
Case: 1:14-cr-00318 Document #: 113 Filed: 10/11/16 Page 1 of 20 PageID #:363

UNITED STATES DISTRICT COURT


NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
UNITED STATES OF AMERICA
v.
TIMOTHY FRENCH


No. 14 CR 318
Hon. Gary Feinerman

GOVERNMENT'S SENTENCING MEMORANDUM


The UNITED STATES OF AMERICA, by its attorney, ZACHARY T.
FARDON, United States Attorney for the Northern District of Illinois, hereby
submits its sentencing memorandum for defendant Timothy French.
Introduction
For years, defendant Timothy French engaged in a destructive hacking spree
that harmed scores of businesses, non-profits, and governments, causing
significant financial losses and invading the privacy of thousands of
individuals. The defendant most recently used his technical skills on behalf of
the hacking group NullCrew. His aim was to wreak havoc on his victims, breaking
into their computer systems, stealing their data, and dumping online sensitive
personal information of thousands of individuals, all the while taunting his
victims through carefully crafted press releases. These were sophisticated,
high-profile cyber-attacks, through which the defendant rose to prominence. It
all came to an end, however, following the FBI's exhaustive investigation.

The defendant will now face justice for his years of hacking, and he has
earned a guidelines sentence in this case given the seriousness of his crimes,
his history and characteristics, including a previous run-in with the FBI for
the same type of crime, and the need to send a message to other cybercriminals
that they will face severe punishment.
Factual Background
A. Defendant's Hacking with Net-Bashers and TeamPoison (TeaMp0isoN) and the
FBI's Search of His Residence

Long before NullCrew was launched, the defendant was working on behalf of
hacking groups "Net-Bashers" and "TeamPoison" (or "TeaMp0isoN"), the latter of
which in 2011 and 2012 carried out several high-profile cyber-attacks against
the United Nations, NASA, NATO, and several other large corporations and
government entities. The defendant operated under the name "Corps3" and
"Corps3_TP." [1]

When the defendant's cyber-attacks on behalf of TeamPoison were traced
back to his family residence, FBI agents obtained a search warrant, which they
executed on December 22, 2011. The defendant, seventeen at the time, was
confronted by FBI agents and admitted to hacking on behalf of TeamPoison,
including the computer servers of a foreign government. The defendant stated
that he had been involved in hacking and with the hacking community for
approximately four years. He also admitted his involvement in the use of a
botnet (i.e., a network of compromised computers) to carry out cyber-attacks.

The defendant's confrontation with the FBI had little impact on him. As the
defendant later wrote, "I remember when [another hacker] tried to say I was
defending my crimes I commited [2] for TeaMp0isoN. LOL [Laugh out loud]. Im not
sorry for anything Ive hacked."

[1] TeamPoison largely disbanded in 2012 following the arrests of two of its
members.
B. The Defendant's Hacking on Behalf of NullCrew

Even though TeamPoison faded away with the charges against some of its
members, the defendant avoided arrest and his hacking continued unabated. He
went on to become a prolific and technically skilled hacker who, operating on behalf
of a new group named NullCrew, attacked a series of businesses, universities, and
government entities in the United States and throughout the world.
To do so, defendant and other members of NullCrew (such as Individual A)
identified vulnerabilities in victims' computer systems for the purpose of
hacking those systems. They shared those vulnerabilities with each other and,
thereafter, coordinated their efforts to exploit those vulnerabilities to break
in and steal confidential information, including encrypted and unencrypted
sensitive personal information for thousands of individuals.

Though the defendant was careful to use end-to-end encryption services when
communicating with fellow NullCrew members and other hackers, FBI agents were
able to recover from his computer some of those chats and they bring to light
the defendant's day-to-day efforts to find and exploit new victims. They also
reveal the defendant's utter disregard for the damage he was bringing about.

[2] The chats are reproduced here as they appeared in the chat logs; errors in
spelling and punctuation have not been corrected.

