Cybercriminal devoid of boundaries gets 10-year prison sentence

A rampant cybercrook and repeat attacker of medical facilities in the US is being sentenced to a decade in prison, around seven years after the first of his many crimes.

Robert Purbeck, 45, pleaded guilty back in March to two counts of computer fraud and abuse related to cybercrimes affecting at least 19 different victims.

The Meridian, Idaho, man was also ordered to pay more than $1 million in restitution to those victims, as previously agreed at the plea hearing, and will serve three years of supervised release following his prison term.

“Purbeck’s crimes reflect the efforts of a callous and brazen cybercriminal who not only hacked into numerous computer servers and stole sensitive personal information from both private and public actors, but also threatened to extort many of his victims and disclose their data,” said US attorney Ryan K Buchanan. 

“Thanks to the tireless work of law enforcement, Purbeck’s time of hiding behind a computer to steal, threaten, and intimidate is over.”

The extent of Purbeck’s theft, threats, and intimidation was laid out in great detail in the Northern District of Georgia’s sentencing documents. The man who adopted the “LifeLock” moniker, and at other times the super cool “Studmaster” pseudonym, was known for his aggressive extortion tactics that in one case ran a medical business into the ground.

Not every attack Purbeck carried out was covered, although the ones that were vividly illustrated what kind of person the so-called Studmaster was.

In the same month Purbeck bought access to the servers of a medical clinic in Griffin, Georgia, from which he stole sensitive personal information belonging to more than 43,000 people, he also targeted a California dentist referred to only as “AY” in court.

The sentencing memo [PDF] submitted by the prosecution, which argued for a long (five-year-plus) sentence, states that Purbeck gained access to the dentist’s systems and attempted to extort her for $10,000 worth of Bitcoin in “return” for not publicizing her patient’s data on the web.

Purbeck sent 27 extortion emails containing varying degrees of threatening language. Some merely threatened the viability of AY’s practice:

Other emails were even more dark, the sentencing memo claims, alleging Purbeck threatened to place AY’s family members on various sex offender registers. He was quoted as saying:

The prosecutors noted that AY suffered damages to the tune of $92,095 as a result of Purbeck’s extortion attempts against her and her patients.

He seemed to really have it in for the dental sector, as a year later a Florida orthodontist, known only as “DS,” was on the receiving end of the extortionist’s handiwork.

In a similar fashion, Purbeck gained access to the systems of DS’ practice, stole patient data, and used it as leverage to extort the orthodontist for $15,000 worth of Bitcoin, say prosecutors. 

Over the following ten days, Purbeck harassed DS with a series of emails and SMS messages, says the memo. Some contained patient data such as their name, date of birth, and social security number (SSN). Further down the line, Purbeck stooped lower, identifying DS’s daughter, a minor, as an intimidation tool.

Purbeck wrote in one email:

The following day, the memo claims, Purbeck texted DS’s wife demanding the extortion payment be paid before he started contacting patients.

DS refused to pay Purbeck, who then followed through with his threat to inform his patients in a ploy to ramp up the pressure to pay the ransom. One patient was sent a text containing an X-ray of their teeth, for example.

The text read:

Purbeck even messaged teenage patients, threatening to sell their SSNs to criminals looking for a “fresh start.”

Similar to AY, DS ultimately suffered extensive losses. The court heard these amounted to  $285,980.13 – a huge amount spent on forensic audits, notifications, remediation, and legal fees that eventually forced DS to sell his practice.

For two years after, DS said he and his family were on the brink of bankruptcy.

AY, DS, and the Griffin clinic, were just three of the 19 people and organizations victimized by Purbeck, says the memo, submitted late last week.

The government adds that others included:

  • the City of Newnan police department

  • A Locust Grove medical clinic

  • A former mayor in Michigan

  • A medical billing service in Alaska

  • An optometry clinic

  • A dialysis clinic

  • A church in Stone Mountain

  • A correctional facility

  • Am Idaho health department

  • Others

The list also included, abhorrently, a safe house for women and children who were victims of domestic violence.

The FBI raided Purbeck’s home in August 2019, seizing devices that contained the personal data of 132,000 people. He admitted during an interview in his backyard that he was the individual behind the Lifelock moniker, responsible for various attacks including AY’s, made $48,000 from various extortion attempts, and engaged in “some minor identity theft” like creating bank accounts using the data he stole.

Purbeck was indicted in March 2021, after which time, as The Register previously reported, he tried on multiple occasions to recover his devices that were seized by the FBI. He also tried to counter-sue those who arrested him, alleging among other things that his genitals were groped during the process, allegedly bringing on a bout of PTSD that required a psychotherapist’s intervention.

Commenting on Purbeck’s sentencing this week, Sean Burke, Acting Special Agent in Charge of FBI Atlanta, said: “Cyber extortion is unfortunately a rapidly growing threat and highlights the ever-growing need for corporations to remain vigilant in cybersecurity efforts. This sentencing is just one example of the FBI working together to hold criminals that hide behind their computers accountable, regardless of their location.” ®

READ MORE HERE