Essex black hat behind Cryptex and reFUD gets two years behind bars

Goncalo Esteves sobbed as he was sentenced


A 24-year-old Essex man behind the reFUD.me antivirus evasion site, who made an estimated half a million pounds from Bitcoin, has been jailed for two years.

Goncalo Esteves, of Cape Close, Colchester, England, admitted two computer misuse offences and one charge of money laundering in January. He was sentenced today at Blackfriars Crown Court.

His main illegal business was operating reFUD.me (the FUD stands for Fully UnDetectable), which let black hats test their wares against antivirus software without the resulting alerts being passed on to antivirus vendors and anti-malware researchers. The site ran between October 2011 and November 2015.

Esteves, who used the handle KillaMuvz, also had a profitable sideline in selling licences for his Cryptex program, which scrambles malware binaries in order to help black hats get their malicious payloads onto target devices without detection. A month of Cryptex Lite cost £5, or customers could buy a lifetime licence for £60.

Through his illicit online sales, Esteves earned £32,000 on PayPal alone, while prosecutors estimated that, at their height, his Bitcoin holdings were worth £500,000. Thanks to the recent crash in price, they were thought to be worth just £15,700 when he pleaded guilty on 15 January.

"The Bitcoin wallet was investigated and the National Crime Agency saw that there were numerous transfers in of Bitcoin and transfers out," said Crown barrister John Ojakovoh. "Unfortunately it is, of course, not possible to trace where those land."

The court heard how Esteves also sold a remote-access trojan (RAT) to a Skype user with the handle FishHabbo who wanted it installed on his ex-girlfriend's computer to "see what she's up to".

Ojakovoh told the court: "In fairness to the defendant he at first said, 'Instead of hacking her, how about you do something really nice for her?' But the customer persisted so the defendant sold him the product, knowing it was going to be used to spy on or stalk his ex-girlfriend."

Although Esteves claimed that his online business was legitimate, Ojakovoh told the court that his sales of RATs were "like offering to disconnect burglar alarms so that burglars can get in undetected".

The malware vendor was caught after a joint investigation by security firm Trend Micro and the National Crime Agency. A police raid on his house in November 2015 netted him and one other individual who the NCA confirmed was "NFA'd" (no further action) in "early 2016".

Esteves was handed a seven-month suspended sentence at Reading Crown Court in August 2016 for making false claims for refunds on four MacBooks ordered on Amazon. One of the computers was used in his illegal business and was seized by police when they raided his home in 2015, as the Central News court reporting agency wrote.

Circuit Judge Mark Dennis QC told Esteves, who appeared in court accompanied by his pregnant wife and father-in-law: "Disguising viruses and malware has the potential to cause significant harm to an individual. The defendant appears to have believed that his specialised crime would enable him to carry out these offences with impunity."

The malware peddler "clutched his tie with both hands and sobbed as he was jailed for a total of two years". ®