In the spring of 2009, a college student named Amy received an instant message from someone claiming to know her. Certainly, the person knew something about her—he was able to supply details about what her bedroom looked like and he had, improbably, nude photos of Amy. He sent the photos to her and asked her to have "Web sex" with him.

Instead, Amy contacted her boyfriend Dave, who had been storing the naked photos on his own computer. (Note: victim names have been changed in this story). The two students exchanged instant messages about Amy's apparent stalker, trying to figure out what had happened. Soon after the exchange, each received a separate threat from the man. He knew what they had just chatted about, he warned, and they were not to take their story to anyone, including the police.


Amy, terrified by her stalker's eerie knowledge, contacted campus police. Officers were dispatched to her room, where they took down Amy's story and asked her questions about the incident. Soon after, Dave received more threats from the stalker because Amy had gone to the police—and the stalker knew exactly what she had said to them.

Small wonder that, when the FBI later interviewed Amy about the case, she was "visibly upset and shaking during parts of the interview and had to stop at points to control her emotions and stop herself from crying." So afraid was Amy for her own safety that she did not leave her dorm room for a full week after the threats.

As for Dave, he suffered increased fear, anxiety, confusion, and anger; he later told a court that even his parents "had a hard time trusting anyone or even feeling comfortable enough to use a computer" after the episode.

Due in large part to the stress of the attack, Dave and Amy broke up.

But who had the mysterious stalker been? And how did he have access both to the contents of Dave's computer and to private discussions with police that Amy conducted in the privacy of her own room?

Why is my webcam light on?

The bizarre case wasn't an isolated incident. Around the same time, a Los Angeles area juvenile named Sara received an instant message from a screen name that looked almost identical to her boyfriend's. The person behind it asked her for pornographic photos; she supplied them. She soon realized her mistake, but it was too late. Threats began to roll in, saying that her mysterious interlocutor would post Sara's nude photos on the Internet if she did not send more. When Sara e-mailed copies of these threats to her boyfriend, the stalker knew. He even called her on the phone to make the threats more personal.

"For the longest time I didn't know who this man was, why he was doing it or [if] he would come back," Sara later wrote in a victim impact statement. "Not knowing is the worst, most dreaded feeling. It's always in the back of your mind. I moved away from the LA/OC [Los Angeles/Orange County] area but even here the thoughts never left me."

In another case, a woman named Gloria received an e-mail with the subject line "who hacked your account READ it!!!" from someone who claimed to have invaded her machine. Why? The hacker said it was because Gloria's ex-boyfriend had hired him to do so—a "particularly traumatic" move, as the government later noted, because Gloria had actually taken out a restraining order against her ex-boyfriend, who had been harassing her. Gloria didn't reply to the e-mail and soon received another, this time containing a nude picture of her and promising to post it across the Internet if Gloria didn't do as he wished.

It was one of the few cases where the stalker acted on his warning. After Gloria sent copies of these threats to a friend of hers, the stalker somehow knew about it and told her, “you pissed me off now I'm going to show you.” Her nude photo was posted to MySpace—appearing on the account of the friend to whom Gloria had shown the stalker's threats.

The cases grew stranger. A 17-year-old girl was online when she received an instant message from her sister—but her sister was in the next room and not using a computer. Various women reported that the lights on their laptop webcams would pop on at times when the cameras weren't in use; one woman was so unnerved by the behavior that she covered her own computer's camera with a sticker to make sure no one was spying on her.

But someone had been, and he went after so many people that Glendale, California police finally realized a broader pattern was emerging in their area. The FBI investigated and on March 8, 2010, after six months of investigations and interviews, obtained a federal search warrant for a small, neat home on Monica Lane in Santa Ana. Two days later, the feds descended, looking for their man.

Meet Guicho

Inside the home, they found 32-year-old Luis "Guicho" Mijangos sitting in a wheelchair. Mijangos was an illegal alien and a paraplegic who hadn't walked since he was around 17, when a drive-by gunshot wound paralyzed him from the waist down. He grew up—unhappily, in his telling—in Mexico, where his father was "harassed" and later died. After the death, Mijangos' mother took her son to the US and eventually remarried.

Despite his injuries, Mijangos had prospects. He had taken computer classes at Orange Coast College in Costa Mesa and become proficient in Java, C++, and Web design. He set up a home-based Web and computer consulting business and told investigators that he was clearing a respectable $1,000 per week.

But when the FBI showed up with a search warrant, Mijangos quickly admitted to much more. He worked with a few “black hat” hackers, he said, helping them transfer money and make use of stolen credit cards. He claimed that his criminal role was deliberately kept minor “because it meant that he would face less trouble from the police,” according to the account of the FBI Special Agent who interviewed him.

Agents had doubts about the scope of this initial account. Mijangos admitted that he did sometimes hack into other people's computers. A favorite trick was seeding peer-to-peer networks with popular-sounding song titles that were actually malware; when someone downloaded and executed the file, their machine was infected and would open itself to Mijangos's control. He claimed to have done this only five times.

And when it came to the crazy stalker-style behavior that so many women (and some men) had reported, Mijangos said his work was being misconstrued. Instead of “sextorting” his victims, Mijangos said he “hacked into female victim accounts at the request of boyfriends and husbands to determine whether the female victims were cheating on their boyfriends or husbands,” according to an FBI account. “Mijangos said he was supposed to be paid for this conduct but was not.

"Mijangos acknowledged he threatened to expose these pictures, and reckoned the threats might look like extortion, but stated that he did so to discourage anyone from contacting the authorities. Mijangos also acknowledged he asked for additional sexual videos but only to determine whether they would actually do it.”

It didn't take long to punch a hole in these claims. The FBI recovered four laptops, a BlackBerry, and a host of USB drives from Mijangos's home; a “filter team” scoured the devices for anything that fit the parameters of the search warrant. After vetting, such material was turned over to the FBI agents working the case, who learned that Mijangos had actually gone after 129 different computers for a total of 230 victims. Forty-four of the victims were juveniles.

The FBI found different kinds of malware on the computers, including tools to install a key logger on remote machines, software to turn on webcams and microphones attached to infected computers, and "dozens of videos" from those webcams, most showing the victims "getting out of the shower, dressing for the day, having sex with a partner."

In a file called "things importan" [sic], the FBI even found screen captures from victim machines showing identifying information about them displayed on bank and financial websites.

On June 17, 2010, the FBI Cyber Squad operating out of Los Angeles swore out an arrest warrant against Mijangos. Five days later, Mijangos was arrested at 6:10 am and charged with felony extortion.

Sextortion

After his arrest, Mijangos later admitted that he made up to $3,000 a day performing "complicated financial hacks" with others. He hung around in online hacker forums like "CC Power," learned how to use malware tools like Poison Ivy and SpyNet to gain entry to other machines, and used "crypter" software to hide his work from anti-virus and security programs.

Some of the hacks simply targeted individuals, slipping the initial malware onto their machines through P2P networks. Once he had control, Mijangos's malware contacted mijangos.no-ip.org, a service that obscured his own domain name while giving his malware a persistent location for phoning home. When contact was made, Mijangos could download additional code like keyloggers to the infected machines, and it was a simple matter to grab and misuse people's credit cards after that.

But the truly odd "sextortion" behavior was Mijangos's calling card. Indeed, as the government later put it, he "dedicated considerable time to toying with victims." If he obtained access to a woman's computer, he searched for incriminating photos and video—or accessed the webcam and tried to take some of his own. If he obtained access to a man's computer, he instead impersonated the male and reached out to the man's girlfriend to ask for nude photos. With photos in hand, Mijangos would approach the women and threaten to post the picture publicly unless they sent additional nude videos of themselves. Some women did so.

He then spent considerable time monitoring people's communications. In the case of his most spectacular hacks, Mijangos could watch the instant messaging and e-mail communications of both a boyfriend and girlfriend, and could even listen in to conversations made over the phone or in person with police by using the computer's built-in microphone. The omniscient effect this created tended to terrify victims; one said later that she felt like her life had been taken from her.

On March 21, 2011, Mijangos reached a plea deal with the government and copped to two felony charges, computer hacking and wiretapping. The deal required that, whenever he might leave prison, Mijangos would report all computer use, online accounts, and passwords to his probation officer, and "shall not hide or encrypt files or data without prior approval."

On September 1, federal judge George King sentenced Mijangos to 72 months in prison for his “psychological warfare” and "sustained effort to terrorize victims."

“The FBI has seen a rise in similar cases based on the exploitation of emerging technologies by criminals," said Steven Martinez, Assistant Director in Charge of the FBI’s Los Angeles Field Office, in a statement after the sentencing, "and it’s my hope that this sentence serves as a warning for victims of Internet predators to advise law enforcement or a trusted source when threatened, and always refrain from sending compromising photographs via cyberspace."

But people just won't refrain, as illustrated by the rise of "sextortion" cases across the country. In one of the most memorable, a male high school student just outside of Milwaukee, Wisconsin, conned numerous male classmates into sending him nude pictures of themselves, then demanded that some engage in sex acts with him to keep the pictures from coming out.

Citing a few more recent examples, an August Associated Press story claimed that sextortion is on the rise in the US, and the government has taken to using the term in its criminal filings.

Without nude pictures and compromising videos, the attackers in such cases have no leverage—but digital devices have made it so easy to point, shoot, and share that everyone involved in the Mijangos hacks already had such pictures, and didn't appear to have hidden or secured them. With pictures that common, but taboos against their public distribution still strong, sextortion will certainly continue. But at least Luis Mijangos won't be doing it.

Photo illustration by Aurich Lawson