MORE THAN 70 people have been arrested around the world in the takedown of one of the most active underground cybercrime web forums, according to authorities.
Darkode, which had been in operation since 2007, was an online marketplace catering to cybercriminals buying and selling hacking tools, zero-day exploits, ransomware, stolen credit card numbers and other banking data, as well as spamming and botnet services, before authorities seized it this week.
“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” US Attorney David Hickton said in a statement. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
The crackdown, dubbed Operation Shrouded Horizon by the FBI, was initiated two years ago by that agency’s Pittsburgh, Pennsylvania, office but eventually included Europol and law enforcement agencies in more than 20 countries.
So far at least 12 people have been arrested in the US, and another 28 are known to have been arrested on Tuesday in Denmark, Germany, India, Israel, Romania, Sweden, and the UK.
The alleged administrator of the site at the time of the crackdown was Johan Anders Gudmunds, a 27-year-old Swede who went by the online handles “Mafi,” “Crim,” and “Synthet!c,” and who took control of the forum from its founder in May, 2010, according to authorities.
Gudmunds allegedly created and sold a number of malware exploit packages (such as CrimePack, Antiklus and Pandemiya 2014), according to the indictment (.pdf) against him. He also allegedly created a botnet malware called Blazebot and controlled and sold access to a Zeus botnet that was 60,000 computers strong. The Zeus malware was designed to steal bank account credentials.
He allegedly sold access to botnets at a rate of $80 per 1,000 compromised computers and sold—for the bargain price of just $50—root access to hacked servers at the University of Erlangen-Nurnberg in Germany and the University of Pisa in Italy. In 2010, an undercover FBI agent ensnared him in a trap when Gudmunds allegedly offered and sold the Fed root access to three servers he had hacked in the US and Europe. To complete the transaction, he supplied the undercover Fed with his banking information, including a Web Money account.
The Birth of an Underworld
The forum was created sometime in 2007 by an unindicted co-conspirator who used the hacker handle “Iserdo” and who authorities identify in the Darkode documents only as M.S. Iserdo, however, has long been identified publicly as Matjaž Škorjanc, a 27 year old Slovenian, who was arrested in 2010 in Slovenia and charged with creating the massively popular botnet malware known as Mariposa. Mariposa (“butterfly”in Spanish) was designed to steal banking credentials and other passwords and was responsible for infecting an estimated 8 to 10 millions computers, including at least 40 banks and hundreds of companies. Škorjanc wassentenced to five years in prison in 2013.
According to the Darode documents, Iserdo/M.S. created the site with another unindicted co-conspirator who used the monikers “nocen” and “Loki.” He allegedly created the site initially as a means to market his Mariposa toolkit and other products, but eventually it expanded into a wider marketplace as the user base grew.
As it developed, the aim became to provide an underground gathering place for the top hackers and cybercriminals online, but it was soon discovered by white hat security researchers, journalists and so-called script kiddies, who brought unwanted attention to the forum.
Darkode eventually became one of the hangouts of the notorious Lizard Squad—a loud and boisterous hacking crew who took credit for numerous DDoS attacks against Sony’s PlayStation Network and others and who famously caused a stir last year when it managed to get a flight carrying Sony Online Entertainment President John Smedley to make an emergency landing after the group sent out a tweet suggesting that the plane might have explosives on board.
As the quality of the Darkode forums degraded, Gudmunds allegedly grew frustrated with the clientele it was attracting, complaining at one point in 2012 to another member that he wanted help bringing in new members “instead of the every day script kiddies.” By then, however, the site had already attracted the attention of undercover Feds who were working to unmask its administrator and members.
The Denizens of Darkcode
Those who have been arrested in the US in association with Darkode include:
Morgan C. Culbertson, a 20-year-old from Pittsburgh who was known online as “Android,” allegedly created and sold a malicious program known as Dendroid for stealing data from Google Android phones.
Eric L. Crocker, 39 and from Binghamton, New York, allegedly used a Facebook Spreader to infect Facebook users with bonnet malware before selling access to the botnet to others for spreading spam.
Naveed Ahmed, 27, of Tampa, Florida; Phillip R. Fleitz, 31, of Indianapolis; and Dewayne Watts, 28, of Hernando, Florida, who have been charged with maintaining a spam botnet that authorities say used “bulletproof” servers hosted in China and vulnerable routers in third world countries to send millions of spam messages designed to cell phone users. According to an information sheet (.pdf) from Pittsburgh authorities, they used a program to generate a random list of millions of phone numbers, then added service provider domains to them to send SMS spam to the phone users attached to those accounts, offering free Best Buy gift cards.
Daniel Placek, 27 from Glendale, Wisconsin, is accused of creating the Darkode forum and selling malware designed to intercept and collect e-mail addresses and passwords from networks.
Rory Stephen Guidry of Opelousas, Louisiana is also accused of selling botnet access on Darkode.
But that is just the beginning. Arrests are ongoing.