California Man Arrested For Hacking Websites For The Combating Terrorism Center At West Point And The New York City Comptroller

The Defendant Committed More Than 11,000 Defacements of Various Military, Government, and Business Websites Around the World Using the Online Pseudonym “Alfabetovirtual”

Geoffrey S. Berman, the United States Attorney for the Southern District of New York, and William F. Sweeney Jr., the Assistant Director-in-Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced today the arrest of BILLY RIBEIRO ANDERSON, a/k/a “Anderson Albuquerque,” a/k/a “AlfabetoVirtual.”  ANDERSON was charged with three separate counts of computer fraud for obtaining unauthorized access to and committing defacements of the websites for the Combating Terrorism Center at the United States Military Academy in West Point, New York (“West Point”), and the Office of the New York City Comptroller (the “NYC Comptroller”).  ANDERSON was arrested earlier this morning at his residence in Torrance, California, and will be presented later today in federal court in Los Angeles, California.

U.S. Attorney Geoffrey S. Berman said:  “Billy Anderson allegedly used specialized computer skills and knowledge to hack important U.S. military and government websites, as well as over 11,000 other websites around the world.  Thanks to the outstanding work of the FBI’s cyber squads, criminals who compromise the integrity of government websites and network infrastructure will continue to be investigated vigorously and prosecuted to the fullest extent of the law.”

Assistant Director-in-Charge William F. Sweeney Jr. said:  “Among other possible effects, website defacements can disrupt an organization’s operations and damage its credibility.  As alleged, Anderson committed more than 11,000 such acts over several years, impacting a wide spectrum of military, government and business entities.  The charges filed against Anderson should serve as a reminder that committing these acts of cyber vandalism will not be tolerated.”

According to the allegations contained in the Complaint[1] unsealed today:

Website defacements are acts of computer intrusion during which a hacker obtains unauthorized access to computers hosting Internet websites and then replaces the publicly available contents of the website with content generated by the hacker, thereby “defacing” the website.  Hackers frequently claim responsibility for defacements by listing their online pseudonyms as part of the defaced content.

From in or about 2015 through at least March 13, 2018, ANDERSON took responsibility for obtaining unauthorized access to, and committing more than 11,000 defacements of, various U.S. military, government, and business websites around the world under the online pseudonym “AlfabetoVirtual,” including websites for the Combating Terrorism Center at West Point and the NYC Comptroller.

On or about July 10, 2015, a website owned by the NYC Comptroller was defaced, and ANDERSON, using the online pseudonym “AlfabetoVirtual,” claimed responsibility for the intrusion and defacement.  The contents of the NYC Comptroller website were modified to display the text “Hacked by AlfabetoVirtual,” “#FREEPALESTINE” and “#FREEGAZA.”  The defacement was performed by exploiting security vulnerabilities associated with the version of a plugin being used on the website.  

On or about October 4, 2016, a website for the Combating Terrorism Center at West Point was defaced, and ANDERSON, using the online pseudonym “AlfabetoVirtual,” claimed responsibility for the intrusion and defacement.  The content of the Combating Terrorism Center website was modified to display the text “Hacked by AlfabetoVirtual.”  The defacement was performed by an unauthorized administrative account that exploited a known cross-site script vulnerability, thereby enabling ANDERSON to bypass access controls and target an internal Combating Terrorism Center website address.

ANDERSON also committed unauthorized intrusions of thousands of web servers located around the world by surreptitiously installing malicious code on victim web servers that provided ANDERSON with administrative rights to the victimized web servers, thereby enabling ANDERSON to commit defacements and otherwise to maintain persistent unauthorized access to the victimized web servers. 

                                                            *                      *                      *

ANDERSON, 41, of Torrance, California, is charged with two counts of computer fraud for causing damage to a protected computer, each of which carries a maximum sentence of 10 years in prison, and one count of computer fraud for unauthorized access to a United States Government computer, which carries a maximum sentence of one year in prison.  The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Mr. Berman praised the outstanding investigative work of the FBI.  Mr. Berman also thanked the Computer Crime Investigative Unit of the United States Army Criminal Investigation Command and the Brazilian Federal Police Cyber Crime Unit for their assistance with the investigation. 

The prosecution of this case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorney Sagar K. Ravi is in charge of the prosecution.

The charges contained in the Complaint are merely accusations.  The defendant is presumed innocent unless and until proven guilty.

[1] As the introductory phrase signifies, the entirety of the text of the Complaint and the description of the Complaint set forth below constitute only allegations, and every fact described should be treated as an allegation.