Take, for example, a series of chats the defendant had with a fellow hacker on
April 26, 2014. The defendant began by proposing that NullCrew go after more
sensitive targets ("My proposition was to hack servers that actually matter.
Something like, nsa satellites. traffic ICS / SCADA [Supervisory Control And
Data Acquisition]."). The defendant emphasized that he had many ideas for doing
so, given "[his] skills."

The defendant chatted about the universities he was attacking that day for
NullCrew's so-called "Schools Out" cyber-attack, starting with University A
("[University A] here I come. Again."). The defendant explained that the reason
he "hacked [University A] again" was that a buddy challenged him to break back
in. The defendant bragged about what he was stealing ("Jacking so much shit
from [University A] lol [laugh out loud]"), including Full names, Addresses,
Phone numbers, Usernames, Institution they belong to, Passwords, and Emails.

The defendant also talked about several other victims he was targeting that
day, e.g., that he was "[h]acking isreal isps [Internet Service Providers] just
for the fuck of it," "owning [University C]," and breaking into the computer
science server for University D. As the defendant said at one point, "Id be so
fucked if I got raided now . . . Hacking like five servers at once. Three
united nations based. . . . two universities."

To publicize these cyber-attacks, defendant and Individual A maintained
Twitter accounts, including @NullCrew_FTS and @OfficialNull, which they used to
announce their attacks, ridicule their victims, and publicly disclose
confidential information they had stolen through their cyber-attacks. The
defendant, Individual A, and other members of NullCrew hid their true
identities by using aliases when communicating with the public and with each
other. The defendant used the aliases "Orbit," "@Orbit_g1rl," "crysis,"
"rootcrysis," and "c0rps3." Below is an example from September 2, 2012 of the
defendant taunting his victim, saying "we're coming for you" two hours before
posting the stolen data:

Members of NullCrew, including the defendant, also hid their identity by
launching cyber-attacks from intermediary computer servers, either a virtual
private network or a compromised computer server. In late January 2014,
defendant and Individual A used a computer server in Naperville from which to
launch a cyber-attack against Company A, a large Canadian telecommunications
company. In particular, Individual A gave defendant a vulnerability to access
databases owned by Company A. Defendant and Individual A used those
vulnerabilities to attack Company A, with the assistance of a syntax provided
by a confidential witness who was working with the FBI. The defendant and
Individual A stole from Company A's databases the usernames and passwords for
over 12,000 of Company A's customers, intentionally causing damage to
Company A's computer servers.

On February 1, 2014, the defendant, through the Twitter account
@NullCrew_FTS, announced their computer attack against Company A. The
defendant wrote: "Whelp, lets start things off properly - nullcrew.org/[Company
A].txt . . . hacked by #NullCrew." The next day, the defendant published a link
to a website where he had published copies of database tables and credentials
for a computer server Company A rented from a third party. The materials on
that website included a section marked "tblCredentials," containing a list of
Company A customer credentials in the form of 12,000 account username and
password pairs.
The defendant, Individual A, and others, acting on behalf of NullCrew,
launched a number of similar cyber-attacks against other victims, including the
following identified in his plea declaration:

On October 23, 2012, defendant and others participated in a cyber-attack on,
and gained unauthorized access to, computer systems belonging to U.S. State A;

Between July 19, 2013, and May 28, 2014, defendant and Individual A
participated in a cyber-attack on, and gained unauthorized access to,
computer systems belonging to University A;

Between January 17, 2014, and April 15, 2014, Individual A gained
unauthorized access to computer systems belonging to Company B and
defendant compiled the data stolen from Company B;

Between January 23, 2014, and February 5, 2014, defendant and Individual A
participated in a cyber-attack on, and gained unauthorized access to,
computer systems belonging to Company C;

Between January 23, 2014, and April 15, 2014, defendant and Individual A
participated in a cyber-attack on, and gained unauthorized access to,
computer systems belonging to University B; and

Between April 2, 2014, and April 4, 2014, defendant and Individual A
participated in a cyber-attack on, and gained unauthorized access to,
computer systems belonging to Company D.

