back to article Teenage duo sentenced over credit card Ghostmarket

Two UK teenagers received sentences for repeated hack attacks that stole credit card data and took one online webhost offline. Zachary Woodham, 19, and Louis Tobenhouse, 18, pleaded guilty to the online offenses in late December, members of the Metropolitan Police Service's Police Central e-Crime Unit said on Monday. Using the …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Stiffer sentences required

    Hackers who steal credit card and personal data should get a mandatory 5 years minimum prison sentence. They ruin many peoples lives for decades.

    1. Graham Marsden
      Thumb Down

      @Stiffer sentences required...

      The Daily Mail forums are that way ---->

      1. MH Media

        Yeh but

        Let me ask you - how would you feel if you discovered that your credit card had been skimmed for £2,185? Or how about being laid off from your job while your employer rebuilt the business following a hacking attack?

        1. Anonymous Coward
          Anonymous Coward

          Yeh but yeh but

          Who said that wasnt horrific? What does that have to do with it?

          How about finding out your pension has lost £50,000 in value because a stockbroker made a bad decision? How about discovering your job ceases to exist because the funds to run it have gone to keeping the banks afloat? How about losing £30k on your house because the market has collapsed?

          Better still, how about knowing that with criminal convictions, it is likely to cost the taxpayer in excess of half a million to look after them rather than allow them to learn from their lessons and become productive citizens. (*)

          To address your two examples - credit card skimming is a nasty shock but the loss is the card companies (and the vendor who accepted the payment, not yours). In the second one, it seems that a business has CHOSEN to take a risk on what security to put in place and lost the bet.

          How would you feel if you were laid off from your job while your employer rebuilt the business following damage from heavy rain because he hadnt bothered to properly structure the building?

          This isnt in anyway absolving these two of any guilt - what they did was criminally wrong - it is just that "justice" is not served in this manner.


          (*) anyone who says that at 19 they should have learned everything is either 15 or a retard.

    2. Thomas 18


      They are 19 and its the first offence. I bet even a year in jail would make make them never commit another hacking offence as long as they live. Isn't that the purpose of jail after all to rehabilitate or is it to punish and spread fear amongst other hackers by making an example? might want to ask yourself that question.

      1. lIsRT

        all of the above

        I suppose there are multiple reasons for whatever action is carried out in response to a crime, ideally it should satisfy all of the following:

        1. personal deterrence (i.e. discouraging the perpetrator committing the crime again)

        2. preventing recidivism (making it *impossible* to commit the crime again, distinct from point 1)

        3. deterrence by example (i.e. discouraging everyone who finds out about it from committing the same crime)

        4. restitution/compensation (all damage done in committing the crime is repaired, all losses are returned, where not possible, alternatives such as financial compensation would be indicated)

        (probably more, but that'll do for now)

        Prison would:

        probably be OK for 1

        2, temporarily (or not, if there are computers for prisoners to use in prisons)

        3 - yes, probably

        4 - definitely not - it would be the opposite, as it puts everyone's taxes up slightly

        It would be good if judges had to show that any sentence satisfied all these criteria, although that's likely impossible.

      2. Elmer Phud

        other way to rob people

        "Isn't that the purpose of jail after all to rehabilitate or is it to punish and spread fear amongst other hackers by making an example?"

        Nope, it's for outfits like Group4 to make shedloads of money.

        It goes hand-in-hand with the Daily Wail's "Lock them all up" and the inhuman treatment of unwanted forriners -- there's a killing to be made in prisons (it starts with getting rid of staff).

    3. GrayFox
      Thumb Down

      Pretty immature statement

      Those are mostly 18-yo script-kiddies with no experience at life. The ones that should be punished are web developers that make such unsecured applications and take tonnes of money for them. Nowadays anyone can run fully automated scripts that extract credit card info using Google, the thing is those kids aren't fully aware of what they're actually doing.

      1. CmdrX3

        Not so much

        I don't think it's a pretty immature statement in the slightest. I think maybe the five years mentioned is a little extreme, but a mandatory two years, not so much. Would your view change if it was some chav who mugged an old lady and went on a spending spree with her cash and cards, or a teen burglar pilfering your TV's and laptops. Just because it's online doesn't make it a victimless crime and as mentioned, some people are affected for years.

