On a non-descript November afternoon 2018, our bustling Cape Cod Community College (4Cs) campus was rocked by news that wound up making national headlines and took us on a journey into the shadowy world of “cybercrime.” Using powerful malware tools aimed at the college’s financial operations and sly social engineering tricks, hackers robbed our institution of more than $807,130.
Despite the diligence of law enforcement and bank investigators, recovering $677,594 of the stolen funds, our modern-American crime story had been missing its closing chapter: catching our antagonist.
We are happy to say that more than four years after the attack, through the tenacity of our criminal justice system, in a federal courtroom in New York City on St. Patrick’s Day 2023, the final chapter was written.
Facing the judge in the Thurgood Marshall U.S. Courthouse, Djonibek Rahmankulov stood for his crimes. Along with being convicted as a leading conspirator of the nearly $1 million stolen from 4C, Rahmankulov was also charged with laundering millions of dollars in criminal proceeds obtained from other computer hacking schemes, healthcare fraud and Small Business Administration loan fraud, as well as operating an international unlicensed money transmitting business.
Face to face
Attending the sentencing, I represented Cape Cod Community College and the thousands of students we serve every year and the hundreds of faculty and staff who work to bring higher education to our region. In my mind, these were the primary victims of his crimes. While cyberattacks occur on Massachusetts public higher education facilities every day, typically without success, several of our colleagues in the commonwealth have felt their unfortunate wrath in just the past few months. With this in mind, I felt it necessary to face our convicted hacker, reminding the court that cyberattacks are not a victimless crime.
These attacks happen in the shadows, lurking in computer systems that few understand, and taking advantage of those who are not expecting it. It is a rare occasion to get to see the face behind the crime and the members of his family.
In short order, the judge presiding over the sentencing let it be known that these heinous crimes would not be excused. For his role in the above stated charges, Rahmankulov was sentenced to 121 months in prison, three years of supervisory probation, a $40,000 fine, a $300 assessment, forfeiture of more than $5 million, and a note that the government maintains the right to search his electronic devices into the future. A man once on the path to American citizenship, he will likely face deportation procedures when his prison sentence ends.
Time to talk
Our college, meanwhile, returns to the daily battleground of cybersecurity. Attacks like the kind we suffered at 4Cs are exceptionally unexceptional. The complexity of their design evolves every day just as quickly as the technology evolved to combat it. Moments like this allow us to take a breath and reflect on the outcome and accountability of a war that often forces many to concede losses. It also allows us to reflect on the importance of sharing the increasing normality of such attacks so we can collectively learn from them across businesses and organizations of all sizes.
Related article: Getting hacked — and then what?
Speaking about these attacks forces uncomfortable conversations, and sometimes even more uncomfortable admissions, about preparedness. The next cybercriminal is out there right now, trying to steal from organizations large and small, with no regard for the lives impacted. The more we learn about “how” and “why” they are doing this nefarious work, the more we can prepare.
Stay vigilant every day. Invest in technology to protect your services. Build and sustain a culture of awareness and understanding, and never stop learning about the complexity of cyberattacks. It is my hope that you shall never have to start a crime story of your own, let alone have to see it through to the final chapter.
