How the FBI and Mandiant caught a ‘serial hacker’ who tried to fake his own death



In the early hours on January 20, 2023, a doctor’s user account logged onto the Hawaii Electronic Death Registry System from out of state to certify the death of a man named Jesse Kipf. The death certificate listed the cause as “acute respiratory distress syndrome” due to COVID-19 a week earlier. And with that, Kipf was unceremoniously registered as deceased in several government databases. 

On the same day, a hacker nicknamed “FreeRadical” posted the same death certificate on a hacking forum in an attempt to monetize the access they had to the system. “Access level is medical certifier which means you can create and certify a death in this panel,” the hacker wrote.

In the post, the hacker included a partial screenshot of the fake death certificate, but they also made a critical mistake. FreeRadical forgot to redact the purported state of birth of the person in the death certificate, and left a small part of the state government’s seal showing in the corner of the screenshot. 

On the other side of the country in Colorado, Austin Larsen, a senior threat analyst at Google’s cybersecurity firm Mandiant, along with his colleagues spotted the post online as part of their routine threat intelligence gathering, which includes monitoring cybercrime forums. By homing in on the badly cropped screenshot of the fake death certificate, Larsen and his colleagues realized the forum post was evidence FreeRadical had hacked the U.S. state government of Hawaii. 

Three days after finding the hacking forum post, Larsen notified Hawaii state officials that its government systems had been hacked. 

“It is likely the actor compromised a medical certifier account,” the notification read, according to a screenshot of Larsen’s message shared with TechCrunch in an interview earlier in September. 

Larsen’s warning set in motion a federal investigation that would reveal that the doctor’s user account used to file the death certificate was compromised by none other than Jesse Kipf himself, the person who had supposedly died. Prosecutors would later allege in a court document that Kipf faked his own death to avoid paying his ex-wife around $116,000 owed to support their daughter. 

Kipf, whom prosecutors later called a “serial hacker” with “ample technical knowledge towards making a living by stealing from others,” had made a series of mistakes, including using his home internet from Somerset, Kentucky to directly connect to the Hawaii death registry system, which eventually led federal agents right to his door.

As a result, the U.S. Department of Justice criminally charged Kipf in late November 2023 with a series of hacking crimes. Kipf, prosecutors alleged, had hacked computer systems belonging to three U.S. states, as well as two vendors of large hotel chains. The Department of Justice’s press release, as well as the indictment published at the same time, did not include many of the details that prosecutors had claimed Kipf had done. Forbes had reported a few days earlier that Kipf allegedly hacked the Hawaii Department of Health. 

Earlier in September, Mandiant’s Larsen, along with FBI Special Agent Andrew Satornino, and Assistant U.S. Attorney for the Eastern District of Kentucky Kate Dieruf, sat down with TechCrunch to reveal how they found Kipf, and brought him to justice. The three spoke to TechCrunch ahead of a talk they gave at the Mandiant cybersecurity conference, mWISE.

Kipf, according to Larsen, Satornino, and Dieruf, as well as the court documents of his case, was a prolific hacker with multiple identities. 

Satornino said Kipf was an “initial access broker,” meaning a hacker who breaks into systems and then tries to sell access to those systems to other cybercriminals. In affidavits supporting search warrants against Kipf, the FBI special agent wrote that Kipf had committed credit card fraud to purchase food from food delivery services — and was arrested for it in 2022; used fake Social Security numbers to apply for loans, had more than a dozen U.S. driver’s licenses on his computer; and that he had hacked Marriott hotel vendors. 

Kipf likely got the credentials he used in the Hawaii hack from an information-stealing malware that infected the unnamed doctor’s computer, which then ended up on a Telegram channel for hackers. Kipf himself used the nickname ”GhostMarket09″ to operate a credential stealing service, Larsen said. 

Apart from GhostMarket09, Larsen said that Mandiant identified several other monikers that Kipf used on different hacking forums, as well as Telegram, which included: “theelephantshow,” “yelichanter,” and “ayohulk.” Having that list of monikers, Larsen said he manually reviewed thousands of messages sent by Kipf under his various online personas, going through a database that Mandiant created by scraping the hacking forums, “semi-public chats,” and Telegram channels.

Larsen said that Mandiant identified the FreeRadical and GhostMarket09 personas as being connected to what the company calls UNC3944, or Scattered Spider, a prolific hacking and cybercrime group allegedly behind the MGM Resorts hack, and linked to the wider criminal underworld behind a string of violent crimes known as “the Com.” 

According to Larsen, Kipf — as GhostMarket09 — provided stolen credentials for the shipping giant UPS to an alleged member of the Com who uses the moniker “lopiu” or “lolitleu.” Larsen said that Kipf was not part of the Com, but part of the cybercriminal ecosystem enabling it.

