SINGAPORE — Using a hacking tool he downloaded, Lim Jun Quan exploited security vulnerabilities on several local websites to steal their database of customers’ usernames and passwords.

He then used the same combinations to make fraudulent purchases ranging from tablets and mobile phones from online marketplaces such as Groupon and Qoo10 to virtual currency for online games.

Although he was caught twice, Lim continued his racket, scamming 30 victims of around S$70,000.

Yesterday, the 22-year-old was sentenced to 28 months’ jail for 20 charges of cheating, unauthorised modification of computer material and trying to receive stolen property. Another 154 charges were taken into consideration for sentencing.

Deputy Public Prosecutor Suhas Malhotra said Lim was a “skilful hacker”. While he was serving National Service in 2013, he agreed to help a friend named Leong Jia Hao earn more money by hacking into online accounts to buy items using the account-holder’s credit that they then resold for profit.

In February 2014, Lim downloaded a hacking tool and used it to hack into www.meiji.com.sg to steal the company’s database of user accounts. Through trial-and-error, he logged into these individuals’ email accounts, which he used to shop on Groupon, PayPal and Qoo10.

Initially, they bought Groupon vouchers but found that redeeming items proved tricky since shops required a user’s identity card for verification. They moved on to electronic goods, such as tablets, which they asked to be delivered to a friend named Gabriel Tan Li Qun. They managed to make some money selling off some of these items they received.

Lim was arrested in June that year. By that time, he had hacked into 18 individuals’ accounts and performed 78 transactions.

While out on bail, he found a database of leaked email addresses and passwords and a list of vulnerable websites.

Between December 2014 and September last year, Lim hacked into various websites such as www.passionfloral.com.sg and www.momessentials.com.sg again to steal a database of usernames and passwords. Using the same modus operandi, he accessed one victim’s PayPal account and bought a virtual currency used for online games for reselling. He covered his tracks by diverting all PayPal emails.

The court was told that before his second arrest, Lim threw away the SIM card he had been using, and reformatted his mobile phone and computer which he used to commit the offences. He also made sure he connected to the Internet using prepaid SIM cards to avoid being traced to his home’s broadband connection.

While out on bail, he offended again. A victim paid him S$730 for virtual currency but Lim never transferred these to the buyer.

Urging the court to impose a total jail term of 30 to 36 months, Mr Suhas said Lim was an “intelligent and resourceful criminal” who took active steps to evade detection. SIAU MING EN