Menu
Browse

Cyber Threat Actor: Jonathan Ly

Actor Type Location Known Incidents
 Icon
Insider - Disgruntled
United States of America
1 incident
Profile

The threat actor known by the alias Jonathan Ly is a former information technology employee who worked at Expedia’s Hotwire.com division. He is located in the United States of America, as indicated in the provided context. Ly held a senior IT technician position, which granted him privileged access to internal networks and devices. Between 2013 and 2016 he exploited his technical privileges to compromise the devices of senior Expedia executives. His actions included stealing passwords and maintaining remote access to laptops and email accounts belonging to the chief financial officer and the head of investor relations. The unauthorized access allowed him to view confidential communications and documents that contained non‑public market‑sensitive information. Ly used the obtained information to conduct a series of stock‑option trades that generated approximately $331,000 in illicit profits. Even after leaving the company he retained an Expedia laptop without authorization and continued to access executive devices. To conceal his activity he impersonated other employees, making it appear that legitimate users were accessing the compromised systems. The scheme was uncovered through enhanced monitoring practices deployed by Expedia, which prompted a collaboration with federal law enforcement.

The primary sector targeted by Ly was the technology and travel services industry, specifically the internal systems of a major online travel company. His strategic objective was financial gain, achieved through insider trading based on the non‑public information he obtained. No evidence points to espionage, disruption, or any state‑sponsored nexus in his activities. The tactics observed in this case involve credential theft, abuse of legitimate remote‑access capabilities, and the retention of corporate hardware after termination. Ly’s tooling style consisted of using standard access methods rather than custom malware; he relied on stolen passwords and impersonation to maintain persistence. There is no indication that he employed any specific malware families or exploit frameworks in the reported incident. Attribution remains limited to an individual actor; no affiliations with criminal consortia, hacking groups, or nation‑state actors have been publicly established. The Expedia insider‑trading operation from 2013 to 2016 represents the only publicly reported campaign associated with Jonathan Ly. Legal proceedings resulted in a guilty plea to securities fraud, an agreement to repay the illicit profits and investigation costs, and a potential sentence of up to twenty‑five years in prison. The case highlights how an insider with legitimate access can abuse trust for financial benefit without relying on sophisticated external tools.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source