NAP leaks, the theft of data from the Bulgarian tax office, is declared cyberterrorism

"Let’s stop Geschev, the new club". Image: F. Bull

Bulgaria’s prosecutor general-to-be declares the opposition the mastermind of the data leak

Low-cost airlines bring more and more foreign travelers to Bulgaria’s capital Sofia. Even tourists who do not speak Bulgarian heard one word echoing down the central boulevard Vitosha last Monday evening, and they understood it: "Mafia, Mafia, Mafia!" chanted about two thousand demonstrators in front of the court palace. They protested against the election of the Deputy Prosecutor General Ivan Geschev as the future Prosecutor General, which, in their opinion, was imposed by the ruling class. In their eyes, he represents the rule of law hijacked by the oligarchy in Bulgaria, as does the acting Prosecutor General Sotir Tsatsarov. The Balkan country lacks strong convictions of corrupt politicians, and police and prosecutors are suspected of arbitrarily criminalizing opposition circles.

The current NAP leaks, the biggest theft of data from the Bulgarian tax office in the history of Bulgaria, fit into this scenario. Prosecutor Geschev interprets it as a "blow against the state" for which representatives of civil society and "media of the protesters" are responsible. As an indication for his thesis he mentions an "overexposure" of the hacker attack in "certain circles of the media". These are connected with the publisher of the anti-government business paper Kapital, Ivo Prokopiev, and ex-Justice Minister Hristo Ivanov, who today heads the oppositional traditional-conservative party alliance Democratic Bulgaria (DB).

On 15 July 2019, various media outlets received an email from an alleged Russian hacker. It contained a link to a massive 11 GB of data from the files of the National Agency for Revenue (NAP), the Bulgarian tax office. Since then, names, personal identification numbers, bank accounts and other confidential data of four million living and one million dead Bulgarian and foreign individuals and companies have been made public. The gigantic data leak poses significant risks for Bulgarians, many of whom now fear that fraudsters could take out loans or make deals in their names.

Quickly, a 20-year-old is accused of being the sole perpetrator of the crime

It took police and prosecutors less than forty-eight hours to "clear up" the hacker attack and to present the twenty-year-old Kristian Boikov to the public as the suspect. Boikov, an employee of the cybersecurity company TAD Group, had committed the computer crime as a single perpetrator, it was said at first.

In 2017, while still in school, Kristian Boikov, as a white hat hacker, drew the attention of the Bulgarian Ministry of Education to the inadequate protection of its data. At that time, the ministry officials paid attention to him only when the satirical television program Gospodari na Efira (Lords of the Ether) reported about it. Finally, the ministry asked Boikov for his help in fixing the vulnerabilities of its online presence. For the past two years, Boikov has been conducting tests of IT systems for the Bulgarian branch of the U.S.-registered TAD Group.

"It was not me who carried out the hacking attack on the tax office servers", says Boikov, denying the crime with which he is charged. After being released on bail for seventy-two hours, he told bTV that he and the TAD Group, which employs him, had been wrongly blacklisted. The police officers had put him under pressure with "light threats" to get him to confess.

Not only his lawyers, but also some IT experts consider Boikov innocent. "It will probably turn out that it was not him", commented Svetlin Zhelev from the technology portal Kaldata.com. IT specialist Svetlin Nakov believes that the evidence against Boikov is contrived. "The file that was brought as evidence against Kristian Boikov is falsified. Hackers use Linux, especially the good hackers, there is no doubt about it. The specified file was created with Windows, but not by the one who exported the basic NAP data", Nakov wrote on Facebook.

Boikov’s lawyer Lyuben Kazanliev also directs accusations against the prosecutor’s office: "I think the situation is developing in a very suspicious way. It is absurd that a four-line accusation of guilt is formulated with an arrest warrant, and the prosecution’s press statement then consists of four pages. We have taken from it what alleged evidence exists, that is unheard of", he says. It will have to be proven in court what alleged evidence was found on Boikov’s computer and whether it was not uploaded to it after the seizure.

Bulgaria’s Prime Minister Boiko Borissov gave double-edged praise to the young computer specialist Boikov. "We have unique heads and it is very important to find a way to use them for our services, so that they do not have to inflict such damage on us and be accused. We should win them over, that they work for the state, they are such magicians", said the head of government.

Now the prosecutor’s office is investigating "organized cyberterrorism"

Shortly afterwards, however, prosecutor Geschev rejected his original single-perpetrator theory and now recognized "organized cyberterrorism to spread outrage and fear among the Bulgarian population". The superiors at the TAD Group had incited Boikov to do this, also for political interests. "We initially assumed the act of an individual, now we have reason to believe that the attack against the NAP was a targeted act against the state and that the company’s activity may turn out to be a crime with a high degree of probability."

When TAD Group CEO Ivan Ivanov arrived at Sofia airport last Tuesday morning from a long trip abroad, he was immediately arrested by police officers and taken into custody.

According to Geschev, police IT specialists discovered basic NAP data on Boikov’s computer. They also found that Boikov had specifically sought data on Prime Minister Boiko Borissov, Prosecutor General Sotir Tsatsarov, and controversial MP and media entrepreneur Deljan Peevski. This, Boikov said in an interview with "Search for Bivol" titled folder. With this statement, Geschev made the connection between the hacking attack on the NAP and the extra-parliamentary opposition and media critical of the government.

The online medium Bivol.bg sees itself as a Bulgarian representative of Wikileaks and has repeatedly embarrassed the government with revelations, most recently a few months ago with the so-called Apartmentgate (Bulgarian Monopoly).

Protest in front of the court palace. Image: F. Bull

Denunciation of the opposition

The media close to the government, owned by parliamentarian and editor Deljan Peevski, immediately took up Geschev’s proposal. "Hackers in back rooms" headlined his weekly Politika and showed the usual suspects: ex-prime minister Ivan Kostov, Kapital editor Ivo Prokopiev and ex-minister Hristo Ivanov: "Prokopiev and Bivol emerged from the NAP attack. The blow – part of the extortionist scheme of the oligarchy created by Kostov. It qualifies as cyberterrorism and is a political attack on the country’s state structures. Behind it is the Kapital circle around the accused boss Ivo Prokopiev. It was supported by the employer of the accused 20-year-old hacker Kristian Boikov", Politika deduced.

Hristo Ivanov rejected the allegation that Democratic Bulgaria (DB) had coordinated the attack against the NAP as "completely groundless". "Lawfulness, freedom of citizens and national security are essential causes for us", he explained. "It is absolutely unthinkable for us to be involved in such an attack against institutions and violate the rights of millions of Bulgarian citizens." If Ivan Geschev is indeed elected as Bulgaria’s Prosecutor General in October 2019, the confrontation between the political opposition and the state’s repressive apparatus is likely to intensify in the coming years.