In addition to those examples, the defendant successfully attacked many
other victims. For example, on April 20, 2014, the defendant and Individual A
released stolen data from nine victims they hacked, including Company B and D
and University B. The release included stolen data from a video-game company, a
website associated with a U.S. state, a network solutions company, a credit
union (as the defendant wrote in a chat, "[victim] national credit union was
still vuln [vulnerable], so, pwned [hacked] it again and included it"), and two
international science organizations.

The April 20, 2014 release was the product of significant effort by the
defendant and Individual A. As the defendant wrote to Individual A, "Alright,
man; I set the date as 4-20 for a special. That means you and I need to work
our asses off to finish this thing up." As the day of the release approached,
the defendant sought to make sure the release would be massive.
Defendant: Three more days, I think one more target and well be good; lets
finish her up when you can bro.

Individual A: We can do [an international science organization]

Individual A: I dumped about 40,000 emails from them.

Defendant: Anything interesting? Also, you still around?

Defendant: Hit me up when youre around, need to get those emails so I can set
them up in this file we'll be uploading with the zine. Ripped a few users and
passwords to their project managers login from the email.

Defendant: Saved em, just waiting on you to send me the actual email archive
that way I can include it.

Hours later, the defendant reached out to a freelance journalist about the
upcoming release, stating: "Hope youre ready for over a gb [Gigabyte] of data
on 4/20 from 8-10 different high profiled targets." The journalist responded,
"clearing my schedule now :)." The defendant's post on April 20, 2014 likewise
taunted his victims. As the defendant wrote about University B:

For one of the international science organizations, the defendant not only
published stolen data, he published a screenshot of his access to the
webmaster's email account with the password having been changed:

The arrest of the defendant and Individual A stopped the release of
additional data they had already purloined. As referenced above, the defendant
and Individual A had hacked many universities, which they planned to release as
a "Schools Out" release, as well as several other victims. As referenced above,
online chats about those hacks and information stolen from those universities
were recovered from the defendant's computer.
Guidelines Calculation
The United States agrees with the probation officer's careful calculation of
the sentencing guidelines range as follows:

A. Loss Amount

The defendant's crimes resulted in a loss that exceeds $550,000, increasing
the offense 14 levels, pursuant to Guideline § 2B1.1(b)(1)(H). In estimating
the loss resulting from a defendant's violation of § 1030, one must include the
reasonable cost of any harm caused by his criminal conduct. Beyond the general
rules for calculating loss under the Guidelines, an additional comment expands
the definition of actual loss to include certain additional harms, whether or
not reasonably foreseeable, in cases brought under 18 U.S.C. § 1030, as here.
U.S.S.G. § 2B1.1, cmt. n.3(A)(v)(III). The commentary to the Guidelines states
that for such offenses:

    actual loss includes the following pecuniary harm, regardless of
    whether such pecuniary harm was reasonably foreseeable: any
    reasonable cost to the victim, including the cost of responding to an
    offense, conducting a damage assessment, and restoring the data,
    program, system, or information to its condition prior to the offense,
    and any revenue lost, cost incurred, or other damages incurred because
    of interruption of service. Id. (emphasis added).

As further described in the attached loss calculation chart (Exhibit B), the
government received information from some of the defendant's victims regarding
the losses they sustained responding to the incident, conducting a damage
assessment, restoring the system, and revenue lost.
Victim          Loss
University A    $9,985.00
University B    $16,000.00
Company A       $691,500.00
Company B       $2,360.00
Company C       $72,365.00
Total           $792,210.20

Based on the handful of victims who provided data regarding their loss, the
defendant's cyber-attacks caused in aggregate at least $792,000 in loss to
victim companies, universities, and government entities. Those costs include
responding to the computer intrusion, conducting damage assessments, and
restoring the computer systems.
B. Ten or More Victims