“I would say he’s a run-of-the-mill hacker. It felt like he didn’t have fear of consequences either,” said Larsen. “He was adjacently involved in other parts of the criminal community, but really, where he came into play was selling credentials to enable other intrusions.”

A photo of the fake death certificate filed by Jesse Kipf using a doctor’s stolen credentials.
A photo of the fake death certificate filed by Jesse Kipf using a doctor’s stolen credentials. Image Credit: Mandiant (provided)

In parallel, and unbeknownst to Mandiant, the FBI had received a report from the National Cyber Forensics Training Alliance, a non-profit that monitors the dark web and collaborates with law enforcement and the private sector, which included a series of nicknames used on the dark web by a hacker located in Kentucky. 

The investigation led to Kentucky because Kipf had apparently forgotten to use a VPN at least once when accessing the Hawaii death registry systems, exposing his Somerset, Kentucky home IP address, according to Larsen and court documents. 

Then, in May 2023, Hawaii’s Attorney General’s Office, which was investigating the hack of its death registry, alerted the Kentucky Attorney General’s office that someone in the southeastern state used the login credentials of a real doctor, who had “system level entitlements to input death worksheets,” to access the Hawaii death registration system and file a death certificate for a man named Jesse Kipf, according to a court document. 

On July 13, 2023, U.S. federal agents arrested Kipf at his home in Somerset and took him into custody. In a later interview with the authorities, Kipf confessed to a series of cybercrimes, which he said allowed him to not have a regular job for five years. 

“How did you let your IP slip?” the interviewers asked Kipf, referring to the home IP address Kipf used to connect to the Hawaii system. “Just laziness… I just super didn’t care anymore,” Kipf responded, according to a partial transcript of the interview. Kipf said that he “quit giving a f—k.” 

In fact, later in the investigation, the authorities learned that Kipf had used his same home IP address to attempt to “visit, and extract data from Marriott internet domains and internal servers” between February 9 and May 22, 2023 — a total of 1,423 times. The goal there, according to Satornino, was to sell access to those networks to other hackers on forums used by cybercriminals. 

Kipf also said in the interview that he had accessed the death registry systems of Arizona, Connecticut, Tennessee, and Vermont, just to see how easy it would be, the court documents say. In Arizona’s death registry system, Kipf successfully filed a death certificate where he put the name “Crab Rangoon” — a type of cheese-filled crisp Chinese wonton — as the name of the deceased, according to a screenshot of the certificate seen by TechCrunch.

He did, however, have some semblance of a plan. Kipf told interviewers that he had created a forged credit profile with a false Social Security number in order to use it after he faked his death, according to court documents.

The hacker also confessed to selling the personal information of hacking victims to people in Algeria, Ukraine, and Russia, and providing access information for a Marriott’s vendor system to Russians, court documents show. 

Once the FBI was able to go through Kipf’s devices, they found past Google searches in his browsing history suggesting he was trying to find information on how to avoid paying child support, said Satornino. 

Finally, Kipf was also accused of hacking into GuestTek and Milestone, two vendors who worked with Marriott hotels. In those hacks too, Kipf used his home IP address. 

Perhaps because of all the evidence Mandiant and the FBI had gathered on Kipf’s history of cybercrime, and his confession in the interview with the authorities, the hacker reached a plea deal with prosecutors. Kipf formally admitted to causing close to $80,000 in damages to the government and corporate networks he hacked, and $116,000 for the unpaid child support for his ex-wife. He also admitted to identity theft, for using doctor’s stolen credentials in the Hawaii hack to create the death certificate. 

“The Defendant is a serial hacker, stealing personal identifying information and infiltrating protected computer networks of businesses and governmental entities with abandon,” Dieruf wrote in a memorandum asking the court to sentence Kipf to seven years in prison. “He caused significant damage, both monetarily and in the form of technological responses, to his corporate and governmental victims.” 

Dieruf added: “By attempting to kill himself off to avoid child support obligations, [Kipf] continues to re-victimize his daughter and her mother, who are owed more than $116,000 in child support obligations.”

In the sentencing memorandum filed by Kipf’s lawyer Thomas Miceli, the attorney conceded that Kipf “understands and does not deny the seriousness of his conduct.” Miceli, who did not respond to TechCrunch’s request for comment, wrote at the time that Kipf was diagnosed with paranoid delusions and schizophrenic tendencies, and that his“mental health spiraled after the conclusion of his military service” in Iraq, which “increased his drug addiction.”

Kipf was sentenced to prison for 81 months, just shy of seven years. According to the Department of Justice press release announcing his sentencing in August, Kipf must serve at least 85 percent of his prison sentence — more than five years — under federal law.




Source