Sydney man sentenced for attempted blackmail scam using stolen Optus data

Arrested back in October for an attempt to leverage stolen Optus data

Australian man sentenced for attempt to exploit stolen data from Optus

A 20-year-old Sydney man, Dennis Su, has been sentenced to an 18-month Community Correction Order (CCO) and 100 hours of community service after attempting to take advantage of the Optus data breach[1] last year to blackmail its customers.

The man, who was arrested in October 2022, used the leaked records from the security lapse to orchestrate an SMS-based extortion scheme. He threatened to sell the personal information of 92 individuals, who were part of a larger cache of 10,200 records, to other hackers unless a payment of AU$2,000 was made to a bank account under his control.

Blackmail attempt using stolen records

The suspect sent the SMS messages to 92 individuals whose information was part of a larger cache of 10,200 records briefly published in a criminal forum in September 2022. The Australian Federal Police (AFP),[2] which launched Operation Guardian following the breach, said there is no evidence that any of the affected customers transferred the demanded amount. The man, who was 19 when arrested and now 20, pleaded guilty in November 2022 to two counts of using a telecommunications network with intent to commit a serious offense.

“The criminal use of stolen data is a serious offense and has the potential to cause significant harm to the community,” AFP Commander Chris Goldsmid said. The Australian telecom service provider suffered a massive hack last year, with passport information and Medicare numbers exposed to nearly 2.1 million of its current and former customers.

The man sent text messages to 92 people in September after finding their information on a website that published data from the Optus breach. He told them their personal details would be sold and used for fraudulent activity within days unless they transferred $2,000 to a bank account belonging to his younger brother.

The court heard Su offered a high degree of cooperation with investigating police, but he also claimed he deleted the data due to his “conscience”, despite deleting it after receiving the reply about his details being reported to the police.

In Sydney's Downing Centre Local Court, Magistrate Emma Manea noted the offenses were Su's first. She placed him on an 18-month community correction order and recorded a conviction. Su must also complete 100 hours of community service and follow all reasonable directions for counseling and treatment. Su told police he was “having a difficult time being unemployed” and saw “an opportunity to make quick money”.

Prevented significant damage to the community

The man's attempted SMS scam is a reminder that the criminal use of stolen data is a serious offense and has the potential to cause significant harm to the community. The AFP acted quickly on the allegations to protect Australians from identity fraud and ensure that the man would not financially benefit from the data breach. The sentencing of Dennis Su shows that the court takes these types of crimes seriously, regardless of the perpetrator's age or motivation.

According to Australian Competition & Consumer Commission, almost AU$1.8 billion was lost to scams by Australians in 2021.[3] The category with the highest loss from scams was investment scams, amounting to AU$701 million, followed by payment redirection scams, with AU$227 million, and romance scams, with AU$142 million.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions