Capital One Hacker Found Guilty of Crypto Scam

U.S. Attorney Nick Brown announced today that a 36-year-old former Seattle IT worker was found guilty of seven federal charges related to her conspiracy to hack into cloud computer data storage accounts and steal data and computer power for her own advantage. Paige A. Thompson, also known as ‘erratic,’ was arrested in July 2019 after the FBI received a tip about Thompson’s hacking activity from Capital One. Following the seven-day jury trial, the jury deliberated for ten hours. On September 15, 2022, Thompson will be sentenced by U.S. District Judge Robert S. Lasnik.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” said U.S. Attorney Nick Brown. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

Thompson was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.

Prosecutors cited Thompson’s own words in text messages and online conversations to show how she used a tool she had created to search Amazon Web Services accounts for misconfigured ones. She then used those compromised accounts to hack in and download the data of over 30 businesses, including Capital One bank. Using part of her unlawful access, she put cryptocurrency mining software on new servers, with the profits flowing to her online wallet. Thompson spent hundreds of hours working on her strategy and bragging about it to others via text and online forums.

“She wanted data, she wanted money, and she wanted to brag,” Assistant United States Attorney Andrew Friedman said in closing arguments. 

The intrusion into Capital One accounts impacted more than 100 million U.S. customers. The company was fined $80 million and settled customer lawsuits for $190 million.

Wire fraud carries a maximum sentence of 20 years in prison. Accessing a protected computer without permission and causing damage to a protected computer are both punishable by up to five years in prison. Judge Lasnik will determine the final sentence based on the sentencing guidelines and other statutory factors.

In interviews with The Associated Press following her arrest, friends and associates described Thompson as a skilled programmer and software architect whose career and behavior — oversharing in chat groups, frequent profanity, expressions of gender-identity distress, and emotional ups and downs — mirrored her online handle.

At one point, two former roommates obtained a protection order against her, saying she had been stalking and harassing them.

Thompson joined Amazon in 2015 to work at Amazon Web Services, a division that hosted the Capital One data she accessed. She left that job the next year.