Lewys Martin
Lewys Martin

A 22-year-old hacker has been jailed for blackmail, after demanding over £200,000 in bitcoins from Halifax Bank to stop him releasing the financial details of 28,000 customers he had stolen through phishing attacks.

Lewys Martin was jailed for four years and two months at Southwark Crown Court on Friday, after pleading guilty to blackmail, the possession of phishing malware and 740,000 email addresses, and an unrelated offence of possessing indecent images of children. He was also handed a five-year Sexual Offences Prevention Order.

His sentencing comes just as the government's police watchdog - Her Majesty's Chief Inspector of Constabulary (HMCIC) Tom Winsor – released a damning report that accuses the police of failing to keep pace with cyber-crime.

Martin was caught after a lengthy investigation by the Met Police Cyber Crime Unit, now part of the Falcon cyber and fraud team. It dates back to May 2013 when his blackmail attempt was first reported by Halifax Bank - now owned by Lloyds, and The Sun, the newspaper to whom he had threatened to sell the data.

It is believed he obtained the 28,000 credentials by sending phishing emails and links purporting to come from Halifax Bank, to dupe customers into providing their account data.

He was demanding one bitcoin for every 10 stolen accounts, or a total of 2,800 bitcoins then worth around £207,000. He even sent a sample of the phished bank accounts to show he was a genuine blackmailer.

And the fact that Martin had captured 740,000 credentials suggests he had successfully tricked the customers of many more organisations.

Halifax Bank confirmed that its own computer network was not breached, and reminded customers that it would never send an email, text or link asking for their internet banking or card details.

Martin used anonymising software to hide his identity, but he was eventually identified and arrested.

Police forensic experts examined a seized computer and phone and found evidence linking him to the blackmail.

They also found compromised personal banking information that could be used in a fraud, along with three malware-based phishing programs designed to steal personal details and data.

Detective Chief Inspector Jason Tunn of the Met Police Cyber Crime Unit said in a statement to journalists: "The MPS is determined to track down and prosecute cyber-criminals that seek to defraud businesses and residents of London. Martin was not able to defeat the bank's security systems but instead chose to target his phishing activity at retail customers.”

Despite this success, HMCIC Tom Winsor said in a report last week that the police are “behind the curve” in tackling cyber-crime, that every police officer – not just specialist units - now needs to understand technology, and the quality of leadership and management in this area is lacking.

His 2013/14 ‘State of Policing' report into the 43 police forces in England and Wales, who receive £13 billion annually, says: “The capabilities of the police need to improve if they are to get ahead of the curve of rapidly changing criminality.