Virginia Man Convicted for Deleting 96 Government Databases

A federal jury in Virginia has convicted 39-year-old Richmond resident James E. Thornton on multiple charges stemming from a 2023 cyber intrusion that resulted in the deletion of 96 government databases and unauthorized access to a victim's email account. Thornton, who was arrested in April 2024 following an FBI investigation, faced charges including computer fraud, unauthorized access to a protected computer, and aggravated identity theft. The case highlights the persistent vulnerabilities in government digital infrastructure and the serious consequences faced by perpetrators of such attacks.

According to court documents and testimony presented during the two-week trial, Thornton gained initial access to the targeted government network by deploying spear-phishing emails to employees of a federal agency. Once he obtained valid credentials through the phishing campaign, he leveraged those credentials to move laterally through the network and ultimately obtain administrator privileges. With elevated access, Thornton executed automated scripts that systematically deleted database files across multiple government systems, causing an estimated $2.3 million in damages and disrupting critical public services for several weeks.

The prosecution also established that Thornton separately stole the password of a private individual, whose identity remains protected under court orders, to access their email account without authorization. Forensic analysis conducted by the FBI's Cyber Division revealed that Thornton used the compromised email credentials to facilitate further reconnaissance activities and potentially harvest additional credentials for future attacks. Digital forensics expert Dr. Sarah Mitchell testified that the attack demonstrated sophisticated operational security, including the use of VPN services and cryptocurrency payments to obscure his location.

U.S. District Judge Thomas M. Reynolds has scheduled sentencing for March 2025, where Thornton faces a maximum penalty of 20 years in federal prison for the computer fraud charges alone, plus mandatory consecutive sentences for the identity theft counts. The case serves as a reminder of the importance of multi-factor authentication, regular security audits, and employee awareness training to prevent credential-based attacks against government systems.