 16:11 (UTC 0) Cogetel Online

Other IP-numbers pointing to Cambodia in the investigation are:

203.176.141.205 10/03/2012 01:00 (UTC 0) Mekongnet
27.109.118.33 10/03/2012 19:30 (UTC 0) DTV Starnet

Credit card number
A credit card number with the name Gottfrid Svartholm was found in the investigation.
Number: 4111 3418 0000 2947
Expiry date: 12/10
Name: Gottfrid Svartholm
Issuing bank: Acleda Bank PLC, Cambodia

Intelligence information
The information about Svartholm Warg that follows is to be seen as unconfirmed intelligence information:
– he is a drug addict and a frequent user of marijuana and crystal meth
– he is in very bad shape and may have spent time in hospital recently
– he has earlier or recently rented a house in Cambodia from an unknown American citizen
– he may have contact with one or more Swedish hacktivist in Cambodia
– he (and his network) may have access to at least one Internet Service Provider in Cambodia. That ISP is Cogetel.
– he (and his network) may have access to the mail account of the Mayor of Phnom Penh

Request for assistance

Cyber Crime Unit
Richard Ahlgren

Dear colleagues,

The Swedish National Bureau of Investigation is currently involved in a Cyber Crime investigation concerning a serious computer intrusion. In this investigation we request assistance from the Cambodian Police.

Preamble
The criminal offence being investigated is a very serious case of breach of data secrecy according to the Swedish Penal Code Chapter 4, Section 9c. The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation is handled by several Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation, the Stockholm Regional Investigation Unit and the Swedish Security Service.

Suspects
Two suspects have been detained during part of the preliminary investigation and we would appreciate your help with a third one. All suspects are Swedish citizens. The third suspect is:

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Date of birth: 17/10/1984
Sex: Male

Gottfrid Svartholm Warg is suspected of a breach of data secrecy together with others, on numerous occasions during the period January 1 2012 to April 15 2012. There has not yet been an application for a detention order.

Svartholm Warg is internationally wanted (Interpol file number 2012/318024) in another case as a result of an imposed sentence of 1 year imprisonment in the Svea Court of Appeal 17/04/2009. The diffusion is attached.

His present location is unknown though we believe that he lives in Phnom Penh, Cambodia. See more detailed information in the attached files.

Case details
Intrusions have been made against, inter alia, a mainframe computer operated by a private company, hosting large amounts of personal data/census data from the Swedish Tax Agency, including protected personal data, as well as data of financial nature. Large amounts of data from the Enforcement Authority and the Police have been accessed as well.

The accessed data may cause considerable damage to authorities, companies and individuals.

The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities.

Requested assistance
Our request concerns investigative assistance locating the suspect Gottfrid Svartholm Warg. Furthermore we would like assistance with surveillance of the suspect with the purpose of documenting and analyzing his activities, contacts and locations.

In order to locate the suspect, see the attached document with detailed information. There you can find information about, inter alia, IP-addresses, credit card number, driving license and intelligence information. We have tried to collect and analyse information about his specific whereabouts but we cannot come any further. We now need your assistance.

When the suspect has been located the intention of the prosecutor in this case, Senior Public Prosecutor Henrik Olin, is to file a Rogatory Request concerning a search warrant. In addition to the arrest of Svartholm Warg we would like to seize his computers, mobile phones, hard drives, other digital storage media and personal belongings that can be used as evidence in our case. If necessary and if possible Swedish police officers can assist in the house search.

HAND OVER RECORDS

Evidence number Description
1 Hard Drive Seagate 80 G
2 Hard Drive Hitachi 80 G
3 USB Stick
4 USB Stick
5 USB Stick
6 Memory Card
7 Wireless Access Point
8 Binder
9 3G Dongle With Sim Card
10 Modem Zon
11 Sim Card Tele2
12 Plastic Cover belonging to a Switch
13 Paper With Addresses
14 Business Card
15 Paper From EuroBank
16 Baggage Tag
17 Receipt
18 iPhone
19 Nokia Phone
20 Invoice for MacBook
21 Note Book
22 Bankbook
23 Bankbook
24 Bankbook
25 Passport
26 MacBook
27 Plastic Cover belonging to a Router
28 Surveillance Camera, CCTV
29 16 Home Burned CDs
30 Lock Picking Tools
31 Modem Online
32 Key
33 Key