The defendant's offense involved ten or more victims, which generates a
2-level enhancement under § 2B1.1(b)(2)(A)(i). The defendant's numerous victims
include the samples of those identified by the defendant in his plea
declaration (University A and B, Company A, B, C, and D, and U.S. State A), as
well as the many others, including victims whose stolen data was released on
April 20, 2014 (e.g., U.S. State B, a network solutions company, a credit
union, and two international science organizations) and victims whose
information was hacked but not released before the defendant's arrest (such as
University C and D and a webhosting company).
C. Sophisticated Means

The defendant's offense and relevant conduct involved sophisticated means
and the defendant intentionally engaged in and caused the conduct constituting
sophisticated means, thus defendant's offense level is increased by 2 levels
pursuant to Guideline § 2B1.1(b)(10)(C). Specifically, the defendant's scheme
involved sophisticated hacking and significant tradecraft designed to make its
detection difficult:

The defendant relied on his exceptional knowledge about computers
and networks to plan and carry out sophisticated cyber-attacks against
major corporations, government agencies, and universities throughout
the world. Not only did the defendant manage to break into dozens of
victims' networks in a sophisticated manner, exploiting obscure
vulnerabilities using a variety of hacking tools, once inside the
networks the defendant was often able to escalate his privileges to an
administrator (thereby giving him root access to the entire network).
That enabled the defendant to move laterally within his victims'
computer networks and use his database skills to collect and exfiltrate
sensitive data from his victims, which the defendant released in a
manner that could not be traced to him.

The defendant also used sophisticated means in concealing his
prodigious hacking activity. First, the defendant used specialized,
invitation-only Virtual Private Networks and proxy servers when
hacking, thereby making it difficult, if not impossible, to trace the
cyber intrusions back to the defendant. As the defendant said in one
chat, "I NEVER hack from anything thats mine." Indeed, in a private
conversation with another individual recovered from the defendant's
computer, the defendant was discussing his so-called "opsec," a
reference to operational security. The defendant remarked: "Theres a
reason NC [NullCrew] has been around longer then most public
groups," referring to the fact that he made his hacking activity
extremely difficult to trace to him. Second, the defendant
communicated with his coconspirators through encrypted services that
do not maintain records (e.g., cryptocat).

D. Intent to Obtain Personal Information

The offense level is further increased two levels, pursuant to Guideline
§ 2B1.1(b)(17), because the defendant was convicted of an offense under 18
U.S.C. § 1030 and the offense involved the intent to obtain personal
information and the unauthorized public dissemination of personal information,
which is defined to include sensitive or private information involving an
identifiable individual, including email. The defendant frequently stole
private email correspondence (some of which were recovered from the defendant's
computer and which the defendant chatted about with others, e.g., "Did you
notice the mail files?") and released thousands of email addresses and account
information with the corresponding password, which likewise constitutes
sensitive or private information.
E. Offense Involves a Conviction Under § 1030(a)(5)(A)

The offense level is increased four levels because the offense involves a
conviction under 18 U.S.C. § 1030(a)(5)(A), pursuant to Guideline
§ 2B1.1(b)(18)(A)(ii).

Therefore, based on the facts now known to the government, the anticipated
offense level is 27, which, when combined with the anticipated criminal history
category of I, results in an anticipated advisory Sentencing Guidelines range
of 70 to 87 months' imprisonment, in addition to any supervised release, fine,
and restitution the Court may impose.
Section 3553(a) Factors
A. Nature and Circumstances of the Offense

The defendant played a central role in an extensive, deliberate, and
destructive hacking campaign that inflicted widespread and serious harm to
businesses, governments, non-profits, and thousands of individuals. That he
managed to carry out all of this online sabotage for years without being caught
(apart from the FBI's search warrant discussed below) speaks to the defendant's
skills and the effort he put into his crimes. These cyber-attacks were not the
product of a single, impulsive decision or an isolated incident. They were the
result of meticulous work the defendant undertook day in and day out for years.

