Support wouldn’t change his password, so he mailed them a bomb

by Lisa Vaas, Sophos

On 8 March, Cryptopay co-founder Wesley Rashid began to open a padded package addressed to two of his employees.

Something about it struck him the wrong way, though, so he didn’t open it all the way. That was a fortunate decision. The package held a bomb that could have injured or even killed him.

London’s Metropolitan Police announced on Friday that the sender, a 43-year-old Swedish man named Jermu Michael Salonen, has been sentenced to six and a half years in prison for sending the potentially lethal homemade bomb.

It turns out that the package had been delivered months earlier, around November 2017, to an office unmanned by Cryptopay employees. The UK crypto-wallet business had at one point employed an accounting firm that did have an office in that location, but fortunately nobody at the accounting company opened it on behalf of its client. The letter bomb just sat there, unopened, for five months.

Forensic specialists managed to retrieve some DNA samples from the package, but no matches were found in the UK. Investigators turned next to Interpol, and that’s when they hit a match, turning up Salonen’s DNA sample in Sweden.

Police said he was known to Swedish authorities. In addition to being found guilty of attempted murder by Stockholm District Court, Salonen was also convicted of mailing threatening letters to Swedish lawmakers and government officials.

Finally, he was also found guilty of 20 counts of threats in relation to letters filled with a mysterious white powder that was sent to Swedish lawmakers. According to the Associated Press, Prime Minister Stefan Lofven received some of that powder in August 2017, along with a handwritten letter that said: “you will soon be dead.”

When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb – or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package – the only thing the company could think of was that it had declined his request for a password change.

In August 2017, Salonen, a customer of Cryptopay, emailed their customer services team to ask for a new password. They refused, given that it was against the company’s privacy policy.

A fair point, as it’s never a good idea to send a new password in an email. A password-reset link is safer all round, although it’s not clear if Cryptopay offered this option to Salonen.

Commander Clarke Jarrett, head of the Met Police Counter Terrorism Command:

Salonen seemingly made and sent a device that had the capability to seriously harm and even kill over something as inconsequential as a change of password.

Fortunately the bomb did not detonate. It was due to sheer luck that the recipient ripped opened the package in the middle rather than using the envelope flap which would have activated the device.

Sheer luck, sheer four-leaf clover, sheer good sense to stop when things seem a bit off.

Next time you have to deal with a customer service rep, or your help desk staffers, or anybody who deals with opening your organization’s mail, be gentle. It’s shocking to think that any of them could one day risk their life at the hands of a mentally unstable, disgruntled customer, all over the most trivial of help-desk requests.