Pepijn van der Stap
Dutch cybersecurity specialist convicted for hacking, extortion and money laundering
Pepijn van der Stap is a Dutch cybersecurity specialist and convicted criminal. While employed as a software engineer at the Amsterdam cybersecurity firm Hadrian and volunteering as a researcher for the Dutch Institute for Vulnerability Disclosure (DIVD), he simultaneously orchestrated a criminal scheme involving the theft of data from millions of individuals and the extortion of companies for millions of euros.
Early Life and Background
Born around 2002 in the Netherlands, Pepijn van der Stap had early involvement with law enforcement, with his history beginning at age 12. He subsequently participated in the Dutch "Hack_Right" offender diversion program, an intervention designed to redirect technically skilled young individuals away from criminal activity. That program did not prevent his later re-offense.
Career
Van der Stap built a visible and apparently legitimate profile in the Dutch cybersecurity community. He was employed as a software engineer at Hadrian, an Amsterdam-based cybersecurity startup. Concurrently, he volunteered as a researcher at the Dutch Institute for Vulnerability Disclosure (DIVD), a non-profit organization composed of ethical hackers that responsibly discloses software vulnerabilities. At DIVD, he served as case lead on several significant vulnerability disclosure efforts and was regarded as a valued contributor.
Following his arrest in January 2023, Hadrian dismissed him and conducted an internal investigation. That investigation found no evidence that van der Stap had misused his position or access at the company for criminal purposes. Similarly, an independent forensic investigation commissioned by DIVD and carried out by Fox-IT concluded that he had not misused his access to DIVD systems or data.
Criminal Activity
From August 2020 until his arrest, van der Stap operated as part of a criminal group that hacked corporate networks, exfiltrated large volumes of data, and extorted victim organizations. Ransom demands frequently exceeded €100,000, and at least one victim paid €700,000. According to police, stolen data was often sold on criminal forums even after a ransom had been paid by the victim.
Van der Stap operated under aliases including "Umbreon" and used platforms such as RaidForums to sell stolen data. The criminal enterprise laundered proceeds estimated between €1.5 million and €2.7 million, primarily through cryptocurrency. A two-year police investigation that began in March 2021 culminated in his arrest on January 23, 2023.
Trial and Sentencing
Van der Stap was tried in Amsterdam, where he offered a near-full confession and expressed remorse for his actions. In an unusual request, he asked to remain in custody in order to continue receiving psychological therapy. His defense argued that his criminal conduct was not motivated by greed but represented a compulsive escape from personal trauma and PTSD.
On November 3, 2023, the court sentenced him to four years in prison, with one year suspended, along with a three-year probationary period. The sentence was below the six years demanded by the prosecution. The court cited his cooperation with investigators, his youth, and his psychological circumstances as mitigating factors.
Significance and Legal Context
The Dutch Public Prosecution Service (OM) explicitly framed the case as precedent-setting, describing it as "unique in nature and scope." Prosecutors sought a severe sentence to send a "clear signal" to the broader cybercrime community, arguing that large-scale data theft and extortion undermine both society and the digital economy. The OM stated that the case was intended to serve as a significant deterrent for other young, technically skilled individuals who might be tempted by cybercrime.
The case attracted substantial media attention in the Netherlands, largely due to the sharp contrast between van der Stap's public identity as an ethical security researcher and his simultaneous criminal operations.



