The Suffolk panel will investigate how long workers suspected illegal bitcoin mining

A Suffolk County legislative committee investigating the 2022 ransomware attack will also examine county employees’ knowledge of illegal bitcoin mining in a county data center in the years before it was reported to the Suffolk district attorney in 2021, the committee chairman said.

Newsday on Sunday reported that several county employees who worked for the Department of Information Technology suspected or knew about the illegal crypto-mining of Suffolk Clerk’s Assistant IT Director, Christopher Naples, from six months to four years before an employee alerted the District Attorney’s office. An employee said in a sworn statement that the county’s top cybersecurity coordinator told him that bitcoin mining in Naples had been operating since 2017.

“I’m disappointed that no county staff came forward if they knew about this,” Committee Chair Legis said. Anthony Piccirillo (R-Holtsville). “I can understand their trepidation and why they would be afraid” given what he said was a legacy in county government of retaliation and intimidation.

Piccirillo said the committee “will definitely question that.”

Meanwhile, Naples moves on to new pursuits.

On March 21, Napoli was elected executive vice president of the Riverhead County Center unit of the Association of Municipal Employees, according to a flyer posted in the clerk’s office.

Daniel Levler, AME president, did not return a call for comment. Neither did Pauline Jenkins, who was elected president of the Riverhead County Center unit.

Authorities charged Napoli with third-degree grand larceny, public corruption and computer breach. His case is pending in Southampton Town Justice Court, where his attorney, William Keahon, said earlier this month that he expected the case to be resolved soon. Naples has another court date in May.

Napoli was suspended with pay following his arrest on September 8, 2021 in connection with the bitcoin mining operation. He earned $149,721 last year, according to payroll records.

Exactly how much Napoli earned in bitcoin has not been disclosed. Business records show that a company he runs, IT Fusion, reported $835,000 in sales last year.

Bitcoin is a form of cryptocurrency. It is based on what is known as the blockchain, which is a series of data points linked together. Adding a block to the chain requires someone to ensure that the encryption was done correctly. It’s called “proof of work”, which is the same as bitcoin mining. It is done through a complex mathematical process. When someone completes a proof of work, the reward is a bitcoin.

Earlier this year, Piccirillo told Newsday that the committee would also investigate why a dozen IT employees and county officials had signed unprecedented nondisclosure agreements in the wake of the ransomware attack.

Newsday has since obtained copies of those non-disclosure agreements in response to a Freedom of Information request, and among those who signed them were IT Commissioner Scott Mastellon and Deputy Commissioner Ari McKenzie, who is also Chief Technology Officer. The NDAs indicate that the 12 people who signed them gained access to the county’s “sensitive cloud and on-premises applications,” including “information or data about county employees and personnel.”

Suffolk Comptroller John Kennedy confirmed in a Newsday story last month information from a county source that IT staff had signed NDAs to review private county employee emails from last fall. The source also met with an investigator from Suffolk District Attorney Ray Tierney’s office about the nondisclosure agreement. Some county employees are seeking whistleblower status to talk to the committee and the DA, said a source seeking that status.

Tierney at the time declined to comment on whether his office was investigating, but Piccirillo said, “I look forward to investigating the legality of these nondisclosure agreements.”

Suffolk County explained the use of NDAs this way: “Because of the county’s decentralized [information technology] infrastructure and because the county’s IT follows a least-privilege policy to minimize access, the county needed all hands on deck to help restore county services, therefore the Incident Response Team needed improved access to information they previously did not have access to.”

Piccirillo said his committee, and committee counsel Richard Donaghue, continue to press the Bellone administration for information about the county’s response to and preparedness for the attack. He said the committee recently received copies of a 40-page report on the incident from a division of Palo Alto Networks, the company that provided the firewall and other cybersecurity systems ahead of the attack. Piccirillo and others have raised questions about the appropriateness of Palo Alto’s Unit 42 department conducting the probe, given the company’s role as a provider of cybersecurity products.

Piccirillo also said the committee is reviewing a batch of emails provided by the Bellone administration after a request for about 8,000 emails dating back to June. He said depending on the completeness of the material, the committee would decide whether or not it was necessary to subpoena the administration for more information.

The committee will meet later this month to decide when to hold public meetings and who the first witnesses will be.