Gottfrid Svartholm Warg. Photo: Simon Klose/WikiCommons
After what amounted to a false start, the largest hacking case in Danish history launched on Tuesday with the prosecution showing as yet unseen footage of the squalid state in which Pirate Bay co-founder Gottfrid Svartholm Warg was living in Phnom Penh when Cambodian Police raided his apartment in 2012.
The home-video style footage, shot as police arrested Warg, shows the dirty mattress on the floor, where the 29-year-old hacktivist was sleeping, and cans and other rubbish piled high in every corner.
Warg is shown looking slightly pathetic and painfully thin, puffing in an eccentric mechanical fashion on a cigarette.
Anders Riisager, the deputy public prosecutor, gave no rationale for showing the footage, saying only that they would "come back to his later", but the video's surprise appearance confounded police critics who have claimed they have discovered no new evidence in their 15-month investigation.
Warg and his 21-year old Danish co-defendant are accused of hacking into Danish computer mainframes operated by US IT giant USC, stealing social security numbers from Denmark's national driving licence database, illegally accessing information in a Schengen Region database and hacking into police email accounts.
In his introduction, Riisager painted the intrusion in the most dramatic terms.
"Let me start a bit untraditionally with what the case is not about," he began his address. "This case is not about free speech, but the biggest hacker attack on police records."
"There is no evidence that data on CSC was changed," he said. "But with such large volumes, one can never be certain. My criminal record could have been changed to say that I am a murderer."
Riisager argued that "Warg is probably a genius with a computer, even he will probably not deny that. A simple Google search also shows that Warg, also known as anakata, is known both as an IT specialist and hacker."
Maria Cingali, the other prosecutor, then took the jury through the technical evidence.
As well as the many files and logs linking Warg's computer to the intrusion at CSC, she revealed that the hacker had run searches on the criminal register for Warg's date of birth, for WikiLeaks founder Julian Assange, and for two Swedish criminals.
Although the police remained unable to break the encryption on the laptop seized from the 21-year-old co-defendant, she said, there was still significant evidence on the unencrypted parts of the disc.
Police found flight confirmation details showing that the security consultant had flown to Cambodia in March 2012, a month before the data intrusion began.
Cingali also showed excerpts of chat logs between two hackers using the nicknames "My Evil Twin" and "Advanced Persistent Terrorist Threat", who Danish police believe to be Svartholm and his Danish co-defendant respectively.
In the chats, in which they discuss hacking CSC's database, Advanced Persistent Terrorist Threat reveals that he was was born in 1993, speaks Danish, used to work for PriceWaterhouseCoopers, and has a grandfather who was part of the group that developed the original CPR registry, all of which point towards the 21-year-old.
According to Cingali, the unencrypted parts of the drive also held a special control system that can be used to access CSC-systems, as well as a guide to how this mainframe could be hacked.
Warg is expected to argue, as he did in the related Swedish case in 2013, that the Macbook computer seized at his flat in Cambodia in August 2012, which contains much of the incriminating information for both cases, was a server he shared with several other people.
One of those others, he claims, probably accessed the computer remotely and then used it to carry out the intrusion.
Sweden's Appeal Court ruled in 2013 that the prosecution had not provided sufficient evidence to rule out the possibility of remote control, as a result clearing Warg of hacking into the Scandinavian bank Nordea.
In his opening statement Riisager contradicted the Swedish court's findings.
"Technical studies indicate that the computer was rebooted 172 times during the critical period, which should have prevented any remote control, and technical studies find no evidence that the remote control has taken place," he said.
"The Centre for Cybercrime, which among others has helped to investigate the computer, has stated in its conclusions that they find it very unlikely that remote control happened," he added.
Tuesday's hearing was delayed almost as soon as it began, after the defence objected to what they called a "deliberate" and "tactical" attempt by the prosecution a new 27-page document, and a USB stick containing 92 slides the defence complained were confusing and made unwarranted assumptions in the case. After the prosecution agreed to discard the disputed slides, the case went ahead after lunch.