A cybercriminal covered all his tracks—and then he verified his PayPal account

At the beginning of May, a San Francisco-based tech firm called Scale AI contacted the FBI after discovering its internal computer network had been compromised. Roughly $40,000 had been drained out of its accounts, $140 at a time.

The company, which processes code for autonomous vehicles, had been under attack for months, according to an FBI affidavit obtained by Quartz. The skillful thief used the actual password to get in and was diligent in covering his tracks, except for one small detail: He used his real phone number to verify his PayPal account.

• Why Norwegian Air is failing

Countless numbers of people and companies are victimized by cyber attacks each year. By some estimates, annual losses due to cybercrime could reach $6 trillion by 2021. And the US is the world’s top target. Law enforcement is under constant pressure to keep up with fast-changing technologies and the corresponding strategies hackers use to get past the latest safeguards and protections. Yet, with just about every aspect of modern life networked together in one way or another, it is extremely difficult to carry out a cybercrime today without leaving clues.

Milan Patel, a former top FBI cybercrime investigator, said those small mistakes are often what lead to an online intruder’s capture.

“Whether it’s verifying a PayPal account, or that one time where their VPN wasn’t working and they decided to use their regular IP address at home, there’s always some little thing that catches them up,” Patel, now retired and working in the private cybersecurity sector, told Quartz. “There are so many artifacts left behind in a digital heist.”

• The two best Spider-Man movies were made without Disney’s involvement

Patel said that every cybercriminal has a real life outside of what they’re doing online. “It’s only a matter of time before you connect their underground life to their real life to figure out who they are,” he said.

The first theft from Scale AI occurred in early 2019, when someone went into its back-end database and began diverting legitimate payments to an anonymous PayPal account linked to a fake name. About 100 such deposits, for $140 each, were made during this period. The account was linked to “Bruno.Day.1988@outlook.com,” and the intrusions had come from an IP address that resolved to a location in Thailand.

Although Scale AI tightened its security protocols following the incident, whitelisting known IP addresses and restricting others, a second set of intrusions occurred a short time later. This time the intruder managed to alter 30 bonus payments of $140 each, once again funneling them to a PayPal account maintained by “Bruno Day.”

At the end of June, Scale AI was hit again. Approximately $15,000 in bonus payments were siphoned off during this latest intrusion, but these went to a different PayPal account, one linked to “dragonball844@outlook.com.”

That’s when the FBI dug into PayPal’s logs and transaction history for both accounts. Between February and June, the one registered to “Bruno Day” had received more than 190 payments from Scale AI, for a total of more than $26,000. The name was fake, and didn’t provide any answers. The second one, linked to dragonball844, received more than 70 payments from Scale AI for more than $13,000. Dragonball844 had been created under an innocent Scale AI employee’s name, the company told Quartz, explaining that the staffer was fully cleared after being interviewed by investigators.

A heavily redacted complaint filed in federal court says an internal investigation by Scale AI revealed the simultaneous “destruction of payment database logs.” On top of that, whoever did it again used a VPN to access the system from Thailand.

But both of the PayPal accounts had been recently set up, and verified around the time of the thefts with the same mobile phone number. The FBI traced the number back to Shariq Shahab Hashme, a 25-year-old computer engineer who, it turns out, worked for Scale AI. Compounding the problem for Hashme, the PayPal accounts were linked to two Bank of America accounts, one in Hashme’s name, that had both been accessed from IP addresses in Thailand around the time of the hacking incidents.

Scale AI is a Silicon Valley “unicorn.” The company was founded by Alex Wang, a former engineer at Quora, and has raised more than $120 million in funding with investments from top-tier venture capital firms such as Y Combinator and individual investments from, among others, Dropbox founder Drew Houston and Twitch founder Justin Kan.

Hashme, who is a UK citizen, had to leave the US when his work visa expired in April, according to court filings. Hashme continued working for the company as a contractor from abroad. On Aug. 7, the FBI got a tip that Hashme would soon be flying back to the US. He was arrested after touching down at San Francisco International Airport on Aug. 10.

“Scale AI has been cooperating with authorities in the investigation and arrest of a former employee,” a company spokesperson told Quartz. “This individual has been terminated from Scale. Since this is a confidential employee matter, Scale cannot discuss or provide further details, however, we can confirm that customer data and employee safety have not been at risk.”

This article has been updated with additional information about the alias accounts allegedly used by Hashme.

Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.

More stories from Quartz:

• The US proves Russia right with its first post-treaty missile launch

• Good luck trying to Google the devastating Amazon rainforest fires