A user claiming to be the notorious extortionist threat actor thedarkoverlord has appeared on a dark web cybercriminal forum offering breached datasets for sale. In this blog, Digital Shadows (now ReliaQuest) analyzes whether this is a case of a copy-cat actor hoping to profit from thedarkoverlord name, or whether this marks a genuine return for the group that has been the scourge of healthcare and pharmaceutical companies since 2016.


What happened?

In September 2018 Digital Shadows (now ReliaQuest) observed a user on ‘KickAss’, a closed-access dark web cybercriminal forum, referring to themselves as ‘thedarkoverlord’. This user announced that they had joined the forum to sell large datasets from previous attacks and breaches. Around the same time the user opened a thread in the marketplace section of the forum advertising nearly 200,000 records, including personally identifiable information (PII) and protected health information (PHI) from six medical entities and one dentistry. The bulk of the information – 131,00 records – came from an undisclosed gaming company.


Figure 1: Introductory post by ‘thedarkoverlord’ on KickAss marketplace


Figure 2: Marketplace listing for US dentistry


The user did not disclose prices, stating that these were negotiable; however, the option was given for individuals to buy the datasets exclusively at a higher price.


Who is thedarkoverlord?

thedarkoverlord is an English-speaking threat group that has been active since June 2016. During that time, it has targeted large data sets, typically from healthcare and pharmaceutical companies, and used the pressure of social media and exposing the data on open sources to extort money from companies and individuals. thedarkoverlord has also been responsible for a number of high-profile attacks against media companies, including against Netflix in June 2017, which led to the release of unaired episodes of ‘Orange is the New Black’.

thedarkoverlord began by selling datasets on the criminal forum The Real Deal in June 2016. The group advertised a number of healthcare datasets valued between $16,000 and $490,000. Following several instances of The Real Deal being taken offline, either from denial of service attacks or law enforcement action, the group appears to have migrated to Twitter, where it used its first Twitter account (@tdohack3rs) to extort companies into paying by threatening to release their data. This period, between September 2016 and September 2017, saw the group perform several well-publicized attacks and build up its reputation as a legitimate threat actor.


Figure 3: A timeline of mentions and activities of thedarkoverlord between September 2016 and September 2018.


This Twitter account was taken down by Twitter in September 2017, and the current account (@tdo_hackers) was subsequently set up. However, a change in tactics, techniques and procedures (TTPs) led to a reassessment of the group’s capability, and to questions around the legitimacy of the account itself. The group no longer tweeted links to leaked data, or tweeted links that quickly became inactive or were taken down, and started compounding extortion threats with physical threats to schools and the education sector to encourage payment. The new Twitter account also had only 245 followers, as opposed to over 9,000 followers on the previous account. It’s plausible that the new account was run by a member of the group striking out on their own, or by an unconnected threat actor seeking to capitalize on the reputation of the group.


So what?

thedarkoverlord has not been active on dark web markets since the group’s presence on The Real Deal in 2016, which could indicate that this was an unconnected threat actor seeking to capitalize on the group’s name. However, on 18 September, shortly before the initial advert went up on KickAss, the Twitter account currently associated with thedarkoverlord (@tdo_hackers) tweeted the word ‘KickAss’ (see Figure 4). This tweet was left up for several hours and then taken down.


Figure 4: A tweet from “tdo_hackers” from 18th September 2018. The post has since been removed.


The association of the KickAss account with the tweet on the group’s current Twitter feed indicates that the three entities (the first and second Twitter accounts, and the KickAss account) are linked. Although unconfirmed, activity on the KickAss forum very likely represents a return to form for the group. Its current offerings appear to be datasets from historic breaches, likely attacks between September 2016 and September 2017. If the group gets more attention on the KickAss forum than with its current Twitter account, we anticipate that it will sell data breaches online rather than attempting to extort companies first.

Closed forums are, of course, more challenging for organizations to monitor: you need to either be vouched for or pay a fee to enter. However, focusing exclusively on thedarkoverlord’s Twitter account as a source of intelligence will miss significant activity. A blend of open and closed source collection is required to get the full intelligence story. Furthermore, if this proves to be a profitable move for the group, we would anticipate more high-profile attacks, similar to those seen in the first phase of activity against healthcare and pharmaceutical companies.