It is worth emphasizing that much of the damage the defendant wrought
cannot even be quantified. Businesses, non-profits, and universities suffered
reputational damage when their private data was released and widely reported in
the press. Even the information the defendant divulged caused damage. He
disseminated online the usernames, email accounts, and passwords for thousands
of individuals, which not only violated their privacy and sense of online
security, it exposed them to financial fraud and identity theft.

As for the defendant's motivations, it is clear from the way he mocked his
victims publicly and in his private chats that he was driven by a malicious and
callous contempt for those with whom he disagreed. The defendant thought
himself above the law and that he could destroy others with impunity. The fact
that the defendant hacked without an apparent profit motive does not take away
from the seriousness of these crimes. After all, from the vantage point of his
victims, the defendant's particular motivations are largely irrelevant; what
matters is that their systems have been compromised and their sensitive and
private data have been released to the general public.
In the past few years, cybercrime has come to occupy our headlines, but the
defendant was ahead of his time, cutting his teeth as a teenager eight years
ago and steadily taking on more responsibility within three successive hacking
groups. Each new cyber-attack presented an opportunity for the defendant to
walk away, as many of his compatriots decided to do. But the defendant kept
doubling down, rising to become a well-known player in the hacking community.
The defendant thus has only himself to blame for the scope and scale of the
cyber-attacks he perpetrated.

At a broader level, cybercrimes of this scale and sophistication have emerged
as one of the gravest threats to our national economy. We now recognize that
those who use the internet to steal and destroy not only inflict financial harm
and violate privacy, they undermine the security and openness of the internet
itself and the innovations that sustain much of our nation's economy. These
crimes merit serious punishment.
B. History and Characteristics of the Defendant

Though the defendant has no criminal history, this case is not his first
run-in with the law. When he was seventeen years old, having already spent four
years in the hacking community, the defendant saw firsthand the gravity of his
crimes when his family home was searched as part of an FBI cybercrime
investigation. That confrontation with the FBI should have served as a wake-up
call. Instead, the defendant continued on the same path. Indeed, even after
charges in this case, the defendant repeatedly violated the conditions of
release imposed by this Court, all of which eventually left Magistrate Judge
Daniel Martin no choice but to revoke the defendant's bond.

The most prominent feature of the defendant's history and characteristics is
his life as an underground hacker, which by the defendant's own account dates
back to 2007. That track record likewise speaks to the need for a lengthy
sentence of imprisonment.
C. The Need to Promote Respect for the Law, to Afford Adequate Deterrence, and
Provide Just Punishment for the Offense

In December of 2011, rather than being led away in handcuffs, the defendant
was offered a second chance at leading a law-abiding life. Despite having been
cut a break, and rather than heed the FBI's warning, the defendant upped the
ante, proceeding on a far more destructive course and demonstrating a complete
disregard for the law. Leniency after the defendant engaged in such prodigious
hacking would not serve as just punishment. Nor would it adequately deter the
defendant and others. His unwillingness to stop hacking despite the FBI's
intervention, coupled with his inability to comply with conditions of release
in this case, undercut any assurance that he will somehow manage to abide by
the law after nearly a decade of law-breaking.

General deterrence should also play a significant role in this Court's
sentence. Through the defendant's relentless hacking, he rose to prominence and
his downfall has been followed in the press and within the hacking community.
This sentencing thus presents an opportunity to send a message that will be
received, a message that cybercriminals will face lengthy imprisonment. A
threat of serious punishment is even more important because hackers often get
away with these crimes undetected.

In sum, a sentence within the guidelines is appropriate and warranted
because of the seriousness of the defendant's crimes, the substantial harm he
caused, his history and characteristics, in particular his lengthy track
record, and the need for deterrence and just punishment.
Conditions of Supervised Release
The government requests that the Court impose a guidelines-range term of
supervised release of one to three years. The government further requests that
defendant be required to comply with the following mandatory conditions set
forth in 18 U.S.C. § 3583(d) and USSG § 5D1.3(a):

Not commit another federal, state or local offense.

