RUTLAND — A Vermont man who prosecutors say was behind a hacking operation used to steal personal information from tens of thousands of people has pleaded guilty to a federal criminal charge in Vermont.

Nicholas Moses, 34, of Newport, Vt., who also uses the online alias “scrublord,” entered his guilty plea Wednesday in federal court in Rutland to a charge of conspiracy to commit fraud through the use of computers.

Judge Mary Kay Lanthier released Moses on conditions pending a sentencing hearing in October. The conditions prohibit him from leaving Vermont. 

Under a plea deal, Moses faces a maximum prison term of up to five years.

Moses operated a computer malware program known as SmokeLoader and used it “to harvest” data from victims, according to court filings. 

“Thousands of computers around the world have been infected with the SmokeLoadermalware by Moses and over 65,000 victims have had their personal information and passwords stolen by Moses,” court records stated. 

The scheme played out between January 2022 and May 2023, according to court documents.

Moses maintained a server in the Netherlands to deploy the SmokeLoader data-stealing malware program on the computers of unsuspecting victims, including banks, the documents stated. One of the financial institutions, court filings stated, was based in Charlotte, North Carolina.

The stolen information from the malware program would be sold in a “dark-web marketplace” and other cybercrime forums “to be exploited by others” or by Moses, according to court records.

In one instance on Nov. 30, 2022, the court documents stated, Moses took part in an online chat where he provided the usernames and passwords for victim accounts with several video streaming services he had obtained through the SmokeLoadermalware.

In a separate online chat session a short time later, Moses stated he had sold the credentials and password of victims for $1 to $5 each, court records stated.

Moses had sent a screenshot to another person of his SmokeLoader interface from his server in the Netherlands showing a database of 619,763 files containing victims’ stolen data, according to the court documents.

“The amount of loss that was known to or reasonably foreseeable by the defendant was in excess of $40,000 but less than $95,000,” the plea agreement stated. 

During the hearing Wednesday, the judge explained to Moses the rights he was giving up by pleading guilty to a felony charge. Moses told Lanthier he wanted to plead guilty to the charge and waive his right to his trial. 

This story was republished with permission from VtDigger, which offers its reporting at no cost to local news organizations through its Community News Sharing Project. To support this work, please visit vtdigger.org/donate.