A former core infrastructure engineer has pleaded guilty to carrying out a cyberattack against his employer, locking administrators out of hundreds of systems in an attempt to extort the company.
According to court documents, 57-year-old Daniel Rhyne of Kansas City, Missouri, unlawfully accessed the network of an industrial company based in Somerset County, New Jersey, between November 9 and November 25, 2023. Using an administrator account, Rhyne scheduled malicious tasks on the company’s Windows domain controller to delete admin accounts and reset passwords across the network.
Prosecutors say he changed the credentials of 13 domain administrator accounts and 301 user accounts to a single password, “TheFr0zenCrew!”, and also targeted local administrator accounts, affecting 3,284 workstations and 254 servers. In addition, he programmed systems to shut down random servers and workstations over several days in December.
On November 25, Rhyne allegedly escalated the attack by sending a ransom email to coworkers titled “Your Network Has Been Penetrated.” The message claimed all IT administrators had been locked out and that backups had been deleted, threatening to shut down 40 servers per day unless the company paid 20 bitcoin (valued at around $750,000 at the time).
Network administrators began noticing widespread password reset alerts that same day and soon discovered that all domain administrator accounts had been deleted. Evidence was later found that Rhyne had planned the attack in advance, including web searches on bypassing Windows logs and remotely changing account passwords using both a hidden virtual machine and his personal laptop.
Rhyne was arrested in Missouri on August 27 and later released following his initial court appearance. He now faces up to 15 years in prison after pleading guilty to hacking and extortion charges.