In the wonderful world of cyber threat intelligence and research, we often analyze the impact that cybercrime or nation-state activity has on the cyber threat landscape. Digital Shadows (now ReliaQuest)’ latest research, for example, includes analysis on recent ransomware attacks, new methods used in cybercriminal extortion, advanced persistent threat (APT) activity, dark web marketplace news, criminal forum member behavior — the (very exciting) list goes on!
Yes, we love writing about new discoveries and breakthroughs in the dynamic and ever-evolving cybersecurity realm, but this time around, we wanted to switch things up and flip our modus operandi on its head. Let’s talk about law enforcement and their impact on the cyber threat landscape.
The information security industry has been rocked by news of arrests on top of arrests, spanning between individual threat actors, nation-state affiliate groups, and drug-pushing cybercriminals. In response to this, we’ve been mulling over what this means for the threat landscape as a whole. Is this the end of the dark web golden era? Will cybercriminals be held accountable for their dirty deeds? Only time will tell, but we want to try and make a few inferences about what may be on the horizon, specifically as it relates to:
- The sentencing of Nathan Francis Wyatt, a member of TheDarkOverlord (TDO) threat collective
- The arrest of 179 cybercriminals across various marketplaces in the wake of DisrupTor, the joint operation conducted by the Department of Justice and Europol
- The charges brought to seven cyber threat actors for their connection with computer intrusion campaigns against more than 100 global victims.
Go to jail (go directly to jail), TDO.
In 2016, a hacking group known as The Dark Overlord (TDO) began terrorizing and extorting organizations and quickly became known to extort medical providers and sell stolen medical records. In 2017, the group made headlines for extorting media companies, like Netflix, and threatening to leak advanced copies of their products if they did not meet the ransom. Later in 2017, TDO successfully targeted Johnston Community School District in Iowa and leveraged their stolen data to send text messages to students’ parents, including threats of killing students at the high school. Additionally, TDO dumped the stolen data on Pastebin and stated the data was released to “help child predators.”
Nathan Francis Wyatt was part of TDO since 2016; he was responsible for contacting victims and demanding ransom payments. However, as many criminals do, he made a mistake: Wyatt registered phone numbers in his name to contact some of the victims. Through this, law enforcement connected him to the group, and Wyatt was arrested in the UK in 2017 and extradited to the US to face charges in December 2019.
In a St. Louis federal court, Wyatt pleaded guilty to identity theft and computer fraud charges. He reportedly apologized for his part in TDO attacks and stated he never wanted to touch a computer again. He was sentenced to five years in prison and ordered to pay USD 1.4 million in restitution to the group’s victims. In court, Wyatt admitted that the group obtained sensitive data from companies and threatened to release the data unless the companies paid a ransom of between USD 75,000 and 350,000.
TDO has not appeared to have been active since January 2019.
What does this mean for cyber threat actors?
In May 2018, Serbian authorities arrested another TDO-associated member; however, further details have not been released. TDO has always claimed to be a three-person team, and with two of the members arrested, it’s likely that their operations are significantly affected. The remaining member attempted to recruit new members by posting on the now-defunct hacking forum, KickAss, which ceased operations a few months later. An unsuccessful attempt to recruit new members indicates that law enforcement potentially succeeded in creating fear among cybercriminals, at least when operating with this trio.
Nathan’s arrest and conviction may have steered threat actors away from working with TDO. Still, given the ransomware groups’ activity throughout 2020, they were not successful in ultimately driving groups away from extortion tactics. With some groups reporting more than USD 29 million made since March 2020, it’s likely we won’t see a decline in these attacks anytime soon.
The end of the so-called “Golden Era” of dark web marketplaces
On 22 Sep 2020, a joint international operation resulted in 179 individuals’ arrest and the seizures of USD 6.5 million and 500 kilograms of illicit substances. The successful outcome of Operation DisrupTor (pause for appreciation of the operation name) elicited some strong words from the head of Europol’s European Cybercrime Centre (EC3). According to the EC3, “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” followed by Europol claiming that “the golden age of the dark web marketplace is over.”
