The federal police charged the man with allegedly creating and selling spyware that allowed criminals, including perpetrators of domestic violence, to remotely control people’s computers – all while he was still a teenager.
The man will appear before Brisbane Magistrates Court on August 19 after a brief appearance on Friday.
Police say he was only 15 years old when he created the Remote Access Trojan (RAT) before selling it to thousands of people around the world between 2013 and 2019.
Spyware called Imminent Monitor was allegedly sold to 14,500 customers in 128 countries. The Federal Police also identified 201 Australians who bought the RAT.
According to an AFP spokesman, 14.2% of these people appear as defendants in domestic violence orders, and one of them is a registered sex offender.
Of the 14 people, 11 bought the RAT during the period of their DVO or within two years of the DVO being issued.
Once spyware was installed on a victim’s computer, users could control it, steal their personal information, or spy on them, including the device’s webcams or microphones, all without their knowledge.
AFP said that spyware can also log keystrokes, allowing users to see what is being written in emails or documents, such as home addresses.
“Spyware can be installed in a number of ways, including through phishing (tricking a victim into opening an email or text message),” an AFP spokesman said.
AFP believes there were tens of thousands of victims worldwide, 44 of whom have been identified in Australia.
Police say the RAT cost around A$35 and was advertised on a hacker forum.
The man is said to have earned between $300,000 and $400,000 selling malware.
A man was served a summons earlier this month at his Melbourne home and charged with six offenses, including providing data with intent to commit a computer crime, aiding, abetting, advising or facilitating the commission of a crime, namely unauthorized modification damaging data and dealing with proceeds of crime of $100,000 or more.
A 42-year-old woman who lives at the same address as the man also received a subpoena for one count of criminally obtained crimes worth $100,000 or more.
On Friday, she also appeared before Brisbane Magistrates’ Court.
The AFP investigation, dubbed Operation Cepheus, began after receiving information from cybersecurity firm Palo Alto Networks and the FBI in 2017.
This sparked a global investigation in which 85 search warrants were executed worldwide.
AFP Cyber Crime Commander Chris Goldsmid said cyber work can often be abstract to many in the community, but the operation provided clear and real examples of how dangerous technology-based crime can be.
“These types of malware are so nefarious because they can give an attacker virtual access to a victim’s bedroom or home without their knowledge,” Commander Goldsmead said.
“Unfortunately, there are criminals who use these tools not only to steal personal information for financial gain, but also for very intrusive and dastardly crimes.”