Romanian hacker Guccifer became infamous for kicking off the Hillary Clinton email scandal, but he has been convicted of crimes unrelated to that act.
Guccifer, aka Marcel Lehel Lazar, was extradited from Romania and pleaded guilty in May to charges, including unauthorized access to a protected computer and aggravated identity theft. Lazar was sentenced on Thursday to 52 months in prison by a federal court in Alexandria, Va.
It is believed Lazar hacked into email accounts of approximately 100 victims between 2012 and 2014, including prominent figures, such as former Secretary of State Colin Powell, Jim Nantz from CBS Sports and Sidney Blumenthal, a former political aide to Bill Clinton and unofficial adviser to Hillary Clinton.
Lazar originally made a name for himself as Guccifer by leaking memos from Blumenthal to Hillary Clinton's personal email account, thereby exposing Clinton's inappropriate use of personal servers during her time as secretary of state. Lazar also inspired the name of Guccifer 2.0, who has taken credit for the hacks of the Democratic National Committee. However, federal prosecutors were not able to confirm Lazar had compromised Clinton's servers.
Ian Gray, cyberintelligence analyst for Flashpoint, based in New York, said the lack of evidence doesn't mesh with Lazar's admission of guilt.
"While it is interesting that there was no evidence that Guccifer hacked Hillary Clinton's server, it is a factor in Guccifer's claim to fame. It appears that Guccifer, a seemingly lone Romanian actor, has little to benefit from admitting to hacking into Clinton's server," Gray told SearchSecurity. "Even if he was trying to increase the credibility of his persona Guccifer, Lazar still faces significant jail time. Further, it seems peculiar that he would claim credit for a crime that he did not commit."
Ryan O'Leary, vice president of the Threat Research Center for WhiteHat Security, based in Santa Clara, Calif., said Lazar's other crimes are still worthy of punishment.
"Whether or not he was able to gain access to Hillary Clinton's email account is somewhat irrelevant, as he was found guilty on a multitude of other online attacks and fraud," O'Leary told SearchSecurity. "He victimized hundreds of individuals who now have to live with the consequences of having your private data exposed and your identity stolen."
Federal prosecutors sought the maximum penalty for Lazar of 52 months and said in a court filing, "The extent of the harm caused by [the] defendant's conduct is incalculable." Assistant U.S. Attorney Maya Song said the maximum punishment "would also help address any false perception that unauthorized access of a computer is ever justified or rationalized as the cost of living in a wired society -- or even worse, a crime to be celebrated."
U.S. District Judge James Cacheris said he imposed the maximum sentence in hopes of deterring future attacks. "This epidemic must stop," Cacheris said.
O'Leary said the 52-month sentence for Lazar "shows how stern the country has become toward cybercrime."
"It's a serious crime that should be discouraged as much as possible. Cybercriminals are typically not remorseful for their crime, which is the case for Lazar," O'Leary said. "When he is released, it's likely he'll go right back to hacking, which is why the maximum allowable punishment is needed to keep these kinds of criminals away from a computer and away from victimizing anyone else."