Edwin Pena, 27, was convicted in February of masterminding a scheme to hack into more than 15 telecommunications companies and then reroute calls to their networks at no charge. He must also pay more than US$1 million in restitution, and will be deported once his sentence is served.
Pena was sentenced by Judge Susan Wigenton in U.S. District Court for the District of New Jersey on computer hacking and wire fraud charges.
The scam cost his victims, including VoIP sellers Net2Phone, NovaTel and Go2Tel, more than $1.4 million in losses.
Pena is the first person to be charged by U.S. authorities with VoIP hacking, but he almost avoided prosecution. He skipped bail after his arrest, and was only captured after his Mexican girlfriend turned him in in early 2009.
Pena worked with Spokane, Washington, hacker Robert Moore to launch brute force attacks against the VoIP networks. Moore wrote computer programs that tried, again and again, to guess important prefix codes, which were then used to authorize traffic on the networks. Some of these codes were just four-digit numbers.
During a four-month period in 2005, Moore launched more than 6 million scans on AT&T's network, looking for vulnerable ports. AT&T helped authorities with their investigation, but was not named as a victim of the fraud.
Moore was previously given a two-year sentence for his role in the scheme.
Once he had access to the hacked networks, Pena operated as if he were a legitimate Internet phone wholesaler, selling telephone services to businesses at deeply discounted rates.
