Man Is Charged With Hacking West Point and Government Websites

A California man suspected of accessing and defacing numerous military, government and business websites, including that of West Point’s Combating Terrorism Center and the New York City Comptroller’s Office, was arrested Thursday on computer fraud charges.

Prosecutors believe that from 2015 through March 2018, Billy Ribeiro Anderson, under the online pseudonym AlfabetoVirtual, gained unauthorized access to computers and replaced publicly available content with the words “Hacked by AlfabetoVirtual,” “#freepalestine,” “#freegaza,” or some combination of the three. Hackers often claim responsibility for cybercrimes by adding their online pseudonyms to their defacements.

“Billy Anderson allegedly used specialized computer skills and knowledge to hack important U.S. military and government websites, as well as over 11,000 other websites around the world,” Geoffrey S. Berman, the United States attorney for the Southern District of New York, said Thursday in a statement issued by the Department of Justice.

Mr. Anderson, 41, of Torrance, Calif., faces three counts of computer fraud, and could face up to 21 years in prison if convicted on all charges.

“Among other possible effects, website defacements can disrupt an organization’s operations and damage its credibility,” William F. Sweeney Jr., the assistant director in charge of the F.B.I.’s New York field office, said in the statement.

In July 2015, security vulnerabilities in a website for the New York City comptroller were exploited, and AlfabetoVirtual claimed responsibility for the intrusion and defacement.

In October 2016, AlfabetoVirtual claimed responsibility for defacing a website for the Combating Terrorism Center, an academic center at the United States Military Academy in West Point, N.Y.

According to the complaint, the comptroller’s office ultimately paid more than $5,000 to fix the damage, and the United States government paid more than $7,000 to fix West Point’s site.

Mr. Anderson’s lawyer could not be identified on Thursday, and Sagar K. Ravi, an assistant United States attorney who is expected to prosecute the case, could not immediately be reached.

Tampering with websites in this way is probably the most common type of hacking, Levi Gundert, a former United States Secret Service special agent within the Los Angeles Electronic Crimes Task Force, said in an interview on Thursday. And those looking for holes in web servers can find “so many different ways in,” he said. “There are hundreds of people who do this regularly.”

The behavior of AlfabetoVirtual, Mr. Gundert said, seemed to be primarily hacktivist activity, intended to spread a message and leaving mostly superficial damage. “He probably looked at it as a harmless hobby,” said Mr. Gundert, who now runs a threat intelligence research team at the internet technology company Recorded Future.

It was probably the importance of the sites that were targeted and the sheer number of sites that were hit that led prosecutors to proceed with a case, he said.

There’s a “ton of potential for real harm” when someone gains unauthorized access to web servers, said Mr. Gundert, who pointed out that the large-scale Equifax breach last year — which exposed the personal information of up to 145 million Americans — began with unauthorized access. “Organizations generally underestimate the damage that can be done.”

A version of this article appears in print on , on Page A25 of the New York edition with the headline: Man Who Hacked West Point and City Comptroller Websites Is Arrested in California.