When I first meet Ngo Minh Hieu—the once-notorious teen hacker who rose from a quiet Vietnamese seaside town to become what US authorities have described as one of the most prolific identity thieves ever to grace a federal prison—I am reminded of Leonardo DiCaprio in the 2002 film “Catch Me If You Can.”
Just like DiCaprio’s character Frank Abagnale, Hieu ran scams for years before he was captured and made to help US agents catch more criminals. But more like Rami Malek’s character in the popular US television series “Mr. Robot,” Hieu spent his childhood in a computer shop owned by his uncle learning the skills he’d later use for better—and for worse.
After serving seven years of a 13-year prison sentence for selling the records of 13,000 people out of a trove of more than 200 million identities he had compiled by hacking into various consumer information databases, Hieu returned to live in the southern part of Ho Chi Minh City where megamalls bleed into verdant marshland.
Now on something of an apology tour, teaching cybersecurity to Vietnamese students, executives, and everyone in between in his spare time, Hieu has a job working as a government researcher. Not only does Vietnam have the highest percentage of computers infected with malware, according to security website Comparitech, it is also believed to have thousands of hackers on the state payroll.
Hieu says he’s determined not to stray back to the dark side, but as we part ways after an interview, we walk past an ATM that was standing open while being serviced. “That’s a temptation right there,” he says, reading my mind. It is hard to know if he is joking.
Still, Hieu’s felonies were all committed online. By hacking and conning his way into databases containing private data, including Social Security numbers and personal addresses, Hieu was able to sell the information onto criminal networks.
By the time of his arrest by US Secret Service agents in 2013, authorities estimated that he had netted around USD 2 million, which he used to splash out on sports cars for street racing, or vacations that saw him bounce from one exotic location to another across Malaysia and Thailand.
“I was a selfish person,” says Hieu, now 31. “Back in the day, I loved luxury stuff. That was nonsense. Now I tell my mom, if I can eat three meals a day, it’s better than prison food.”
At the time, Hieu explained away his identity theft crimes by telling himself they weren’t as bad as other things he had done such as selling credit card data. Now Hieu is keen to emphasize that he understands how damaging identity theft can be.
Using data stolen by Hieu, thieves filed USD 65 million in fake tax returns in the US, according to the FBI. “I don’t know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo [Hieu],” Secret Service agent Matt O’Neill told KrebsOnSecurity, a cyber blog that says its reports alerted O’Neill to Hieu’s hacking activities.
Swapping his black hat for a white one, Hieu first helped the US government track down cybercriminals. Giving expert testimony and tips to officers posing as him in a string of cyber stings that contributed to a reported 20 arrests, Hieu was using the same methods by which he himself was caught: trading messages online with a hacker who turned out to be cooperating with the police.
Lured to the US Pacific territory of Guam by someone he thought was another hacker offering stolen identity data, Hieu was summoned to an airport investigation room soon after his plane landed.
“My whole stomach was crazy, I lost all feeling, I felt like my soul was not there,” said Hieu, adding that he still gets chills remembering the two-month detention in Guam where he slept on the floor without so much as a toothbrush. “That’s a real jail.”
Eventually transported to the US mainland where he was convicted and sentenced, Hieu filled his time with learning origami, group therapy, FaceTime calls to Vietnam, and helping law enforcement officials, which meant being transported with wrists and ankles shackled to 15 different prisons across the country, often wearing “clothes like paper” in the cold. “You feel like your life is worthless. You feel like you’re an animal,” he said of the transfers.
US authorities wanted him “to use a criminal mind, to catch a criminal,” Hieu said, which kind of resembles his current job in Vietnam, where he works for the national cyber agency scanning the dark web for threats and giving security training.
The one-party state is no stranger to cyber espionage. Vietnam hacks dissidents globally, employing 10,000 so-called cyber troops to block or manipulate content on Facebook and YouTube, according to US government-funded advocacy group Freedom House. Vietnam has rejected the group’s findings, saying it respects human rights.
When asked about Vietnam’s cyber record, Hieu said he took the new job with a condition. “I told them straight up, I want to help the community,” he said. “The rest, I don’t know.”
What does help mean? Hieu answered by pulling out two phones. One was a Philips feature phone—yes, they still exist—used for voice calls only. “It’s not smart, but it protects me,” said Hieu.
The other was a Huawei smartphone equipped with an app he developed called Chong Lua Dao, or Fight Scams. Outside work, he uses the app to give advice on cyber hygiene, as well as through his Facebook page, which has 200,000 followers, or even via speeches at colleges and conferences.
One of Southeast Asia’s big six economies in 2020, Vietnam had the biggest jump in first-time digital customers, according to a report by Google, Temasek, and Bain. That includes many new internet users unfamiliar with how easily they can be targeted online. With a total population of 100 million people, that is not a bad-sized audience for someone offering online safety advice.
After growing up among the wheat fields near Cam Ranh Bay, where the Soviet and US navies once had outposts, Hieu has chosen Vietnam’s commercial capital to repurpose the computer skills of a misspent youth.
“I could have done so many things, used my skills, instead of chasing the devil,” he said. The devil that blinded him was money, he said, waving his left palm across his eyes to demonstrate. Hieu said he’s even working on a memoir and has received an offer from a domestic studio that wants to buy the movie rights to his story.