Full Report
Back in 2016-2018 when threat actors known as thedarkoverlord (“TDO”) were hacking entities and attempting to extort their victims by sending them emails with details about their family members and threats of what would happen if the victims didn’t pay up, a man in Meridian, Idaho who called himself “Lifelock” or “Studmaster” was doing the...
Analysis Summary
# Threat Actor: Robert Purbeck
## Attribution & Identity
**Primary Identity:** Robert Purbeck
**Aliases:** "Lifelock", "Studmaster"
**Affiliation:** None stated; the article treats Purbeck as an individual actor. It compares his extortion tactics (threats referencing victims' family members) to those of thedarkoverlord (TDO), but it does not attribute him to TDO.
## Activity Summary
Robert Purbeck was active in hacking and data exfiltration from at least June 2016 through 2018, culminating in an FBI raid and an indictment in August 2019. His activity centered on gaining unauthorized access to medical practices, stealing data, and then extorting the victims with threatening emails sent to the practices, their patients, and patients' children. In March 2024 he pleaded guilty to two counts of an 11-count indictment. He was sentenced to ten years in prison (60 months on each of the two counts, served consecutively), well above the 70-87 month advisory guideline range. The judge cited "egregious" post-plea conduct, including doxing a U.S. Attorney and making antisemitic references in court filings, as part of the reason for the upward departure.
## Tactics, Techniques & Procedures
- **Initial Access:** Purchasing access to medical practices' systems rather than breaching them himself; the article does not say from whom the access was bought or how it had originally been obtained.
- **Data Exfiltration:** Stealing sensitive patient and practice data from the compromised systems.
- **Extortion:** Emailing the victim entities, their patients, and patients' children with demands for payment.
- **Coercion via Personal Threats:** Including details about victims' family members in the emails and threatening what would happen if payment was not made.
- **Post-Plea Misconduct:** Doxing a U.S. Attorney and submitting court filings containing antisemitic language after pleading guilty; this conduct contributed to the above-guideline sentence.
- **Litigation Tactics:** Repeated, unsuccessful motions to suppress or exclude evidence.
*Note: Specific MITRE ATT&CK IDs were not present in the source text.*
## Targeting
**Sectors:** Healthcare, specifically small medical practices (the article names Holland Eye Surgery & Laser Center and an orthodontist's practice).
**Geography:** The actor was based in Meridian, Idaho. Victims were in multiple jurisdictions; the one location given is Michigan (Holland Eye Surgery & Laser Center).
**Victims:** Medical practices, their patients, and patients' children (recipients of the extortion emails). Named victims: Holland Eye Surgery & Laser Center and Dr. Simon, an orthodontist.
## Tools & Infrastructure
**Malware families used:** Not specified in the summary.
**Infrastructure (C2, domains, IPs):** Not specified in the summary.
## Implications
The case shows that the content of an extortion campaign matters at sentencing: threats against victims' families, and continued vile conduct after a plea agreement (here, doxing a prosecutor and antisemitic court filings), led the judge to impose a sentence well above the advisory guideline range. Victim impact and an actor's belligerence toward the court carried a measurable cost. The case also illustrates that a small, unsophisticated actor who simply buys access can inflict serious harm on healthcare providers and their patients without any custom tooling.
## Mitigations
- **Credential and Remote-Access Hygiene:** Purbeck bought his way in rather than breaking in, so the relevant defensive control is to make purchased access worthless: enforce multi-factor authentication on every remote-access path, rotate credentials whenever exposure is suspected, and monitor criminal marketplaces for access to your systems being offered for sale. (This is an inference from the article's statement that he bought access; the article does not describe the access mechanism.)
- **Extortion Response Procedures:** Maintain documented procedures for extortion attempts that include personal threats against staff, patients, or patients' families, covering law-enforcement notification, patient communication, and evidence preservation of the threatening emails.
- **Judicial Observations (not defender controls):** Two points the article makes concern the actor and the court rather than victims. Post-plea misconduct (doxing a U.S. Attorney, antisemitic filings) negated any leniency the plea might have earned. The judge also imposed a total ban on internet use as a condition of supervised release, which will need to be enforced after Purbeck's release.