      2. Anonymous Coward

        @Pretty immature statement


        Going by your logic, you should be jailed if you get mugged, because you didn't take self defence lessons.

        Or maybe if someone, kicks in your front door, steals your car keys, then you should be jailed becuase you didn't have an reinforced steel door, your keys were not in a safe and you didn't remove the f'ing battery from your car.

        They knew full well what they were doing.

        A 10 year ban from using computers and the internet would be a better punishment.

      3. Maxson

        Jesus Jones

        So if I leave my front door unlocked it should be legal to steal mine and other people's stuff, then I should be flogged for having my shit stolen?

        1. Just Thinking


          Broken analogy. If you were running a storage business and you left your door unlocked, and other peoples' stuff got stolen (that they had paid and trusted you to look after), then yes you would be culpable. So would the security consultant who advised you that an alarm wasn't necessary.

          None of this makes it legal to steal, or even mitigates it. When a crime is committed there isn't a fixed amount of blame that has to be shared out amongst those responsible. The thief is just as guilty whether or not those in charge of security did their job properly.

      4. The Fuzzy Wotnot


        WTF have you been smoking dude, 'cos I want some of that good sh*t?!

        Bollocks! They know full well that stealing is wrong, they even gloated about it on forums. They took credit card details and tried to sell them and you're painting them as paragon of virtue?

        Typical f**king liberal intelligencia telling us that every screwed-up little teenage thief is simply "misunderstood", bullshit! They broke into places they knew were supposed to be secure, they stole some very valuable commodities and then they had the f**king nerve to gloat about it to other screw-ups who'd listen! F**k me they even called themselves hackers, so they knew they had to break in to get the good stuff.

        I'm all for the 5 years inside suggested by the other poster above. We aren't just talking about a little mistake, tried to download some files and accidentally ended up with half a dozen credit card numbers.

        My 8 year old knows stealing is wrong, knows things like ripping off moves from the internet are wrong ( got the school lecture about copyright theft quoted verbatim the other day when I was caught ripping my own DVDs! ), so if a child 10 years younger that these two gets it, these two have no excuses.

        1. Anonymous Coward

          The Fuzzy Wotnot

          Love the "hang 'em all" rant but reality intrudes every now and then. Isnt it a shame we cant kill these small level criminals so the market is left wide open for the more organised corporate robbery.

          Who has tried to paint them as a paragon of virtue? In your binary existence is it "paragon" or "same sentence as a rapist" ?

          Stealing is wrong, yet 99% of people steal all the time. Cheating and lying are wrong yet we still do it.

          The *problem* with the youngsters is that they are too young and immature to realise the consequences of their actions. This is one of the reasons why sentences do not act as a deterrent to teen offenders.

          There are much worse criminals than these two so suck up the fact you "understand" this crime and can relate to it, accept the fact JUSTICE has been done and move on.

          1. The Fuzzy Wotnot

            @AC 12:13

            "Stealing is wrong, yet 99% of people steal all the time."

            Do they really? Well explains why the Police get a bit annoyed when 62 million in this country alone are nicking stuff 'all the time', every day!!! Surprised TESCO had any sarnies left at lunchtime with everyone nicking 'em!

            Difference between lying to someone and deliberately going to some place, be it physical or virtual, with the express intention of taking or copying something without permission, with criminal intent.

            Far worse criminals and far worse crimes, so we just let it go? OK, as you wish I'll let it go, I'm sure it won't happen again!

            1. Anonymous Coward

              The Fuzzy Wotnot

              Two minor problems with your attempt at sarcasm but both seem to stem from your idea that people are still either a saint or rapist with no in-between stages. You seriously need to consider that.

              The majority (by volume) of thefts are petty thefts along the lines of employee stealing pens and other bits of stationery (British Crime Survey). This may be trivial and almost acceptable but it is a crime that costs businesses serious amounts of money (in aggregation). This isnt theft from Tesco, it is the almost constant drain that most employees seem to view as a "right." By your standards we should be locking every single one of these people up for 5 years and never letting them work again.

              Secondly, who said "let it go?" You might want to try taking a few deep breaths and re-reading what was said. It really does help with the understanding.

              Punishments should fit the crime. Taking some money of people is a bad thing, no one is doubting that, but on the scale of bad things it is pretty much at the low end. We let banks and governments do it to us on much larger scales without trying to see everyone of them banged up until the sun explodes.

