Geoffrey S. Berman, the United States Attorney for the Southern District of New York, and William F. Sweeney Jr., Assistant Director-in-Charge of the New York Office of the Federal Bureau of Investigation (“FBI”), announced the arrest of RICHARD LIRIANO for installing a malicious software program known as a “keylogger” on dozens of his coworkers’ computers at a New York City area hospital, obtaining unauthorized access to his victims’ email, social media and other online accounts, and using that unauthorized access to steal private and confidential files. Using his victims’ stolen credentials, LIRIANO repeatedly compromised their password-protected online accounts, and pilfered their sensitive personal photographs and other private documents.
LIRIANO was arrested yesterday and arraigned in federal court before United States Magistrate Judge Katharine H. Parker.
U.S. Attorney Geoffrey S. Berman said: “Richard Liriano, an information technology professional at a New York hospital, is alleged to have installed a ‘keylogger’ program onto dozens of his coworkers’ computers in order to spy on and steal personal information from them. Liriano allegedly used the access he gained through the malicious software to steal photos, tax records, and other personal information from his coworkers and people associated with them. As information technology increasingly becomes an integral part of our workplaces, ensuring the integrity of those systems becomes even more critical. The arrest of Liriano should serve as an error message to any information technology professionals seeking to capitalize on their trusted access to information: As in this case, you will be caught and prosecuted.”
FBI Assistant Director-in-Charge William F. Sweeney Jr. said: “Whatever alleged motivation the subject in this case had, hacking into his co-workers' lives, albeit extremely disturbing, wasn't the most egregious act. He allegedly installed a harmful program on computers that house vital and critical healthcare information for hospital patients, without a thought to what he could be compromising in his attempts to spy on people.”
According to the Indictment unsealed today in Manhattan federal court:
From at least in or about 2017, up to and including at least in or about September 28, 2018, LIRIANO misused administrative access provided to him as an information technology employee at a New York City-area hospital (“Hospital-1”) to log in to employee accounts and copy other employees’ personal documents, including tax records and personal photographs, onto his own workspace computer for his own personal use.
To further his efforts to steal personal information from Hospital-1’s employees, LIRIANO, without authorization, secretly installed a malicious program known as a keylogger on the accounts of other, primarily female, employees. This program recorded and sent victim employees’ keystrokes to LIRIANO, which included the usernames and passwords those employees entered to access their personal web-based email accounts. Through the course of this conduct, LIRIANO stole usernames and passwords for at least approximately 30 email accounts belonging to Hospital-1 employees or persons associated with those employees (the “Compromised Accounts”).
LIRIANO then used those stolen usernames and passwords to log in to the Compromised Accounts and obtain unauthorized access to other password-protected email, social media, photographs, and online accounts to which the Compromised Accounts were registered. Among other things, LIRIANO conducted searches for personal photographs in the Compromised Accounts.
* * *
LIRIANO, 33, of Bronx, New York, is charged in three counts. The first count charges him with transmitting a program to a protected computer that intentionally caused damage, which carries a maximum sentence of 10 years in prison. The second count charges him with intentionally accessing a protected computer without authorization and recklessly causing damage, which carries a maximum sentence of five years in prison. The third count is aggravated identity theft, which requires a two-year prison term to be served consecutive to any sentence imposed on the computer intrusion charges. The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.
Mr. Berman praised the extraordinary work of the FBI and the New York City Police Department.
This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorney Vladislav Vainberg is in charge of the prosecution.
The charges contained in the Indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.
 As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the Indictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.
James Margolin, Nicholas Biase