Hacker: How I stole $300,000

By Edward Gay

Tomasz Grygoruk is now out of jail and studying computer networking in the hope of getting a job in computer security. Photo / Brett Phibbs
Tomasz Grygoruk is now out of jail and studying computer networking in the hope of getting a job in computer security. Photo / Brett Phibbs

Tomasz Grygoruk had been working all night on his latest bogus internet banking website when the police came through his parents' front door.

At the age of 22, he had already spent up to $300,000 of stolen money amassed through his internet phishing scams, but he came unstuck when the FBI got involved.

After five years of scams, the Aucklander found himself sentenced to three years behind bars.

Now out of jail, he wants to turn his sophisticated skills to good use, he told the Weekend Herald this week.

Grygoruk began scamming people at just 17. "It all started off with wanting a new cellphone," he said.

Within a few years, courier packages were turning up to his house every day and he was living a young man's dream - clothes, electronics and $300 bottles of Johnnie Walker blue label whisky.

Whatever he wanted was just a fake credit card away.

The Polish-born teenager started by using his old school photocopying card, adding the banking details of a person to the card's magnetic strip.

He dressed in a hoodie and sun glasses and went to an ATM at the local Caltex station. "I walked up to the machine. I was shaking."

He felt a rush as the machine dished out $20 bills. Grygoruk developed his own websites, sending out thousands of emails asking people to take part in a "bank survey".

Armed with pin numbers and account details of thousands of US-based victims, his confidence grew.

"It was like having a golden goose. You didn't want to let it go."

Grygoruk also hacked into a teacher's email account and found what he thought was proof of an inappropriate relationship between the man and one of his pupils.

He threatened to go to the man's Pennsylvania employer and local newspaper with the emails unless he deposited US$10,000 into a bank account Grygoruk had set up using a fake name.

There was actually nothing inappropriate about the relationship and the teacher went to the FBI.

The threatening emails were traced to the home of Grygoruk's parents in the East Auckland suburb of Howick.

He had only just gone to bed when the police came knocking. Grygoruk thought they knew everything, but they knew only about the blackmail.

Speaking to the Weekend Herald in the Albany apartment where he has started his new life, Grygoruk said the police walked right past a box that contained $16,000 and an eftpos and credit card writing machine.

One officer picked up a USB stick which contained the files of stolen identities, turned it over in his hand and put it back on the table.

But although the police had him for the blackmail, he could not bear to keep living with the pressure of knowing they could come back through his door at any moment.

The authorities had his computer hard drive, with its evidence of his phishing scams. "I had had enough. I didn't want to do it any more."

Grygoruk went to police and told them everything.

The Crown described the offending, which netted up to $300,000, as sophisticated, persistent and motivated by greed.

Grygoruk spent time at Mt Eden and Rangipo Prisons and kept busy by working in the library, driving the laundry van and doing an Open Polytechnic business course.

Now aged 25, he is studying computer networking. He said that with the support of his family he had turned his life around and hoped one day to work in computer security.

"I'm just concentrating on getting my life back on track and staying out of trouble."

Grygoruk said he had not yet looked at job opportunities and might choose to do more study.

"I just want to reach the point where I feel comfortable working around a computer. I've missed a lot since I've been in prison."

He lives with his girlfriend. "She's a good girl who keeps me out of trouble."

He hopes a technology company will give him a try, but one that hacks into the computer systems of large companies to test their security says this would be difficult.

Aura Information Security managing director Andy Prow said hiring a person with a criminal record was problematic because of his firm's professional liability insurers.

While he personally believed in giving a second chance to people who turned their lives around, Aura had to consider that clients needed to have complete trust in its staff.

Grygoruk said he now had a deep feeling of regret.

"At first, it was just numbers on the screen, but there is a face behind the numbers and that's the face I affected. I have no excuse for what I've done."

Where the money went
* $300 bottles of Johnnie Walker blue label whisky
* Clothes
* A new computer
* Electronics
* McDonald's

- NZ Herald

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_n1 at 11 Jul 2014 15:16:22 Processing Time: 2035ms