The Hapless Shakedown Crew That Hacked Trump’s Inauguration
Days before the big event, hackers seized control of the capital’s surveillance cameras and demanded a ransom. Then everything spiraled out of control. The Hapless Shakedown Crew That Hacked Trump’s Inauguration
Eight days before Donald Trump’s presidential inauguration, the Secret Service received an urgent call saying hackers had seized control of most of the video surveillance cameras that keep watch over the U.S. capital.
A lead agent jumped off his treadmill and charged toward the command center where police monitored the camera feeds day and night.
Instead of streaming videos, the computer screens displayed a message in red capital letters: “YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!” Anonymous hackers demanded $60,800 in bitcoin to return control of the surveillance system.
In a Bucharest apartment 5,000 miles east, Alexandru Isvanca called Eveline Cismaru to his computer. The screen showed live footage from Washington. The 20-something couple with a history of small-time scams had inadvertently hacked the world’s most powerful nation for a five-figure ransom at a time of high anxiety over national security on Inauguration Day.
The Romanians had launched hundreds of thousands of emails embedded with ransomware in an attachment disguised as an invoice, authorities said. The list of email addresses they bought included, by chance, the Washington, D.C., police department. A recipient there apparently took the bait, opening the attachment that locked up the street-camera system. Only a payment could produce the key.
Secret Service agents debated whether the Kremlin was involved. The hackers had used Russian software. Or, maybe anti- Trump protesters were trying to sabotage the inauguration.
With the clock ticking down for an outdoor event expected to draw hundreds of thousands of spectators, U.S. law-enforcement officials had two goals: regain control of the surveillance system and track down the culprits.
Secret Service agents swarmed Washington, taking offline the many internet-connected elevators, fire alarms and thermostats along the planned presidential route to prevent further sabotage.
For years, Mr. Isvanca and Ms. Cismaru shared a sometimes-playful, sometimes-stormy partnership, supporting themselves at various times through identity-theft, credit-card fraud and ransomware attacks, according to friends, as well as U.S. and Romanian authorities.
Their latest gambit, authorities said, was the ransomware virus, which redirected the Washington video feed to their Bucharest apartment. For the couple, it seemed an unexpected stroke of good fortune.
This article about the pursuit of the hackers is based on sworn testimony, court documents, social media posts, and interviews with U.S. and European investigators, family members, neighbors, landlords and friends of Mr. Isvanca and Ms. Cismaru.
When asked for comment on the case, Michael D’Ambrosio, assistant director of the Secret Service Office of Investigations, said only that it illustrates how “physical systems that are dependent upon networked infrastructure are especially vulnerable.”
The couple has, over time, given conflicting and contradictory accounts. Mr. Isvanca at first admitted the hacking to the Secret Service, a court filing said. He later told The Wall Street Journal that the Washington police department wasn’t an intended target. Later, he said he hadn’t participated at all.
Ms. Cismaru initially denied her involvement to Secret Service agents. Later, as part of a 2018 plea agreement, she acknowledged her role in the scheme.
Ms. Cismaru sent a message to the Journal in June asking, “How much are you willing to pay for this interview?” (The Journal doesn’t pay for interviews.)
In August, she denied having anything to do with the computer hijacking. Communicating to the Journal by text and Facebook messages, Ms. Cismaru said, “I don’t know who wrote” and signed the court document in her name.
Ms. Cismaru said breaking into the U.S. capital’s video surveillance system was easy. “Americans are stupid,” Ms. Cismaru said in a text.
In fact, the couple brought about their own downfall.
Mr. Isvanca and Ms. Cismaru, known to friends as Bobo and Eve, met in 2010. She was 21 years old. Mr. Isvanca, 18 at the time, supported himself “through computer crimes and credit card fraud,” Ms. Cismaru said in a court statement. Mr. Isvanca told the Journal she had lied about him in court and denied the allegations. His lawyer said she wouldn’t comment on the case.
Within a year of their meeting, Ms. Cismaru learned to acquire and use stolen credit cards to buy items online, according to Romanian prosecutors.
The couple kept to relatively low-risk capers using black-market software, email lists and stolen credit-card numbers, small fish in an ocean of fraud.
In the U.S., fraud involving debit- and credit-card payments in 2016 neared $7.5 billion, 60% of it from online fraud, according to the most recent surveys from the Federal Reserve.
Banks and retailers generally accept those losses, either because they don’t want to risk losing customers by refusing them refunds, or because the cost of pursuing suspects like the Romanian couple is too high. Consumers, at some point, end up paying higher prices to cover the losses.
In 2012, Ms. Cismaru was convicted in Romania of participating in credit-card fraud, according to court files.
The judge issued Ms. Cismaru a suspended 3-year prison sentence. The court required that she check in every three months with police, appointments she frequently missed, Romanian officials said.
By then, Ms. Cismaru had a wealthy boyfriend, her parents said in an interview, and she moved into his upscale London home in 2012. She brought Mr. Isvanca, her cousin and his girlfriend, and another friend to live there, as well.
At the London house, she and her entourage shared hacking tips and drunken, playful evenings, according to videos and pictures she posted on Facebook. Friends said Mr. Isvanca and Ms. Cismaru had romantic ties.
In early 2013, police raided the house in a cybercrime investigation involving Mr. Isvanca, Ms. Cismaru’s boyfriend evicted everyone but Ms. Cismaru. The couple had a son in 2015.
Ms. Cismaru and her boy returned to Bucharest where she rented a spacious apartment in a central-city neighborhood of new glass-tower condominiums. There, Mr. Isvanca and Ms. Cismaru worked long days blasting out the ransomware spam to email addresses from a list called USA.txt that was acquired on the dark web, a part of the internet used by cybercriminals.
