Thousands of cyber victims around the world, say RCMP after Canadian charged in malware investigation

There could be thousands of malware victims in multiple countries say RCMP after they charged software developer and former IT professional John Paul Revesz on Nov. 8 under Section 342.1 of the Criminal Code – a vague hybrid offence for unauthorized use of a computer.

RCMP’s National Division Cybercrime Investigative Team aren’t saying much about Revesz except that they believe he orchestrated an “international malware scheme under the company name ‘Orcus Technologies'” following an investigation that spanned more than three years.

“This case highlights the importance of partnerships with law enforcement agencies and private sector organizations,” said the RCMP in a press release that noted police initiated their investigation in July 2016 “after reports of a significant amount of computers… infected with a ‘Remote Access Trojan’ type of virus.”

RCMP did not respond to The Post Millennial‘s queries, in particular if any additional charges were expected and what took them so long to track down Revesz, after a July 21, 2016 article by former Washington Post reporter Brian Krebs essentially outed the alleged perp.

According to Krebs’ story, he was tipped off by cyber security consultant Daniel Gallagher after a Twitter battle with Revesz, involving other malware researchers on ethics and legalities of peddling an application that gave users the ability to take control of another computer, then coaching clients how to use it.

In what’s left of the Twitter thread – John Paul Revesz’ purported allias Ciriis mcGraw has since deleted his side of the conversation – some humour belies the seriousness of Revesz’ alleged activities.

“Can you give me an example where disabling a user’s webcam light might be acceptable use?” asks Gallager sarcastically in the thread.

Another writes: “As we know all legitimate software vendors sell on hackforums”.

Like others in the security business, Gallagher is not anxious for publicity, at least beyond his Twitter following and like the RCMP, did not respond to TPM‘s queries for this story.

With the cloak-and-dagger, shroud of mystery surrounding this oddball case, TPM reached out to the accused Revesz, who obliged.

In a lengthy Facebook conversation with Revesz, he marks the Twitter debate with Gallager et al. as ground zero for two events: shoring up protocols on Orcus to protect user and client, thereby bolstering the software’s legitimacy, and Krebs for sparking the entire investigation by running to the Federal Bureau of Investigation.

“I can tell you exactly how this started: Twitter argument (with Gallagher et al.), they contact Krebs, who in turn contacted the FBI. The FBI contact the RCMP, and that’s how this all started,” claimed Revesz.

Revesz also said he was just the marketing side of the Orcus application business, based on “software” that was “solely developed” by a business partner Revesz declined to name.

Revesz told TPM that he imagined such an idea while working as a Systems administrator for TD Bank, a job he held more than 10 years ago.

“Orcus was for legal, legitimate Systems administrators to easily access and manage their client computers within their network,” said Revesz.

The Torontonian said he plans to fight the charges and that he doesn’t expect any additional charges, despite the hybrid nature of the criminal code offence.

“It comes down to Legal definition. Was Orcus a Remote Administrative Tool, or a Trojan? And secondly, where is the line drawn from legal software, to malware?” said Revesz who compared Orcus to a brick.

“If I pick up a brick and bludgeon someone with it, who is at fault? The brick maker or me for misusing the brick?”

Krebs, who publishes on his eponymous KrebsOnSecurity.com, told TPM that malware of the sort Revesz peddles is traded in online Hacker forums, and dismissed the claim he went to the FBI.

“Anything you want to know is in my stories… I’m not sure there is more I can say about this guy.”

According to Krebs’ latest story on the charge against Revesz, Australian police executed their search warrants coinciding with RCMP warrant on Revesz, in March of 2019.

“Several former customers of (Revesz) took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware,” writes Krebs.

“‘I got raided [and] within the first 5 minutes they mention Orcus to me,’ complained one customer.”

In a brief interview with TPM, Krebs said typical Orcus clients are individuals, and as he reported in July of 2016, such applications are being created by those who “think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise.”

The cyber security journalist called Revesz’ brick-argument “pretty weak” and likened Orcus business model to selling lock picks then “supporting thieves who are having trouble using them to steal stuff.”

“I can’t take credit for that, but I thought it was pretty funny,” Krebs said of a description he read on social media.

In the July 5 Twitter thread that Revesz cages as seminal to his current legal woes, Malware Tech, aka Marcus Hitchens, makes a similar argument.

And like lock picks, Krebs said Orcus-type malware “isn’t terribly sophisticated in terms of the programming that goes into them, but the functionality of them can be extraordinarily sophisticated.”

“The point is, once you get something like this on a machine, you can control it and do what (the computer owner) can do.”

Other cases involving section 342.1 of the Criminal Code–unauthorized use of computers–indicate its broad application.

Most recently, it formed part of espionage charges against RCMP Cameron Ortis. It’s also been used to prosecute people who use computers or mobile devices to lure children, as well as election tampering cases involving robocalls that provided voters incorrect or deceiving information.