This discovery caused us to have a retrospective look at the history of dark web marketplaces, a gander down dark web memory lane if you will. How can one forget Silk Road and the “Dread Pirate Roberts”? Silk Road was one of the first dark web marketplaces to conduct sales using the once-strange concept of Bitcoin in February 2011. It quickly gained notoriety and popularity, but popularity drew attention from criminals and law enforcement alike. In 2013, as a result of action taken by the FBI, Silk Road was no more, and dark web marketplaces took off in the wake of its demise. Dread Pirate Roberts, Silk Road’s founder, received a life sentence, which was likely meant to be a deterrent. Still, some reports claim that dark web activity and drug listings multiplied after the fall of Silk Road.
In a post-Silk Road dark web world, it was a matter of time to before a new market took over the reins; Silk Road 2.0 was created by some of the former Silk Road admins, but its tenure didn’t last – the FBI and UK’s National Crime Agency took it down via Operation Onymous. Enter Agora marketplace, which survived Operation Onymous and, in April 2015, surpassed the number of listings that Silk Road maintained at its height. Many dark web criminals were victims of exit scams during this time frame, where marketplace admins close down shop and take everyone’s funds. However, Agora remained a key contender for the dark web marketplace supreme until its disappearance in August 2015, which paved a path for the alpha of dark web marketplaces, AlphaBay.
AlphaBay took over a large portion of Agora’s customers and vendors and, by October 2015, held the dark web marketplace crown. That is until its downfall in July 2017, at the hands of Operation Bayonet, one of the most significant shakeups of the dark web marketplace landscape. The removal of AlphaBay and Hansa sent a message to the criminal underground; law enforcement agencies maintain a presence in these marketplaces – they even put this ominous splash page over AlphaBay and Hansa:
Following AlphaBay and Hansa’s fall, Dream Market reigned supreme for a while, alongside other notables such as Empire and Apollon. A more recent example of a marketplace that got the law enforcement treatment was Wall Street Market (WSM). WSM, at its peak, was booming with more than a million user accounts and 5,400 vendors. On 23 April 2019, rumors of an exit scam emerged as WSM admins claimed the site was going down for “maintenance.” As a part of that “maintenance,” the admins transferred customers’ funds to their accounts. Reports indicate WSM admins may have initiated an exit scam because of looming law enforcement activity. It’s also possible that reports of a potential exit scam caught law enforcement’s attention, and they wanted to catch the responsible parties before they got away and went into hiding. Regardless WSM ceased operations in May 2020.
Clearly there is a trend here. Dark web marketplace is created, dark web marketplace becomes popular, dark web marketplace is taken down, rinse and repeat. While Operation DisrupTor (again kudos to whoever is naming these things) was, in many ways, a successful operation and a landmark for law enforcement activity from a dark web marketplace perspective, the belief that the “Golden Era” of dark web market activity is over is a bit far fetched. It would be naive to assume that cybercriminals are unaware of law enforcement representatives maintaining a presence in these forums and marketplaces. In turn, this presence doesn’t stop them from continuing their wicked ways as the risk of being caught and likely will not outweigh the monetary reward they are achieving. The historical seizures of dark web marketplaces and marketplace exit scams have continually resulted in marketplace successors quickly taking over as top dog.
What does this mean for cybercriminals?
More than likely, law enforcement takedowns will be a powerful reminder of the importance of operational security (OPSEC). OPSEC is not just reinforced in the security world, but criminals practice this just as much, if not more. The screenshot below illustrates the level of detail that threat actors place in their OPSEC practices:
As law enforcement agencies continue to grow in their capabilities and establish footholds within the criminal underground, criminals will continue to adapt and adjust their tactics to circumvent compromise. That’s just how it has always been, and what would law enforcement agencies be without criminals? Batman needed the Joker, The Beatles needed The Rolling Stones, even Diane Sawyer needed Katie Couric.