They used a virus from what authorities suspect was a Russia-based group, which made money by taking a portion of the ransom in exchange for providing a password to unlock seized computers.
Using such plug-and-play ransomware is so foolproof that even bungling criminals can profit, according to cybersecurity experts.
On Jan. 9, 2017, Mr. Isvanca ordered food online from Andy’s Pizza in Bucharest. That day, using the same email address, he hacked the Washington street cameras, Ms. Cismaru later told prosecutors.
In Washington, ransomware disabled 126 of the 186 computers linked to the cameras, and Secret Service and police began trying to regain control.
Inaugurations are the most intense event on the Secret Service calendar, and 2017 was no exception. Every would-be disrupter would be familiar with the motorcade route that President Obama and Mr. Trump would follow.
U.S. agents rushed to reinstall the operating system in stricken computers, one by one. As they worked, Ms. Cismaru posted a picture of herself at her laptop in a Bucharest restaurant: “#13Fridaynostress #workworkwork #feelinghappyandmotivated,” she wrote.
Three days before the inauguration, authorities got the surveillance cameras working.
Mr. Isvanca assured Ms. Cismaru that they had left no trace. He was wrong. Mr. Isvanca used the same email address for both the online pizza order and the hack.
Ms. Cismaru also left behind a glaring clue. She was using a fraudulent business account on Amazon to sell items she didn’t own. When she was alerted to an order, she purchased the product from a legitimate seller using a stolen credit card. The item was then shipped to the buyer.
Of the 126 hacked computers, the first one Secret Service agents analyzed was the very same one that hackers had used to spread the computer malware. The lucky find not only saved valuable time—the computer screen showed a tracking number for a package headed to the U.K. The couple had also used the commandeered computer in the Amazon scheme.
The package contained a hand-held meat barbecuing accessory, called the “Smoking Gun.” The device lets cooks “add a delicious smoky flavor to your food and drinks in just no time,” its producer said.
At the request of U.S. officials, the British National Crime Agency conducted a raid of the package’s destination, a London office. An officer later called the Secret Service and jokingly said, “I found the smoking gun.”
Investigators tracing Ms. Cismaru’s online activity discovered she had used a Gmail account with her full name as a backup to accounts created for the credit-card and ransomware schemes. Investigators found one email account with the details of 2,170 stolen credit cards, as well as the same USA.txt list detected on the hacked police computer in Washington.
Ms. Cismaru said her personal email account was “fraudulently used without my knowledge,” in a statement to the Journal. She blamed the Smoking Gun purchase on others.
In late January 2017, U.S. investigators contacted Europol. By summer, Dutch, British and Europol investigators had joined agents of the Secret Service and Federal Bureau of Investigation to plan the arrest of Mr. Isvanca and Ms. Cismaru.
The couple “ended up being the mostly unlucky hackers after being the luckiest,” said a Romanian investigator who joined the dragnet.
Ten days before Christmas 2017, Ms. Cismaru’s parents said, they drove their daughter, her baby and her Swedish boyfriend to the Bucharest airport for a flight to London.
Ms. Cismaru had a ticket for seat 19C. Mr. Isvanca, unknown to Ms. Cismaru’s family, was on the same flight in seat 19D. They were arrested before boarding and confined to house arrest.
Mr. Isvanca stayed in his mother’s modest apartment in the eastern Romanian city of Onesti. Ms. Cismaru smoked cigarettes at her parents’ home outside Bucharest. They were ordered not to speak to each other.
In early 2018, Mr. Isvanca messaged Ms. Cismaru on an encrypted app, according to her guilty plea. The Secret Service has no proof it was us, he wrote. If she testified against him, Mr. Isvanca warned, he would forge conversations incriminating her. She later shared screenshots with U.S. prosecutors.
On Feb. 16, 2018, Ms. Cismaru failed to show up for a morning appointment at Perfect Smile Dentistry in Bucharest. British police believe she left Romania and traveled by train from Hungary to France. Her boyfriend drove her from Paris to London using the channel tunnel.
Police in London, alerted by U.S. authorities, sent two officers to the boyfriend’s house. Ms. Cismaru had dashed out the back door by the time officers entered the house. She tried to hide in a garden, but two other officers were watching the back of the house.
Once trapped, Ms. Cismaru shouted, “I’m pregnant!” Officers escorted her, screaming, into a police car. She “denied any involvement in this scheme and even denied the use of her own personal email account,” according to court documents.
Ms. Cismaru and Mr. Isvanca were charged in the U.S. with 11 counts, including conspiracy to commit wire fraud, computer fraud, trespassing in a government computer and attempted extortion. Ms. Cismaru was extradited to the U.S. in July 2018. Character witnesses described her as a caring mother.
On Sept. 20, 2018, Ms. Cismaru entered a guilty plea to two of the 11 counts and agreed to testify against Mr. Isvanca. In a court statement, she “admitted to her participation in this conspiracy, along with a co-conspirator.”
U.S. prosecutors determined Ms. Cismaru played a minor role. In January, she was released for time served. In March, she was deported.
Mr. Isvanca is on trial in Romania on earlier charges involving credit-card theft. He faces extradition to the U.S., where charges in the Washington case carry penalties of up to 20 years in prison.
In London, Ms. Cismaru says she is a fashion fitness entrepreneur and Instagram influencer, posting glamour shots and ads to 90,000 followers.
A recent post shows her posing in a tightfitting dress, draping her high heels across a leather sofa, lips pursed.
“Living my best life,” she wrote, adding a crying-laughing emoji. “#BossGirl.”