A Saskatoon man accused of conspiring to hack into American educational institutions in 2017 is facing extradition to the United States. Ryan James Roach allegedly participated in a scheme to install malware, steal login credentials, and mine cryptocurrency from the targeted networks.
The accusations were presented in Saskatoon Court of King's Bench, where Justice Grant Currie ordered Roach to be taken into custody pending extradition. The judge's written decision from May 7 does not determine guilt or innocence but concludes there is sufficient evidence to justify a trial through extradition.
Roach will not be surrendered for at least 30 days. He retains the right to appeal the extradition order and may apply for judicial interim release. The extradition request was made by the Attorney General of Canada on behalf of the United States.
Details of the Cyberattacks
In October and November 2017, a cyber actor remotely accessed the computer network of a New York State educational institution, referred to in court documents as Institution 1. The Canadian Centre for Cyber Security defines a cyber actor as an individual or group with malicious intent aiming to exploit weaknesses in information systems.
On November 1, 2017, Institution 1 noticed its supercomputer running slowly. Diagnostic testing revealed a breach, with malicious software installed by the cyber actor. The software included a rootkit, a keylogger program, malware that extracted over 1,900 remote login credentials, and a file to facilitate mining of the cryptocurrency Electroneum.
Two other institutions, Institution 2 and Institution 3, faced similar attacks from the same cyber actor, identified by the U.S. as Mathiew James Stubbings, reportedly from Ontario. Roach was named as a co-conspirator.
Evidence of Conspiracy
Justice Currie acknowledged that there is no direct evidence of conversations between Roach and Stubbings planning the attacks. However, other evidence suggested a conspiracy. Three remote computer servers were used for the attacks. The first server, EURO VPS-1, was registered to a name and email address demonstrated to be controlled by Roach. Payment for that server was made by Ryan Roach via PayPal during the time of the Institution 1 breach.
Roach was arrested by Canadian authorities after the extradition request was received and brought before Currie in Saskatoon. The case highlights the growing issue of cyberattacks on educational institutions and the international cooperation required to bring perpetrators to justice.