Not unlawfully possess a controlled substance.

Submit to the collection of a DNA sample if the collection is authorized
by law.

Refrain from any unlawful use of a controlled substance and submit to one
drug test within 15 days on supervised release and periodic tests thereafter.

The government further recommends the following conditions because they
serve to facilitate supervision by the probation officer, support defendant's
rehabilitation and reintegration into the community, and promote deterrence and
protect the public:

Defendant shall make restitution to a victim of the offense under § 3556.

Defendant shall seek, and work conscientiously, at lawful employment
or pursue conscientiously a course of study or vocational training that
will equip the defendant for employment.

Defendant shall refrain from knowingly meeting or communicating
with any person whom the defendant knows to be engaged in criminal
activity.

Defendant shall refrain from excessive use of alcohol or any use of a
narcotic drug or other controlled substance, without a prescription by a
licensed medical practitioner.

Refrain from possessing a firearm, destructive device, or other
dangerous weapon.

Defendant shall participate, at the direction of the probation officer, in
a substance abuse treatment program, which may include urine
testing up to a maximum of 104 tests per year and shall participate, at
the direction of the probation officer, in a mental health treatment
program, which may include the use of prescription medications.

Defendant shall work in community service for 200 hours, as directed
by a probation officer.

Defendant shall not leave the judicial district without permission.

Defendant shall report to the probation office as directed.

Defendant shall permit the probation officer to visit the defendant at
home, and to confiscate any contraband in plain view of the officer.

Defendant shall notify the probation officer of changes in residence or
employment, and any arrest or questioning by a law enforcement
officer, within 72 hours.

Defendant shall truthfully answer inquiries by the probation officer
and follow the officer's instructions.

In light of financial obligations defendant may incur as a result of his
conviction in this matter as well as the ongoing need to protect the public and
to ensure that the probation officer can satisfy his or her duty to remain
informed about the defendant, as well as to support the defendant's
rehabilitation and reintegration into the community, the government concurs
with the PSR's recommendations that the Court impose the following special
conditions of supervision:

Defendant shall participate in an approved job skill-training program
at the direction of the probation officer within the first 60 days of
placement on supervision.

If unemployed after the first 60 days of supervision, or if unemployed for
60 days after termination or lay-off from employment, defendant shall
perform at least 20 hours of community service per week at the
direction of the probation officer until gainfully employed (the
community service shall not exceed 200 hours).

Defendant shall not incur new credit charges or open additional lines
of credit without the approval of a probation officer unless the
defendant is in compliance with the financial obligations imposed by
this judgment.

Defendant shall provide a probation officer with access to any
requested financial information necessary to monitor compliance with
conditions of supervised release.

Defendant shall notify the court of any material change in the
defendant's economic circumstances that might affect the defendant's
ability to pay restitution, fines, or special assessments.

Defendant shall pay any financial penalty that is imposed and remains
unpaid at the commencement of the term of probation. Defendant's
monthly payment schedule shall be an amount that is at least 10% of
the defendant's net monthly income, defined as income net of
reasonable expenses for basic necessities such as food, shelter, utilities,
insurance, and employment-related expenses.

Defendant shall not enter into any agreement to act as an informer or
special agent of a law enforcement agency without the permission of
the court.
Conclusion

For the foregoing reasons, the United States respectfully requests this Court
impose a sentence within the guidelines range of 70 to 87 months' imprisonment
and a three-year term of supervised release.
Respectfully submitted,
ZACHARY T. FARDON
United States Attorney
s/William E. Ridgway
WILLIAM E. RIDGWAY
Assistant U.S. Attorneys
219 South Dearborn St., Rm. 500
Chicago, Illinois 60604
(312) 353-5300
