National Lottery Sentry MBA hacker given nine months in jail after swiping just £5

'You targeted a large charitable organisation' thundered judge

A Londoner who hacked the National Lottery using Sentry MBA and made off with just £5 will spend up to nine months in prison for his crimes.

Anwar Batson, 29, of Lancaster Road in London's Notting Hill, was part of a group of miscreants who hacked into the National Lottery website in 2016.

Batson, Crown prosecutor Suki Dhadda told Southwark Crown Court this morning, downloaded Sentry MBA and joined a chat group discussing and swapping configuration files for the software.

Anwar Batson

Anwar Batson

The Londoner, a father of one, "counselled others on how to hack" and "enabled them to successfully use Sentry MBA to hack others' accounts," said Dhadda.

A brute-forcing tool, Sentry MBA relies on website-specific configuration files to automate the testing of user credentials gathered, or stolen, from elsewhere.

Using the chat handle "Rosegold", Batson discussed with others, including Idris Akinwunmi and Daniel Thompson, the details of those config files and how to deploy Sentry MBA against the Lottery website. Akinwunmi was caught after police traced one of the IP addresses used in attacks against the website back to Aston University, where he was quickly identified.

Under interrogation and after examination of his computers yielded chat logs, Akinwunmi said he had learned how to use Sentry MBA from "Rosegold".

Received £5 from fellow hacker

"He could follow the instructions of Rosegold and agreed to split the proceeds with Rosegold," Dhadda told His Honour Judge Jeffrey Pegden QC. Defending Batson, barrister Daniel Kersh added: "They made an arrangement. Mr Batson would send him the Sentry MBA and that whatever Mr Akinwunmi did with it, he would get a cut. That in essence was his involvement."

So it was that Dr Ian Bentley, a National Lottery player, suffered the loss of £13 from his account – its entire contents. Akinwunmi sent £5 of the stolen sum to Batson via the bank account of an intermediary, named in court as Edwin Salter.

On 10 May 2017, Batson was arrested at his Notting Hill home. Initially he denied he had anything to do with the National Lottery hacks, claiming he "was the victim of online trolling” and that his devices "had been trolled or hacked and other people had access to his laptop." He eventually pleaded guilty in December, having not been asked to enter a plea at his first hearing before Westminster Magistrates' Court.

Searches of his devices, including two digital storage sticks, revealed a copy of the same chat that investigators found on Akinwunmi's machines as well as evidence that Batson had accessed Dr Bentley's account using Sentry MBA.

Mitigating his client's crimes, Kersh took the judge to a character reference given to the court by Batson's employer. Peering at it as the barrister spoke about his client's past, HHJ Pegden asked: "Has he told his employer about these proceedings? In the last paragraph, seems to be a reference for him applying for some position: 'I would recommend Anwar Batson to whatever position he might be applying for.' Doesn't seem addressed to the court."

Kersh turned to Batson, locked in the glass-walled dock, who nodded. "He has told his employer," confirmed the barrister.

A statement from lottery operator Camelot's CISO David Boda, which was read to the court, said the lottery operator had spent £230,000 responding to the hacks, saying that 250 customers had closed their accounts as a result of post-hack publicity – and also counting £40,000 for a staff training event that had to be postponed so all hands were available to stave off the hacks. Security staff spotted a large number of IP addresses accessing user accounts, the first indication that Batson, Akinwunmi and others were at their illicit work.

Aggravating and mitigating factors

Passing sentence, HHJ Pegden said: "In my view the gravity of your offending does not lie in the loss occasioned by the hacking and by the fraud. That indeed was low. But it does lie in the fact that you targeted a large charitable organisation, namely the National Lottery, which gives something like £30m per week to chosen charities."

The judge continued:

You pleaded guilty to the four computer misuse act offences on the 10th December of last year at the plea and trial preparation hearing. There had been no indication of any guilty pleas beforehand. Indeed, when you were questioned by police you denied any involvement in these offences… In my judgment the aggravating and mitigating factors in fact cancel each other out. Therefore the correct sentence before credit for pleas is one of 12 months' custody.

Kersh, defending Batson, had described how the hacker's mother had died at the age of 45, six months before his crimes, while his grandmother had also died not long afterwards. Describing the aggravating and mitigating circumstances as cancelling each other out, but referring to Batson's guily pleas, HHJ Pegden said: "The law is quite clear about this, the reduction should be and must be 25 per cent."

Anwar Batson pleaded guilty to four counts under the Computer Misuse Act 1990 and a late count of fraud added at the start of his sentencing hearing. He was sentenced to nine months' imprisonment concurrently on all counts. His laptop and two memory sticks, one of which contained a folder titled "Sentry MBA" with a "working and active" copy of the software were ordered to be forfeit and destroyed. He must pay £250 towards prosecution costs and repay £5 compensation to Dr Bentley, as well as the statutory victim surcharge tax.

Three other charges will lie on file.

Wearing a plain white shirt and blue jeans, and carrying a black holdall of goods for his prison sentence, Batson nodded as sentence was passed and walked down to the cells when dismissed by the judge. ®

Bootnote

In another Computer Misuse Act hacking case before Christmas, the guilty hacker, who deliberately tried to delete all accounts on airline Jet2's Active Directory domain, was sentenced to 15 months – but will only serve five. ®

Updated at 15:19 GMT on 10 January 2020 to add

Lottery operator Camelot got in touch to say: "We take player protection very seriously. If we believe unlawful activity has taken place, we will not hesitate to report it to the appropriate enforcement body and assist it in any investigation. We're pleased that this case dating back to 2016 has now come to a conclusion and welcome the sentence imposed."

Sponsored: Practical tips for Office 365 tenant-to-tenant migration

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020