A 20-year-old computer science student from Kosovo described by the Justice Department as “the first terrorist hacker convicted in the United States” was sentenced Friday to two decades in prison for providing the Islamic State with a “kill list” containing the personal information of roughly 1,300 U.S. military members and government employees.
Federal prosecutors had asked U.S. District Judge Leonie M. Brinkema to sentence Ardit Ferizi to 25 years in prison after the hacker pleaded guilty in June to two charges brought as a result of his role with the terror group.
Mr. Ferizi acknowledged hacking an Illinois-based company in June 2015 and illegally obtaining the personally identifiable information of tens of thousands of its customers. He then parsed those records for individuals with military and government email accounts before providing their details to a Junaid Hussain, an Islamic State recruiter who administered the group’s cyber operations and had previously published a similar “kill list” containing the names and addresses of 100 U.S. military personnel, according to court documents.
Mr. Hussain was ultimately killed by a U.S. drone strike in August 2015. Two weeks prior to his death, however, he took Ferizi’s hacked data and released it online in the form of a new list containing the information of approximately 1,300 U.S. government and military targets.
“[W]e are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” reads an excerpt from a statement that accompanied the second kill list when it was tweeted by Hussain in mid August.
Federal investigators soon after identified Mr. Ferizi as the perpetrator of the Illinois hack and arranged to have him arrested in Sept. 2015 in Malaysia where he had been attending college. He was formally charged the following months and was subsequently extradited to the U.S. where he pleaded guilty earlier this year to providing material support to the Islamic State and accessing a protected computer without authorization and obtaining information in order to provide material support to the terror group.
In court Friday, Judge Brinkema said that “just having your name on a list, knowing that you’ve been identified by a terrorist group,” is a “terrorizing” experience, the Washington Post reported.
In a pre-sentencing memorandum, however, prosecutors said the hacker was well aware of the results his actions would have on the individuals whose names and sensitive information was widely shared among sympathizers of the Islamic State, also known as ISIL, and agreed when Hussain told him that the data would help “hit them hard.”
“The threat to these 1,300 victims goes beyond the release of their private information,” U.S. Attorney Dana Boente wrote in a court filing earlier this month.
“They have now been marked as enemies of ISIL. Any ISIL member or sympathizer in the United States looking for a target now has the information belonging to 1,300 individuals who ISIL has specifically marked for attack. The victims have a permanent target on their backs. While the defendant may not have pulled a trigger, he told members of ISIL where to shoot.”
Mr. Ferizi will be deported to Kosovo upon completing his sentence and will be barred from reentering the United States.
Prosecutors noted the psychological impact his actions had on those on the list. “This was a hit list,” Assistant U.S. Attorney Brandon Van Grack said. “The point was to find these individuals and hit them, to ‘strike at their necks’.”