“Hack the Planet” doesn’t sound as fun as it once did
Last week, the Department of Justice (DOJ) announced that they were able to track down and charge five members of the suspected People’s Republic of China (PRC) state-sponsored group, APT41 (aka Winniti Group). The hackers belonging to this group had become notoriously known for launching supply-chain attacks and intruding more than 100 technology companies and government entities worldwide. The group was also responsible for what some would consider unethical attacks, such as an incident where the group launched a ransomware attack on a non-profit organization designed to combat global poverty.
Two Malaysian businessmen who conspired with the group were also successfully arrested and charged with Malaysia’s government aid. The five accused members were nationals of the PRC and remained fugitives in the country. While law enforcement could not arrest all individuals involved, the FBI released a wanted poster on their website, exposing each member’s name and picture.
The court charged Zhang Haoran and Tan Dailin with 25 counts of aggravated identity theft, conspiracy, wire fraud, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA). Court records also stated that Zhang and Tan participated in a “video game conspiracy,” where the group targeted video game companies and sought to generate video game currency to sell for a profit. Tan had also been formerly known to develop a fraudulent anti-virus company named “Anvisoft.” https://www.fbi.gov/wanted/cyber/apt-41-group
The other three members, Jiang Lizhi, Qian Chuan, and Fu Qiang, were charged with nine counts of racketeering conspiracy, conspiracy to violate the CFAA, identify theft, aggravated identity theft, money laundering, and access device fraud. These three members were associated with a Chinese company called Chengdu 404 Network Technology, which acted as the legal front for the members’ activities.
What does this mean for nation-state threat groups?
Considering the Chinese government allegedly sponsored the group, arrest and extraction may not be possible for China’s five fugitives. The charging documents even stated that the group’s connections with the PRC led the criminals to believe that they were provided with a “free license to hack and steal across the globe.” However, the indictment sent a strong and powerful message – the United States is cracking down on cybercriminal activity and will do everything in its power to bring justice. FBI Deputy Director, David Bowdich, stated:
“Today’s announcement demonstrates the ramifications faced by the hackers in China, but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice. […] This case demonstrates the FBI’s dedication to pursuing these criminals no matter where they are, and to whom they may be connected.”
Is this indictment likely to deter future activity from APT41 and other nation-state threat actors? Perhaps not, but it is a step in the right direction. The arrests in Malaysia have shown that threat actors will be brought to justice for crimes against the United States whenever it is possible. Furthermore, it will remind threat actors that cyberattacks against the US will not be without consequences.
Progress is progress, but we still have work to do
Ideally, we would love to say that these law enforcement actions have spooked criminals into dropping off from the cybercriminal scene altogether; however, it’s not realistic. While we are still monitoring for chatter surrounding behavioral changes, criminals will likely continue to carry out their wicked schemes. There’s still so much more money to be made and intelligence to gather.
Online users will likely comment that these events provide a reminder for the importance of OPSEC and not getting complacent. Cybercriminals will probably use law enforcement action as a learning curve and improve their methodologies in the future. As the story goes, it’s always a story of the good guys trying to catch up to the bad, and that will continue to remain.
The significance of law enforcement coalitions tackling cybercriminal vendors on marketplaces, and their ability to track down vendors, may encourage criminal marketplace administrative teams to take more security-aware approaches, such as implementing PGP encryption, two-factor authentication (2FA), and leveraging Monero (XMR) to avoid tracking. Ultimately, cybercriminal marketplaces still have a purpose; it just might be in a different guise as to what it is now. While this may be the end of the golden era of marketplaces as we currently know them, vendors will still need to advertise via an open platform to acquire as many buyers as they can.
While many law enforcement entities have adjusted their processes to enable nation-state threat actor arrests, there’s still plenty of red tape to consider, such as extradition laws. Law enforcement has progressed leaps and bounds throughout the last decade; however, many government-sponsored threat groups remain protected. As nation-state operations are investigated and pieced together, the US will likely continue to file indictments against associated actors to add pressure and bring awareness to current cybersecurity events.
We still have a way to go when it comes to holding criminals accountable for their dirty deeds. We look forward to seeing policy changes, improvements, and progression in law enforcement activity and its impact on the cybercriminal threat landscape.