One of the most infamous and exclusive underground international cybercrime forums was infiltrated and shut down by international law enforcement agencies, resulting in charges, arrests, and searches of 70 members of this illegal meeting place for buying and selling malware, botnets, stolen personal information, credit cards, credentials, and software used for hacking organizations and individuals worldwide.
Investigators say that while the forum’s existence was widely known, they hadn’t been able to penetrate it until recently. Darkode operated under password protections and required referrals to join. On Wednesday, the site consisted of an image saying that it had been seized by authorities.
John Lynch, chief of the criminal division’s Computer Crime and Intellectual Property Section, called Darkode “a self-contained market” with sophisticated relationships in which participants used their connections to maximize the amount of money and damage they could extract.
“Following a lead generated in Pittsburgh around 18 months ago, the FBI cybersquad here launched Operation Shrouded Horizon. The bureau’s local office assembled a coalition that started domestically with the bureau’s offices in Washington, D.C., San Diego, New Orleans and San Francisco, and extended to online enforcement teams in 20 countries, including numerous European countries, Israel, Australia, Colombia, Brazil and Nigeria.”
The site, which had roughly 250 to 300 active members, was seized and shut down by authorities Tuesday as most of the arrests were being made and search warrants were being executed.
Hackers couldn’t just log onto the site. They had to be vouched for or nominated by current members to be able to buy, sell or solicit illegal wares or services on the site, authorities said.
Some of the targets were responsible for hacking into Sony’s PlayStation Network and Microsoft’s Xbox Live services last year around Christmas, authorities said.
British authorities in January arrested an 18-year-old man for computer hacking offenses related to the disruptions but hadn’t released his name. The South East Organized Crime Unit said then it had worked with the FBI.
“Most of the cybercrime forums are in Russian or some other language that’s not English, but this was an English-language forum,” Mr Krebs told the BBC.
“And it was a sort of meeting ground for cybercriminals from different nationalities and languages.
“A fairly significant number of people were selling botnet services there, and there were also services for deploying malware and phishing.”
He added that the forum’s visitors included members of Lizard Squad – a group of hackers which has carried out high-profile attacks on Sony, Microsoft and others.
“The guy that was most recently the admin of the forum used the nickname Sp3c,” Mr Krebs recalled.
“He was a leading member of the Lizard Squad. What’s interesting is that you don’t see his name in the lists of those that were apprehended or charged as part of this.
“I don’t really know what that means, but there was a definite connection between the Lizard Squad and this forum, at least in the last year or so.”
The FBI said that Operation Shrouded Horizon had indicated up to 300 people had used the forum.
“During the investigation, the bureau focused primarily on the Darkode members responsible for developing, distributing, facilitating and supporting the most egregious and complex cybercriminal schemes targeting victims and financial systems,” it said.
Darkode’s products included the personal information of 39,000 people from a database of social security identification numbers, and 20 million email addresses and user names that could be used to target people.
As always happens after a high-profile government takedown, the cybercrime community is atwitter with rumors and speculation. Did the administrators manage to kill or wipe the servers before seizure? Did the FBI really get the site’s main administrators (they’ve been known to exaggerate in initial reports)? These are salient questions because, despite the fact that Darkode was supposedly structured to be safe for its users, criminal admins have been known to collect info on their users specifically for later use as a Get Out of Jail Free card. High-level users still at large will be watching out for such news — perhaps while packing for a one-way trip to Eastern Europe.
- Johan Anders Gudmunds, aka Mafi aka Crim aka Synthet!c, 27, of Sollebrunn, Sweden, is charged by indictment with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. He is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to create botnets. Gudmunds also allegedly operated his own botnet, which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions. Gudmunds allegedly created and sold a number of malware exploit packages (such as CrimePack, Antiklus and Pandemiya 2014), according to the indictment against him. He also allegedly created a botnet malware called Blazebot and controlled and sold access to a Zeus botnet that was 60,000 computers strong. The Zeus malware was designed to steal bank account credentials.
- Morgan C. Culbertson, aka Android, 20, of Pittsburgh, is charged by criminal information with conspiring to send malicious code. He is accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was allegedly offered for sale on Darkode.
- Eric L. Crocker, aka Phastman, 39, of Binghamton, N.Y., is charged by criminal information with sending spam. He is accused of being involved in a scheme involving the use of a Facebook Spreader that infected Facebook users’ computers, turning them into bots that Crocker controlled through the use of command and control servers. Crocker sold the use of this botnet to others for the purpose of sending out massive amounts of spam.
- Naveed Ahmed, aka Nav aka semaph0re, 27, of Tampa, Fla.; Phillip R. Fleitz, aka Strife, 31, of Indianapolis; and Dewayne Watts, aka m3t4lh34d aka metal, 28, of Hernando, Fla., are each charged by criminal information with conspiring to send spam. They are accused of participating in a sophisticated scheme to maintain a spam botnet that utilized bulletproof servers in China to exploit vulnerable routers in third world countries, and that sent millions of electronic mail messages designed to defeat the spam filters of cellular phone providers.
- Murtaza Saifuddin, aka rzor, 29, of Karachi, Sindh, Pakistan, is charged in an indictment with identity theft. Saifuddin is accused of attempting to transfer credit card numbers to others on Darkode.
- Daniel Placek, aka Nocen aka Loki aka Juggernaut aka M1rr0r, 27, of Glendale, Wis., is charged by criminal information with conspiracy to commit computer fraud. He is accused of creating the Darkode forum, and selling malware on Darkode designed to surreptitiously intercept and collect email addresses and passwords from network communications.
- Matjaz Skorjanc, aka iserdo aka serdo, 28, of Maribor, Slovenia; Florencio Carro Ruiz, aka NeTK aka Netkairo, 36, of Vizcaya, Spain; and Mentor Leniqi, aka Iceman, 34, of Gurisnica, Slovenia, are each charged in a criminal complaint with racketeering conspiracy; conspiracy to commit wire fraud and bank fraud; conspiracy to commit computer fraud, access device fraud, and extortion; and substantive computer fraud. Skorjanc also is accused of conspiring to organize the Darkode forum and of selling malware known as the ButterFly bot.
- Rory Stephen Guidry, aka [alias not preserved in source], of Opelousas, La., is charged with computer fraud. He is accused of selling botnets on Darkode.
- In a related case, Aleksandr Andreevich Panin, aka Gribodemon, 26, of Tver, Russia; and Hamza Bendelladj, aka Bx1, 27, of Tizi Ouzou, Algeria, pleaded guilty on Jan. 28, 2014, and June 26, 2015, respectively, in the Northern District of Georgia in connection with developing, distributing and controlling SpyEye, a malicious banking trojan designed to steal unsuspecting victims’ financial and personally identifiable information. Bendelladj and Panin advertised SpyEye to other members on Darkode. One of the servers used by Bendelladj to control SpyEye contained evidence of malware that was designed to steal information from approximately 253 unique financial institutions around the world. Panin and Bendelladj will be sentenced at a later date.