The Hacker News
Richard Kirk hacked into more than 300 eBay users' e-mail accounts after cracking their passwords.

He then was able to steal money from his victims' usually secure PayPal accounts.

He transferred money from PayPal into hundreds of his own accounts, and then used the stolen cash to buy valuable items, including gold bars.

On Friday he was jailed for three and a half years for fraud and theft committed between 2008 and 2010.

Nottingham Crown Court heard he stole more than £180,000 from his victims to buy gold jewellery, gold bullion bars and a Mitsubishi Shogun car on eBay.

Victims were mainly individual account holders from Mansfield, Nottingham, Australia and Sweden.

One account belonged to a special school in the North West for children with a short life expectancy.

Kirk used the school's website, which sold memorabilia, to sell gold bars.

After he agreed a sale of £3,000, the gold was never sent to the buyer.

"Richard Kirk is a professional eBay-cum-PayPal hacker," said Martin Hurst, prosecuting.

"What this man has been doing is attacking other people's accounts and stealing their money on a daily basis for hours at a time."

Aged only 22, Kirk had considerable skill at guessing users' answers to security questions.

By claiming to have forgotten the password, he would answer a sequence of security questions the users had previously answered.

He guessed the type of first car users drove, their year of birth or favourite colour.

The court heard people often used the same password on their eBay accounts, which gave Kirk a way in to spend their money.

Users of PayPal have registered addresses, but Kirk would ask for items to be sent to another address.

This meant that many victims, who realised their accounts had been hacked into, could not get their money back when they alerted PayPal.

PayPal was unable to reclaim £40,000 – which it has now paid back to people who had lost money because of Kirk's offences – because people who Kirk had bought items from had already transferred the cash to their bank accounts.

Kirk took control of their PayPal accounts and set up hundreds of accounts linked to his home address in Bradmore Rise, Sherwood.

Detective Constable Dave Prest explained: "PayPal had the power to reverse the payment when the original person's account was hacked into. But where it is sent to a different address, to an unverified address from the one on the website, then PayPal does not reimburse customers.

"This is where the seller has come unstuck."

Martin Elwick, in mitigation, said: "What is a remarkable feature of the fraud is that he uses his home address for the delivery of every single item.

"It beggars belief PayPal never brought it to an end years ago – they can trace each transaction to his home address."

Kirk pleaded guilty to five charges of fraud, four of theft and one relating to the use of a laptop during the frauds.

Judge Ebrahim Mooncey said: "A lot of effort was put in by you over a long period of time in order to conduct the fraud you did."

A proceeds of crime hearing – which will examine Kirk's assets – has been adjourned.
