Police Shutter Darkode Cybercrime Forum

Alleged Fraudster Forum Specialized in Malware, Zero Days

An international police operation has resulted in charges being filed against dozens of suspected fraudsters, as well as the shuttering of infamous hacking forum Darkode. But it is not yet clear if the operation will take a serious bite out of cybercrime.

Officials first confirmed the details of the international operation July 15. It involved 20 countries - ranging from Australia, and Bosnia and Herzegovina to Brazil and Colombia, to the United Kingdom and the United States - working together to disrupt Darkode, and resulted in 28 arrests worldwide. "Today's global action caused significant disruption to the underground economy and is a stark reminder that private forums are no sanctuary for criminals and are not beyond the reach of law enforcement," says Rob Wainwright, director of the European association of police agencies, known as Europol.

In the United States, the Department of Justice has filed charges against 12 individuals allegedly associated with the forum. It says that in total, 70 alleged Darkode members - or their associates - were recently searched, charged or arrested worldwide. Officials say that forum members advertised everything from stolen usernames and passwords to Social Security numbers, and that the related charges filed range from hacking, identity theft and racketeering to extortion, money laundering and bank fraud.

The investigation was led by the Pittsburgh office of the FBI, working with Europol and its European Cyber Crime Center, known as EC3, which is based in the Netherlands. The FBI says during the course of the 18-month operation - dubbed Operation Shrouded Horizon - it had successfully infiltrated the ranks of Darkode's invitation-only membership base, gaining access to the online-only, password-protected forum.

Officials say Darkode specialized in the buying and selling of malware, zero-day exploits and access to compromised servers. The site reportedly also functioned as a collective with 250 to 300 active members. Those members aimed to recruit new members who could enrich the forum with new skills or software that would allow the group to infect an ever-expanding number of PCs with malware, and then use them for criminal purposes.

Alan Woodward, a visiting professor at Surrey University, as well as a cybersecurity adviser to Europol, says the Darkode disruption and related arrests are significant. "I don't want to sound too Star Wars-y about it, but it is the police striking back," he says. "There's been a lot of hackers thinking they were operating with impunity, and particularly on Darkode."

Participating in a forum on which hackers advertised their skills - in effect, a LinkedIn for cybercrime - turned out to be a "naïve" move, he says. "In some ways it was a bit like they shot themselves in the foot, because they were effectively all walking around with a big badge saying, 'I'm a really good hacker.'"


Europol cybersecurity adviser Alan Woodward discusses the Darkode disruption.

Charged: Alleged Darkode Admin

The FBI says one of the defendants charged in connection with the case is the alleged Darkode administrator, 27-year-old Swede Johan Anders Gudmunds, a.k.a. Mafi, Crime, Synthet!c. He faces multiple computer fraud, wire fraud and money laundering charges related to his allegedly administering the site, as well as developing and selling botnet-building malware. "Gudmunds also allegedly operated his own botnet, which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200 million occasions," the FBI alleges.

The FBI also announced charges against a number of others who allegedly advertised goods via Darkode, including:

  • Pittsburgh-based 20-year-old Morgan C. Culbertson, a.k.a. Android, who's been accused of designing and selling on Darkode remote-control malware for infecting Android devices;
  • Eric L. Crocker, a.k.a. Phastman, 29, of Binghamton, N.Y., who's been charged with using a "Facebook Spreader" to infect Facebook users' PCs, then using them to distribute massive quantities of spam;
  • Americans Naveed Ahmed, 27; Phillip R. Fleitz, 31; and Dewayne Watts, 28 - who were charged with conspiring to send spam to mobile phones in part by using bulletproof servers in China;
  • Slovenian Matjaz Skorjanc, a.k.a. iserdo, 28, who's been charged with helping to organize Darkode, as well as with selling malware known as the ButterFly bot, which was used to build the Mariposa botnet, which Spanish police dismantled in 2009.

In a related case, Russian national Aleksandr Andreevich Panin, a.k.a. Gribodemon, who's 26, and Algerian national Hamza Bendelladj, a.k.a. Bx1, who's 27, pleaded guilty in January 2014 and June 2015, respectively, in U.S. federal court to charges related to "developing, distributing and controlling SpyEye, a malicious banking Trojan designed to steal unsuspecting victims' financial and personally identifiable information," the FBI says. Officials say their malware has been tied to attacks against 253 financial institutions worldwide. Panin and Bendelladj have not yet been sentenced.

Cybercrime Ecosystem Disrupted?

What effect might some well-targeted arrests have on the overall cybercrime ecosystem? While arresting a bank-robbery gang, for example, arguably only leads to the cessation of that gang's bank robberies, law enforcement officials and information security experts estimate that there are only between 100 and 200 people who enable the majority of the world's cybercrime by providing today's most-used "cybercrime-as-a-service" offerings (see How Do We Catch Cybercrime Kingpins?). Those range from so-called bulletproof hosting sites, which promise to not look at what people are using the service to host or launch; to botnets-for-hire; to automated exploit kits; to "infection-as-a-service" providers, who sell access to pre-infected PCs.

Darkode, however, was just one of numerous online forums devoted to crime, and it's unclear how much of an impact its disruption might have on the cybercrime landscape. Still, Europol says Darkode was the world's most popular English-speaking hacking forum, ranking "in the top five of the most prolific criminal forums worldwide - a ranking otherwise dominated by Russian-speaking criminal platforms."

David J. Hickton, U.S. Attorney for the Western District of Pennsylvania, says that while the FBI is currently tracking about "800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world, and was the most sophisticated English-speaking forum for criminal computer hackers in the world."

That English-language caveat is crucial, because U.S. and European police agencies have no legal prerogative to extradite or charge suspects located in some countries, such as Russia or China, where a significant number of cybercriminals are based. But then again, the United States, Europe and South America are also hotbeds for online crime operations - and the alleged Darkode administrator was based in Sweden (see OPM Breach: Get Your Priorities Straight).


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



