Canadian citizen Sebastian Vachon-Desjardins netted at least $21 million in bitcoin from ransomware attacks on hospitals, schools, and the police. On Tuesday, the Department of Justice (DoJ) announced a US judge has sentenced him to 20 years behind bars.
The 35-year-old was involved with NetWalker, a Russia-based group that attacked infrastructure during the COVID-19 pandemic. The group offered a ransomware-as-a-service model and would steal company data before demanding bitcoin.
Attorneys said: “In this case [Vachon-Desjardins] used sophisticated technological means to exploit hundreds of victims in numerous countries at the height of an international health crisis,” (via DoJ, our emphasis).
NetWalker operated across 30 countries and targeted upwards of 400 victims, extracting ~$40 million in bitcoin ransom payments. Vachon-Desjardins is said to have contributed to a third of these ransomware attacks. Before this, he worked in an IT department for the Canadian government.
Vachon-Desjardins extradited to US
The Canadian threatened a Tampa Bay company in April 2020 at the height of the pandemic. He was able to access the company’s computer network and spread ransomware. The next day, employees logged on to find a message explaining all files were encrypted. If they attempted to reboot their computer, files would be lost.
The message included a code and a link to NetWalker’s TOR site. Users could enter the code before receiving a ransom demand with instructions. Vachon-Desjardins demanded $300,000 in bitcoin.
“Hi! Your files are encrypted by NetWalker,” the message said. “If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased…”
“For us this is just business,” it also read.
US authorities requested Vachon-Desjardins’ arrest. Canadian police apprehended him in Quebec on January 27, 2021. After searching his home, police seized over $740,000 in Canadian dollars and 719 bitcoin, worth almost $22 million at the time and $14.5 million today.
When sentencing Vachon-Desjardin, US District Judge William Jung said: “You have one of the worst cases I’ve ever seen, This is Jesse James meets the 21st century.”
“It is bad stuff. If you had gone to trial, I would have given you life,” he declared (our emphasis).
Vachon-Desjardins’ lawyer tried to argue for a lesser sentence, claiming that he had never committed a crime before in his life. The 35-year-old pleaded guilty in July to charges of computer fraud and wire fraud, among others.
He agreed to forfeit his ransomware earnings and in January a court will decide how much he owes his victims. He has chosen to keep quiet about his co-conspirators.