The Register

Terrible tales of opsec oversights: How cybercrooks get themselves caught

They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. 

In these cases, failure might mean the criminal doesn’t get access to the server with the most valuable data to copy, or fails to trick any of the victim org’s staff members to execute a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts – the type that leads police to their doors.

Kai West/IntelBroker

After the recent arrest of Kai West, a 25-year-old Brit, in connection with the “IntelBroker” case, the FBI’s indictment seems certain it’s an example of how not to cover one’s tracks.

According to the US authorities, who allege West is notorious data thief IntelBroker, between 2023 and 2025 the online attacker caused around $25 million worth of damage to the companies he and his friends breached.

US prosecutors are seeking to extradite the man following his February arrest in France.

In total, West is accused of seeking to collect at least $2 million from sales of company data during that same period. A small chunk of that sum ($250) belongs to federal investigators, and was used to track him down. 

In January 2023, they purchased the data belonging to one of IntelBroker’s recent victims at the time, and tracked the Bitcoin transaction to a wallet that police claim their suspect, West, controls.

They think this because, further down the line, the funds passed through accounts for which West had completed know-your-customer (KYC) checks using his real identity documents.

The indictment claims a Coinbase account was found with his provisional driver’s license attached to it, as well as a Ramp account, registered to Kai West, with his date of birth and home address in the UK.

Nicholas Kloster

Another recent example to add to the list is the case of Nicholas Kloster, who just last week pleaded guilty to charges unsealed last year.

Kloster’s three-month Missouri crime spree was completely outshone by his apparent nonchalance about maintaining his digital anonymity.

His methodology is a real head-scratcher. Kloster’s offences on paper include breaking and entering, and unauthorized computer access, but some might say the real crime was his apparent disregard for basic opsec.

For starters, within a month of being hired by a new company, he used the company credit card to make various personal purchases, including a thumb drive advertised as a hacking tool.

He also allegedly broke into a health club after working hours, caused around $5,000 worth of damage to its security camera system, and used that in a bid to secure employment as a security professional. 

According to the complaint, he used his current employer’s email account, the one tied to his real identity, to email the health club details of exactly what he did to the security system, and send a resume for good measure.

He presumably did this to flaunt his expertise as a means to convince the health club that he knew his stuff. Posting the club’s camera feeds to social media shortly after probably did not help matters though.

Hector Monsegur/Sabu

Hector Monsegur, aka Sabu, aka leader of the LulzSec crime ring responsible for attacks on Sony Pictures, Fox, PBS, Bethesda, and more, only messed up once. But, with a rap sheet as high-profile as this, even a single slip-up can be one’s undoing.

Usually watertight when it came to opsec, Monsegur crucially failed to use Tor to log into a chatroom used by LulzSec less than a week after one of the group’s most high-profile attacks, one on a website affiliated with the FBI.

Monsegur warned members to be extra vigilant as regards security, then fell short of his own usual standards himself mere days after.

A former member of Anonymous, Monsegur received a lenient sentence in exchange for his quick agreement to become an FBI informant. The information he supplied led to the arrests of four additional members of LulzSec.

Zachary Shames/Mephobia

Names like NSO Group and Paragon have become synonymous with spyware over the last decade, but the market for non-commercial packages remains alive and well. 

That market is served by the likes of Zachary Shames, who is thought to have made in excess of $100,000 from his award-winning high school programming project – Limitless Logger.

It was researchers at Trend Micro who tipped off the FBI to Shames’ exploits, in both senses of the word. They had been tracking Mephobia, the alias distributing Limitless Logger to over 16,000 PCs, for some time.

According to available information, Shames didn’t make many huge errors for a long time, but the diligent cybercrime investigators scooped up small nuggets of information to weave a much larger picture.

Over time, Trend pieced together small details divulged by Shames while using his Mephobia alias to tie him to PayPal, Skype, GitHub, and other accounts.

However, the killer blow came after he included his real name in various forum posts using the Mephobia alias. From there, the name was then used to unearth other accounts linked to Shames, which in turn were linked to Mephobia accounts. He pleaded guilty to aiding and abetting computer intrusions in 2017.

Alexandre Cazes

Like others in this list, the Canadian co-founder of AlphaBay, which in its heyday was the largest dark web drug marketplace of its kind, was typically sound when it came to opsec, but one alleged early failing may have led to his capture.

Cazes was arrested at his Phuket home in 2017 after investigators got hold of a message sent to new AlphaBay users in 2014 which contained his personal email address. 

That message was displayed to new registrants and in password reset emails for a brief time, likely before a formal investigation into AlphaBay began. Given this was the only indicator of the co-founder’s identity, it marked a huge breakthrough in the FBI’s case.

From there, they found other accounts linked to the same email address and ultimately Cazes’ real identity.

He was arrested in 2017, and an examination of an open laptop at his residence found keys to AlphaBay and its admin portal. Cazes died while in custody shortly after being detained.

Ross Ulbricht/Dread Pirate Roberts

Finishing off the list is fellow dark web drug lord Ross Ulbricht, who was kindly pardoned by President Trump earlier this year after being sentenced to life in 2015 and can now be seen on social media making the most of his newfound freedom.

Ulbricht ran Silk Road, the first major drug marketplace of its kind, and while his opsec failings were more basic than those of his peers, they led to the arrest of arguably the US’ most high-profile cybercriminal. We simply could not exclude him.

One of the funnier examples of terrible opsec in the court documents was the claim he’d asked a question on Stack Overflow about a PHP problem he was encountering, including details that led the more technical among the crowd to link the post to Ulbricht and the Silk Road.

The question remains live on the forum now, although the comments from sharp-eyed users who linked it to Ulbricht were removed.

Ulbricht also made various other mistakes, including advertising Silk Road on clearweb forums using either his real name or aliases that could easily be linked back to him, and hinting at his Silk Road affiliation with clues in his LinkedIn profile. ®