FBI: MSP Engineer Arrested In Attempt To Sell Access To Clients

“I have admin access to the hosting panel, passwords for each client is provided and you’ll access them through RDP. Their client list is sort of extensive I’m asking for $600 BTC,” said Marquavious Britt in a post on Torum using his online alter ego “w0zniak,” the FBI charged.

An MSP employee was arrested last month for trying to sell information that would allow hackers to take-over the cloud servers of Atlanta-based Chimera Technologies, according to federal court records.

“I’m selling access to an MSP,” Marquavious D. Britt allegedly wrote as “w0zniak” in a post to Torum, a dark web forum popular with hackers, on Sept. 30, 2019, according to court records. He boasted that he had access to Chimera’s virtual private servers, which included customers such as law offices, accountants, and a pharmaceutical company.

Britt, 26, of Augusta, Ga., a former systems engineer at Chimera, is charged with two separate counts of computer fraud after federal agents did a controlled buy from Britt’s online alter-ego, “w0zniak.” He was released on $15,000 unsecured bond and ordered placed on GPS monitoring and confined to his home on Jan. 22.

[RELATED: How Alleged Dark Web Hacker ‘w0zniak’ ‘Tried To Put’ MSP Chimera Out Of Business]

Attempts to reach Britt through his lawyer were unsuccessful. Reached this morning, attorney Holly Chapman said she represented Britt at his appearance but is no longer representing him. She said his counsel would likely be assigned by the Northern District court where his case was transferred. No attorney has yet been assigned according to paperwork there.

The U.S. Attorney's Office for Georgia's Northern District had no comment outside of the court filings.

According to the FBI’s affidavit, Britt was hired by Chimera on May 6 and let go on June 24. In court records he is described as a “disgruntled” employee, though he worked at the company for only six weeks. Chimera provides IT support, mobile application development, website development, and software support to its clients, the FBI said.

“He literally tried to put us out of business,” said Raymond Alexander, Britt’s former boss and co-owner of Chimera, which is also affiliated with Chimera Innovations LLC, in an interview with CRN.

An automated dark web scanner created by Datto first alerted channel security researchers to w0zniack’s post.

“I have admin access to the hosting panel, passwords for each client is provided and you’ll access them through RDP,” he allegedly wrote. “Their client list is sort of extensive with about 20 in total, notably several law offices, accounting firms, food industry company, and a pharmaceutical company, job staffing company, etc. I’m asking for $600 BTC … I can provide photos if requested.”

W0zniak’s undoing came in part as a result of a close collaboration between MSP vendors Huntress Labs, Datto and ConnectWise to discover the identity of the at-risk MSP after finding the dark web posting.

After a series of back and forth chats on encrypted lines, w0zniak sent the group a screen shot of the compromised virtual private server. That picture included some of the MSP’s customer names which enabled them to identify Chimera as the victim. The companies reported their findings to the FBI, which took it from there.

“An FBI confidential source responded to the post, and expressed interest in purchasing the MSP access,” the FBI said. “In response, w0zniak emailed the [confidential witness] a screenshot of the Vultr administrator panel. The [witness] and w0zniak then negotiated a price of $450.00, and the [witness] sent 0.05254621 Bitcoin to w0zniak’s Coinbase wallet.”

From there FBI agents subpoenaed the Coinbase account w0zniak used and found it had several ties to Britt. It was created in his name, using a photocopy of his driver’s license, his correct date of birth, social security number, and it was linked to a PayPal account set up in Britt’s name, as well as a Chase account belonging to Britt. Additionally, Britt used the “_w0z” moniker in his Twitter and Instagram handles.

“He was smart at technology, but he was dumb at criminal activity,” Alexander said. “I really told him that in a text. Like ‘Are you really that dumb? Everybody cannot be a criminal.’”