Grant West, 26, carried out cyber-attacks on high street brands including Sainsbury’s, Asda, Uber, Argos and bookmakers Ladbrokes and Coral.
He obtained the email addresses of more than 160,000 people and sent them phishing scams masquerading as Just Eat to get their personal data.
West, who used the online identity “Courvoisier”, sold the information on the dark web, stashing his ill-gotten bitcoin profits in online caches.
He was sentenced to 10 years and eight months at Southwark crown court on Friday. The judge, Michael Gledhill, described West as “a one-man cybercrime wave” and said he had “secreted away” some of the £1.6m worth of cryptocurrency that is unaccounted for.
He said: “Regrettably, as this case has demonstrated, security of information held electronically is at best poor. When such inadequate security is confronted with a criminal of your skills and ambition it is totally unfit for purpose and worthless.
“This case should be a wake-up call to customers, companies and the computer industry to the very real threat of cybercrime.”
He added: “You have a deep and impressive knowledge of computers and if you had decided to use your abilities lawfully I have no doubt at all that you would have had a very successful career.
“Unfortunately you saw the potential of using your skills to make a great deal of money not lawfully but by crime, blatant crime and your crimes were highly sophisticated.”
West’s two-and-a-half-year scam came to an end in September last year when he was arrested in a first-class train carriage in the act of accessing the dark web. He had been returning from a trip to visit his girlfriend and co-defendant, Rachael Brooks, in North Wales.
West, who was living in a caravan park in Sheerness in Kent, used the stolen email addresses to send out messages posing as Just Eat with offers of cash rewards in exchange for customers filling out a survey.
Respondents were asked to confirm personal emails and supply extra details in order to obtain the reward, which were then harvested by West. The information, which included everything needed to make purchases online, was then advertised and sold to customers from his dark-web shop.
He built up huge caches of bitcoin and other cryptocurrency in online “wallets”. Police also found £25,000 in cash and a stash of cannabis when they raided his home last year.
The prosecution estimated that the total loss to customers and businesses was more than £1m.
A total of £84,000 was fraudulently taken from compromised accounts held at Barclays, costing the bank more than £300,000 to remedy. British Airways also suffered a £400,000 loss after Avios accounts were targeted.
Just Eat said no financial information was obtained in West’s fraud, but estimated the cost of combating the scam at more than £200,000.
Brooks, of Denbigh, North Wales, was previously given a community order after she admitted using the details of two of West’s victims to buy herself a bikini online.
West previously admitted a string of charges including conspiracy to defraud, unauthorised modification of computer material, possession and supply of cannabis, possessing criminal property and money laundering.
He has a number of previous convictions, including drug offences and other frauds.
Anna Mackenzie, defending, said West has been a cannabis user since the age of 14 and suffered from low self-esteem, lack of confidence, anxiety and depression.
“He has expressed remorse and shame and acknowledges his irresponsibility, selfishness, greed and hunger to succeed,” she said. “He wishes to offer apologies to the victims and businesses affected by his actions.”
Your views are important to us, so please feel free to give is your feedback on any of our reviews