              It is perfectly normal for victims of crime to feel that their crime is the worst imaginable but the reality is the justice system has to step away from that and take an objective view. Anything else is not justice - it is mob-fulled, hate-filled, frothing revenge.

              And we dont want that, do we?

    4. This post has been deleted by its author

    5. mike2R


      I'm guess the bleeding hearts have never been the victim of credit card fraud.

      Please note that by victim, I don't mean that you were mildly inconvenienced by having your card used for fraud. The victim in that situation is not you, it is whatever poor sod took payment for goods on your card, and once you have reported the fraud, will have the funds stopped out payments for future transactions.

      These two thieves quite probably have either stolen from me directly, or have enabled others to do so. And I want justice for that.

      I don't want it primarily for the good of society, or for the good of these thieves. I want it because I have been stolen from, and I want the shits who did it to suffer for it.

      This is the most fundamental purpose of the justice system - not to rehabilitate criminals, or even to confine them or deter them. It is to provide justice to those who have had crimes committed against them; you cannot have a justice system that doesn't acknowledge this, since people will take the law into their own hands if they cannot get justice through the system.

      I always find it amusing that the same people who take a bleeding heart approach to crimes of property theft against others, often sound like a Daily Mail headline when they talk about spammers. Shows you the different perspective you have when you are a victim, even if the crime has only cost you a few seconds of your time.

      1. Anonymous Coward

        Buckets of Phail

        @Mike2R "I'm guess the bleeding hearts have never been the victim of credit card fraud."

        You guess wrong, even with your specialised redefinition of where the victim lies.

        Like lots of posters here you dont want "justice" - you want revenge and the two are very different things.

        Justice holds for a "fair and reasonable" treatment which is instantly lost when we demand teenagers (too young to drink in the US as an example) should be punished in a manner that would pretty much ensure the rest of their lives is spent pursing criminal activities.

        Yes, what they have done is wrong and criminal and there should be an element of punishment involved. 12 months in jail is *only* a soft option to people who live in luxury and, through misguided reading of various tabloids assume that prison is a holiday home. It is not.

        The "justice system" is not the "punishment system" - we moved away from that concept centuries ago (in principle if not in practice). In normal use, the criminal justice system is made up of multiple components, each of which is as "fundamental" as the other. Using the justice system as nothing more than a punishment system has been shown the world over to lead to more crime and public uprising. You appear to be driving for a revolution in your frothing desire to send these people down for LONGER sentences than if they carried out accounting fraud and stole millions from the taxpayer.

        We (in the UK at least) seem to be struggling with a mixed desire to see longer and longer headline punishments for even the most trivial offences because it shows we are "tough on crime" while in complicated cases (business fraud, corporate manslaughter) the hard work involved in understanding it means people get let off with a caution. Someone shoplifting a £10 item of clothing will probably spend longer in jail than an accountant who fiddles £10m. How is this justice? Sadly, the reductio ad absurdum here is that everyone gets life for littering.

        In this case *we* (reg readers) understand it and are outraged so we call for a longer sentence than if they had killed someone through reckless driving. Longer sentences than if they robbed a little old lady with a knife. Longer sentences than if they actually stole the credit cards from someones hands even.

        Does that make sense? Is that justice?

        By all means punish them but the punishment should fit the crime and we have to keep a sense of perspective here. If they got 10 years for this how could we scale up the punishments for more serious offenders..... ?

        1. Anonymous Coward

          I too the victem of crime.

          I have on many occasions been the victim of crime and it makes my blood boil when the culprits get of with a slap on the wrist (read as scott free).

          It makes my blood boil when I read about car thieves getting getting days out racing cars about a track. It makes my blood boil when these cretins get handed holidays abroad because the bleeding hearts feel sorry for the poor little thing who didn't have a PS3 growing up...

          I had sweet FA growing up on a council estate in Liverpool in the 80's. unemployment was at 95% on our estate... WE HAD NOTHING...

          Did I resort to stealing? no... some did and where are they now? still kicking around the same hole... I got my head burred in books and educated myself because the education system failed me because they did not understand dyslexia. Now I am running my own successful business and a family of my own.

