The man, 20-year-old Ardit Ferizi from Kosovo, who entered Malaysia in August 2014 to study computer science and forensics, will be extradited to the United States, police said on Thursday night.
The suspect communicated with an Islamic State member in Syria about hacking servers containing information and details of U.S security personnel, Malaysian police said.
“The details were then transferred to the operation unit of the IS group for further action,” the police said in a statement.
U.S. government experts say that in practice, Islamic State’s hacking exploits have been rudimentary and have done little known damage to any targeted institutions or individuals.
In contrast, the group’s coterie of cyber specialists is regarded by American and allied government counterterrorism agencies as highly sophisticated in its use of social media to spread Islamic State’s message and recruit new members and supporters.
The U.S. Justice Department said Ferizi, a known hacker, had been charged with hacking the personal information of 1,351 U.S. military personnel and federal employees and supporting Islamic State.
Ferizi, believed to be the leader of a Kosovar Internet hacking group called Kosova Hacker’s Security, hacked the computer system of a U.S. company and stole the personal identification information (PII) of thousands of individuals, the department said in a statement on Thursday.
“This case is a first of its kind and, with these charges, we seek to hold Ferizi accountable for his theft of this information and his role in ISIL’s targeting of U.S. government employees,” Assistant U.S. Attorney General John Carlin said in the statement.
The criminal complaint says Ferizi provided the PII to Islamic State members including Junaid Hussain, a British hacker who U.S. and European officials said was a top cyber expert for Islamic State in Syria. Hussain originally from Birmingham, England, was killed in a U.S. drone strike on Aug. 25, a U.S. source told Reuters at the time.
Between April and August, the complaint says, Ferizi gave the PII to Islamic State. On Aug. 11, Hussain in turn posted a tweet titled “NEW: U.S. Military AND Government HACKED by the Islamic State Hacking Division!” which contained a hyperlink to a 30-page document.
The document said in part: “We are in your emails and computer systems, watching and recording your every move. We have your names and addresses.”
It said that information would be passed on to Islamic State fighters, “who soon with the permission of Allah will strike at your necks in your own lands!”
The Justice Department said, “This posting was intended to provide ISIL (Islamic State) supporters in the United States and elsewhere with the PII belonging to the listed government employees for the purpose of encouraging terrorist attacks against those individuals.”
Muslim-majority Malaysia has not experienced significant militant attacks, but it has arrested more than 100 citizens this year on suspicion of links to Islamic State.