Melbourne man Patrick Hric pleads guilty after using stolen data to access bank accounts, personal information
A woman watched her wages disappear from her banking app in “real time” as payments were made to Dan Murphy’s, UberEats and BP by an Australian hacker, a court has heard.
Details of how Patrick Michael Hric was able to impersonate the woman and eight other victims online were released in the District Court in Melbourne on Thursday, with the 35-year-old man admitting 12 charges.
Explaining the facts of the case, prosecutor Jessica Mackay said that when Hric was arrested by AFP at his home in Lynbrook in March last year, he was caught with the personal identification information of approximately 1,500 people.
These included pay stubs, bank information, government account information, and passports or driver’s licenses.
The court was told Hric began buying “key logger files”, which contained secretly recorded data logs from personal devices, from a dark web marketplace the previous year for $10 each.
The prosecutor said mobile service provider TPG used software to “circumvent” security measures in a method “akin to hacking”, then tried to use the stolen data to transfer victims’ phone numbers to TPG eSIMS, which it controlled.
Ms MacKay told the court police identified nine victims who later gave statements to police, as well as successfully “porting” 35 other phone numbers and finding records of 54 unsuccessful attempts.
Hric accessed the personal accounts of eight of the identified victims using phone number porting, while the ninth involved using a man’s Latitude credit card to purchase three Apple MacBook laptops, a tablet and a Samsung phone from JB Hi-Fi for approximately $12,000.
Ms MacKay said police identified a Facebook account under a false name linked to Hric offering to sell three MacBooks for $2000 each in October 2024.
On July 19, 2024, Hric managed to access a victim’s CommSec trading platform, where he placed an order to sell 800 shares for $23,000.
The man managed to block the move after receiving an email from the platform.
Days later, on July 21, 2024, another victim noticed $330 to $350 missing from her NAB account and later watched a live stream of purchases being made at Dan Murphy’s, UberEats, and BP.
Ms MacKay said NAB took somewhere between $1300 and $1400 before getting back $920, and she watched the woman’s weekly wage deposit “disappear in real time”.
Hric accessed another woman’s phone number on July 23 and discovered nearly $9,000 had been transferred from her bank account the next day.
The court was told that a few days later the woman obtained a UBank credit card created by Hric and a month later on August 8 the woman tried to transfer $300 to her husband to pay for his Meals on Wheels service.
Ms. MacKay said that after she was told that her Meals on Wheels payment had been declined, the woman discovered that her payee information and some other information had been changed in her banking application.
The fourth victim was contacted by a friend who received a $5,000 money order and a suspicious message from him.
“I sent you a $5,000 payment by mistake, can you send it back to me? Do you have my current bank information?” message read.
Ms MacKay said Hric had been “flagged by every bank under the sun” and did not have a bank account at the time; The Crown claimed the message was a “circuitant” way for Hric to try to get the money.
He told the court that Hric also opened bank accounts, credit cards or cryptocurrency accounts in other people’s names.
Commvault CEO Sanjay Mirchandani explains how companies can recognize the threat of cyberattacks and recover quickly.
In a police interview after his arrest, the self-described “pretty tech-savvy guy” said that once he gained control of a person’s mobile phone number, he would begin mining email accounts for banking information, requesting a one-time password be sent via text message.
“The end game was always financial gain, probably eight out of 10 times I wouldn’t get anything out of it,” he said.
Hric pleaded guilty to nine counts of unauthorized access to data with intent to commit a serious offence, one count of tampering with personally identifiable information, one count of obtaining financial advantage by deception and one count of possession of personally identifiable information.
The actual monetary benefit he received was unknown, the court was told.
In their statements to the court, two victims said the experience was a violation and left them feeling a constant lack of security.
“This wasn’t just a theft, it was an attack on the most private parts of my life,” one man said.
Hric’s lawyer, Stephanie Gillahan, told the court that although the crime was complex, her client was less motivated.
The woman said Hric’s behavior was due to his addiction to ice and described his behavior as “almost equivalent to stealing a credit card”.
Ms Gillahan said she cooperated fully with police upon her arrest, even explaining the weaknesses she exploited, saying “they know how other people work”.
The court was told Hric wrote a letter of apology making it clear he did not want mercy and was prepared to face the consequences of his actions.
Ms Gillahan said hearing about the impact of his crime on the victims left an impression on her client and argued that he had a good chance of rehabilitation if he stayed away from the situation.
The court was told that both prosecutors and the defense agreed that a prison sentence was appropriate for the offence.
Hric’s trial was adjourned by Judge Anthony Lewis and his plea hearing will continue at a later date.