          It makes my blood boil that my daughter who is currently doing her GCSE's and is expected to get A+ across the board, Who has never been late for school, never had a day off unless she was ill, never been in trouble with the police, does not smoke or drink.... and what does she get? all she is going to get is £30,000 worth of debit when she goes to university. but as she wants to be a dentist and will earn £100,000 a year that's ok....

          If they really want to get the yoof of today to behave, is to give them something worth loosing... how about, if your child reaches the grand age of 17 without being known to the police, passing all the GCSE's never being late for school... give them driving lessons, a small car and 5 years worth of insurance.....but make it so easy to loose.... even being in a group of people that have been reported to police for causing trouble you loose it.... see how many kids hang around with the "wrong type" then....

          1. Anonymous Coward
            Anonymous Coward

            Scott Free

            How is a criminal record "scott free"?

            By the way, 1980s East Germany called and asked for its social policy back.

    6. Neil 23

      "Decades" - really?

      Rape ruins lives for decades, so do other violent crimes, I don't really see credit card fraud being in the same league.

      In my limited personal experience, having had my credit card number stolen 3 times, the longest I've suffered is a gap of about a week until the new card turned up & the money was refunded by the bank.

      Fraudulently applying for credit can have a bigger effect on the victim but can be resolved in much smaller timescales than decades.

      1. mike2R

        Re: "Decades" - really?

        Neil 23. Refunded by the bank? The bank?? You don't honestly think that the bank would give you its own money in such a quick and painless process do you...

        The money came from whatever merchant was unlucky enough to be defrauded by the person who compromised your card.

  2. M Gale

    "I will never get a job in IT now"

    While I'm sure some companies may be warned off, there's plenty of tales of ex-crims turned security analysts. Sort of like hiring a thief to design a better lock, I suppose. You get years of experience in how to break the things, going into hardening said things. Plus you know who the little fucker is and he's on the payroll, so easy enough to track.

    So long as they come out the other end of their sentences and try for a BSc in Computer Forensics or similar, I'd say his current criminal record might even help. Just don't go bragging about it in the job interview like it's your best qualification.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Might as well kill them then.

        "Nobody sane EVER hires anyone with a criminal record, "

        Well thats their life over then - they will live on state hand outs for the next sixty years. Wonderful.

        Even if it is just JSA (ironically) it will now cost the state £400,000 for these two. Who is being punished?

        "especially when it comes to Security."

        Rarely the case. Even in the military and banking sector. The OSA iform s a notification, not a check as it applies whether or not you bother to sign the form.

        Even the Cabinet Office guidance does not say to reject an SC or DV candidate (let alone the BPSS) where there are spent convictions. Thats the whole idea of having spent / unspent. Depending on the nature of the offence, an unspent conviction is not an automatic bar to SC/DV as this is down to the judgement of the IO.

        Most of the insider threat comes, not from "Known Criminals" but all the people who have successfully passed the check and are no longer under suspicion.

        Still, I bet you've stolen stationery from work.

      2. Vic

        Sure about that?

        > Nobody sane EVER hires anyone with a criminal record

        I know quite a few people with SIA badges who have previous convictions.

        Besides which, the Rehabilitation of Offenders Act 1974 means that criminal records are frequently not disclosed, as the offences are deemed "spent".

        So your bold assertion is clearly wrong - sane people often employ those with a criminal record, both knowingly and unknowingly.


  3. N2

    200 hours of unpaid work?

    not unlike working in IT then

  4. Anonymous Coward


    Being a script kiddie doesn't really qualify you to be a penetration tester.

    1. Anonymous Coward
      Anonymous Coward

      Toolz and Toolz

      All penetration testeres these days seem to do is use NMap and use Metasploit. (The same as a Skiddie....)

      1. PrivateCitizen

        re Toolz and Toolz

        Sadly that isnt even a joke. Even the "gold standard" CHECK testers seem to be heading that way.

  5. Mike Moyle

    "“I will never get a job in IT now.”

    Sure you will... just keep up your skillz and learn Russian. Or Chinese. Or possibly Farsi.

  6. Anonymous Coward

    “I will never get a job in IT now.”

    Consider yourself fortunate, kid. If you're anything like I was at age 19, then your experience of programming to date (fun, quick, exciting, able to do what you want when you want unsing whatever technology you damn well feel like) and the reality of working as a programmer (process, documentation, reviews, teamwork, meetings, very occasionally getting to code boring stuff, general drudgery, annoying micro-managers who know just enough about software to be a real pain in the ass, sales departments making promises that engineering have to work unpaid overtime to keep) will be two VERY different animals.

    Then it'll get outsourced to somewhere cheaper and you'll be 40, out of work and wondering what was supposed to be so awesome about working in IT.

    1. Dagg Silver badge

      NO Joke

      The sad thing AC is what you have stated is no joke!

      1. defiler

        A real professional

        And despite the drawn-out rant in the middle, he even remembered to close his brackets. Now that's a programmer!

        1. Paul_Murphy


          Capitalisation is correct as well, and since he doesn't finish every sentence with a ';' they haven't been stuck using Java/ECMA-script for the last couple of decades.


  7. mark l 2 Silver badge

    no security

    The script kiddies used security vulnerabilities on the websites to gleem unencrypted credit card details but obviously didn't consider using any security and encryption on their own computers as if they had encrypted them and stored them on a truecrypt partition may have meant the MET had not enough evidence to charge them with anything.

    And having dealt with the MET e-crime unit in the past they pretty much want all the evidence handing to them on a plate and you bringing the suspect into the police station yourself before they will do anything

    1. Anonymous Coward
      Anonymous Coward


      Remember not giving your encryption keys to the police makes it an automatic guilty plea

      1. Anonymous Coward
        Anonymous Coward


        Guilty plea to a different charge maybe.

  8. Mark 65

    Manual needs an update

    "Woodham and Tobenhouse posted tutorials on Ghostmarket that gave advice on hacking into company websites, committing fraud and evading capture by authorities, police said."

    That last bit needs updating.

  9. Naughtyhorse

    committing fraud and evading capture by authorities

    So not very good at it then.

    that would give me far more pause for thougth if they applied for a job than anything else.

  10. Steven Roper

    "I'll never get a job in IT now"

    Awwww. Poor little boy. You should count your lucky stars sunshine, because if I was in charge of things you'd now be swinging from the end of a rope. In a public city square.


    1. Paul_Murphy


      I see what you did there.


      1. Steven Roper
        Thumb Up


        It's actually my real name. I guess my family comes from a long line of hangmen. String 'em up, I say, string 'em up!

  11. mafoo


    "Woodham also used some of the stolen cards to pay for access to premium chat lines that he owned."

    That may have been a contributing factor to getting caught.

    Do people never learn, always take the 2nd taxi!

  12. Winkypop Silver badge

    When I were 18.....

    ...we were more interested in women, cars and the drink.

    Scamming people wasn't on the list.

    The kids these day, eh?

    1. Anonymous Coward
      IT Angle

      It's called "entrepreneurial".

      David Flashman said we haz to all be more like that, now they do and getz punishd. No fair!

      But then this cabinet promised a less fair society so that's OK.

  13. Anonymous Coward
    Anonymous Coward

    "I will never get a job in IT now"

    10 actions have consequences

    20 goto 10

  14. bowdie

    “I will never get a job in IT now.”

    FX : The world's saddest song, played on the world's smallest violin.

  15. Anonymous Coward

    Just the begining.

    Just wait till the FBI and UK authorities get their hands on the people that hacked/DDOS PSN...

    Surely anyone foolish enough to have downloaded and ran LOIC will be shitting bricks right now, waiting for the knock on the door...

    Oh Dear, no so cool now heh?

    EPIC FAIL, is the term I think you like to use....

  16. MarthaFarqhar

    Good job they weren't sent down

    Otherwise they'd get to know the pain of having an open port probed repeatedly.

  17. trafalgar

    what is theft...?

    27% APR!

  18. Jeff 11

    @Thomas 18

    "Isn't that the purpose of jail after all to rehabilitate or is it to punish and spread fear amongst other hackers by making an example? might want to ask yourself that question."

    Neither, conceptually. The purpose of prison is simply to keep criminals out of law-abiding society for a period of time. Rehabilitation is an activity that may or may not occur in prison. The sentence by the court is really the deterrent, not prison by itself.

    As for these guys getting a job in IT, that's doubtful. When they come out of prison, they'll be years out of date, so they'd have to refresh their security skills if they want a job in the whitehat industry. And no company processing sensitive data is going to want to employ people who've sold it for criminal purposes.

This topic is closed for new posts.

Other stories you might like