A self-confessed computer hacker accused of illegally accessing the customer database of car-share company GoGet, then using it to pass on his car hire costs to strangers, had previously advised the company on flaws in its software system that could make it vulnerable to cyber attack, a court has heard.
Nik Cubrilovic, from Penrose, was the holder of a legitimate GoGet account in mid-2016 when he sent the online company a series of emails advising them he had identified vulnerabilities in their operating systems.
Cubrilovic, who advertises himself as a “former hacker turned security consultant”, has previously made headlines for his work in exposing cyber security flaws, including on the Australian government's myGov website, and Facebook.
GoGet rewarded Cubrilovic for his advice at the time by waiving money owed on his account, which he then closed a short time later.
However, police will allege Cubrilovic used his advanced hacking skills a year later to access GoGet’s customer database when his girlfriend’s account was suspended.
It is alleged he created more than 30 bookings on five different vehicles, including an Audi A3 Convertible, over a two-month period, each time charging the vehicle hire fee to a stranger’s account. The total cost of the fraud was $3423, police said.
Meantime, police claim GPS data from the cars shows they were predominantly driven between Cubrilovic’s then home address in Neutral Bay and the home of his parents in Penrose, a two-hour drive away.
In Wollongong Local Court on Wednesday, police prosecutor Sergeant Shannon Ryan said officers from the State Crime Command’s cybercrime unit had carried out a “significant and highly detailed investigation” after being notified of the suspicious activity by GoGet’s administration team in July 2017.
That investigation culminated in officers raiding the Penrose property on Tuesday morning and seizing Cubrilovic’s mobile phone and computer, which they believe he used to carry out the alleged crime.
Cubrilovic was arrested at the scene and charged with two counts of unauthorised access with intent to commit serious indictable offence and 33 counts of taking a car without owner consent.
It is alleged he has since been “extremely uncooperative with police, refusing to supply any passwords to any devices”.
Police opposed Cubrilovic’s application for bail, claiming there was a risk he could use his technical skills to flee the country or tamper with evidence contained on cloud-based software.
“During this offence the accused stole a sizable database of identification details,” documents tendered to the court said.
“During investigations it was found he used three different phone numbers subscribed with different fake details.
“Investigators believe that if the accused is granted bail he will delete evidence and may use stolen identity details to create [a] fake identity [to] evade police and the courts.”
Sgt Ryan labelled Cubrilovic’s alleged behaviour a “sophisticated, ongoing course of conduct” that would likely land him a full-time jail sentence if he was convicted of the charges against him.
However, defence lawyer Matt Russoniello argued the case against Cubrilovic had been “totally overblown” and was no different to any other fraud case that came before the courts – a submission which was rejected by Magistrate Mark Douglass.
Mr Russoniello denied Cubrilovic was a flight risk, saying he had strong ties to the Illawarra, a limited criminal history and would agree to abide by any conditions imposed by the court.
Magistrate Douglass agreed to grant Cubrilovic bail but banned him from accessing the internet or having anyone access it on his behalf.
“The way in which this was done generates concern and can’t be trivialised,” he said.
Cubrilovic will also be required to live with his parents at the Penrose property, report to police three times a week, surrender his passport and agree not to contact any witnesses or GoGet employees.
Cubrilovic was supported in court on Wednesday by his brother. Neither man spoke to waiting media after Cubrilovic was released from custody on Wednesday evening.
The case will return to court on April 24 in Sydney.
Accused GoGet hacker had world’s ear
Before he piqued the interest of the Cybercrime Squad, Nik Cubrilovic made his name as a hacker-turned-cyber security expert, capable of insight that made the world sit up and take notice.
He was born in Wollongong and educated at Hayes Park Public School and Kanahooka High School.
A University of Wollongong drop-out, he emerged, at 31, as an unlikely authority on privacy in the digital age, through his unnerving blog posts about Facebook's privacy credentials.
In 2011 he revealed how the social media behemoth was tracking users' web activity even when they were logged out of the site.
The expose sparked a worldwide scandal, leading to political outrage in the US and Europe.
At the time it sparked calls for an investigation, while in the US an Illinois man filed a lawsuit on behalf of Facebook users, declaring he was seeking class action status.
As a consultant, Cubrilovic went on to sell his skills in finding weaknesses in software systems.
He publicly weighed in on the "Shell Shock" bug, and again made headlines, in 2014, for his work in exposing cybersecurity flaws on the Australian government's myGov website.
He was interviewed by Fairfax Media regarding the myGov website flaws, which left millions of Australians' private information exposed.
He demonstrated how one of the security flaws enabled him to hijack the account of any registered myGov user.
Cubrilovic was arrested at his Penrose home on Tuesday morning after Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at the property.
Detectives seized his computer and a mobile phone and charged him with illegally accessing the GoGet customer database.