{
	"id": "42763b3c-6d64-43c3-946e-57f7d618dc86",
	"created_at": "2026-04-06T01:30:02.981519Z",
	"updated_at": "2026-04-10T13:12:14.578129Z",
	"deleted_at": null,
	"sha1_hash": "452ac1a9930e21cf1d2f03e88fbf06c35fbe5300",
	"title": "The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58201,
	"plain_text": "The Secret Service Tried to Catch a Hacker With a Malware\r\nBooby-Trap\r\nBy Joseph Cox\r\nPublished: 2020-07-10 · Archived: 2026-04-06 01:23:46 UTC\r\nA Seattle Police Department officer tried to unmask a ransomware attacker by deploying his own hack, according\r\nto newly unsealed court records.\r\nAlthough in this case the officer’s attempt didn’t work, the news shows that the use of so-called network\r\ninvestigative techniques (NITs)—the U.S. government’s general term for hacking tools deployed by law\r\nenforcement—is not limited to the FBI. Here, the Seattle Police Department official was working in their capacity\r\nas a Task Force Officer for the U.S. Secret Service.\r\nSeamus Hughes, deputy director of the program on extremism at George Washington University, discovered and\r\nshared the court docket with Motherboard.\r\nIn 2016 the South Correctional Entity (SCORE) Jail in Des Moines, Washington found ransomware on its\r\ncomputer network, according to the warrant application written by Chris Hansen, the Seattle Police Department\r\ndetective and Secret Service Task Force Officer. Ransomware is a type of malware that generally encrypts files on\r\na target’s system and then demands a bounty payment in cryptocurrency to unlock them. In some cases,\r\nransomware attackers will offer to unlock a limited number of victim’s files to prove they do have the capability to\r\nrecover the data.\r\nHansen spoke to the information technology director for the jail who’s listed in the court docket as “A.M.”, and\r\nreported that a user “was unable to access the user’s computer files on a server that the SCORE Jail uses to\r\nfacilitate remote searches of jail records by law enforcement officers with accounts on the SCORE Jail computer\r\nsystem,” the document reads. 
The ransomware appeared to have infected the system through the account of an\r\nAuburn, Washington police officer who had been hacked himself.\r\nThe impact was sizable: the ransomware majorly disrupted work for over 12 hours, infected a network share used by every\r\nemployee in the jail, and also “infected a software program used by several law enforcement\r\nagencies to create lineup montages, infecting the image files used for creating these lineups and preventing law\r\nenforcement officers from accessing the system to look up inmate booking photos and tattoo images,” the\r\ndocument reads.\r\nAlong with the bevy of encrypted material on the system sat another, new file.\r\nhttps://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware\r\nPage 1 of 3\n\n“hallo, our dear friend! looks like you have some troubles with your security. all your files are now encrypted,” the\r\nmessage from the ransomware attackers read, which added they would only keep the keys to decrypt the files for\r\nno more than 72 hours.\r\nWhile Hansen and A.M. were on the phone, the ransomware kept spreading. As A.M. took a RAM image\r\n(essentially preserving what was currently in the system’s memory) of a computer with a suspicious process\r\nrunning on it, the ransomware then started locking down that system’s files too, the document reads. At Hansen’s\r\ndirection, A.M. contacted one of the email addresses provided by the attackers in their original message,\r\nlavandos@dr.com, and asked for more information on how to retrieve the files. The ransomware attacker replied,\r\nand asked A.M. 
to send three of the encrypted files, the complaint adds.\r\nHansen checked the email headers of the reply, and found the attacker’s related IP address was a Tor exit node. Tor\r\nis an anonymity network that routes a user’s traffic through computers spread throughout the world. Because this\r\nclearly wasn’t an IP address that would help identify who the ransomware attacker really was, Hansen hatched a\r\nplan.\r\nHansen first took a NIT, which in this case was a program that once run on a target’s computer would connect\r\nback to a Secret Service server and reveal the IP address of the suspect’s machine. He then compressed the file,\r\nand with the cooperation of the jail, placed the file on the jail’s compromised network, deliberately exposing it to\r\nthe ransomware and encrypting it.\r\nThe idea was that the jail would send this booby-trapped file, along with two others, to the attackers to decrypt,\r\nthe document explains. Once the ransomware author sent back the unencrypted versions, the jail would reply\r\nsaying that one of them—the one including the NIT—is not working, and ask the attackers to examine the\r\nunzipped file and repair it. The jail would also send them another, unencrypted copy of the file in case the\r\nattackers didn’t retain one.\r\n“If the perpetrator(s), in fact, examine(s) the unzipped file, and in doing so attempt(s) to run the file, the action of\r\npressing the ‘run’ button will launch the NIT,” the complaint reads. Once activated, the NIT would not only tip off\r\ninvestigators to the target’s IP address, but also collect some other basic information like the computer’s open\r\ncommunication ports, the type of operating system it was running, its language, timezone, wireless network\r\ninformation, and host and usernames. 
Armed with that sort of information, investigators may be able to identify\r\nwhere the attackers are located, or eventually who they are.\r\nBut this rather convoluted plan didn’t play out.\r\n“DEPLOYMENT OF NIT UNSUCCESSFUL; NO EVIDENCE SEIZED,” another document reads. The\r\ndocuments don’t elaborate on why the NIT did not work.\r\nU.S. law enforcement has increasingly turned to NITs, especially in cases that involve the Tor network or other\r\nanonymity systems. The FBI has used NITs to unmask people making bomb threats, other financially driven\r\ncybercriminals, and child predators. Whereas some cases are highly targeted in nature, other operations have\r\nbeen exceptionally broad. Motherboard previously revealed how the FBI hacked over 8,000 computers based in\r\n120 countries based on one warrant.\r\nThat was a legally contentious warrant, as many defense lawyers argued that the judge who signed it did not have\r\nthe authorization to green-light searches outside of her own district. Shortly after, in December 2016, long-planned\r\nchanges to the rules around warrants came into effect, meaning that magistrate judges could authorize hacking\r\noperations anywhere in the world.\r\nHansen deployed his NIT a few weeks after those changes, according to the court records.\r\nAhmed Ghappour, associate professor of law at Boston University, who has studied the legal issues around NITs\r\nand in particular their geopolitical ramifications, previously told Motherboard that hacking suspects who use Tor\r\nis “like playing Russian Roulette with cross-border cyber operations,” primarily because investigators ultimately\r\ndon’t know where the NIT is going to end up, outside the United States or otherwise.\r\nAnd law enforcement NITs have failed in the past. 
When trying to unmask Buster Hernandez, a particularly\r\negregious child abuser targeting people on Facebook, the FBI tried, and failed, to do so with a NIT. But as\r\nMotherboard revealed last month, Facebook’s own security team then purchased a much more effective piece of\r\nmalware and provided it to the FBI, which successfully deployed it against Hernandez.\r\nThe Seattle Police Department did not respond to a request for comment. The Department of Homeland Security,\r\nof which the Secret Service is a part, also did not respond.\r\nSource: https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware"
	],
	"report_names": [
		"secret-service-network-investigative-technique-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439002,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/452ac1a9930e21cf1d2f03e88fbf06c35fbe5300.pdf",
		"text": "https://archive.orkl.eu/452ac1a9930e21cf1d2f03e88fbf06c35fbe5300.txt",
		"img": "https://archive.orkl.eu/452ac1a9930e21cf1d2f03e88fbf06c35fbe5300.jpg"
	}
}