Law enforcement authorities may have successfully shut down underground cybercrime forum Darkode and arrested dozens of members around the world, but it remains to be seen what the impact will be on the fight against international cybercrime.
The joint operation announced this week involved officials from the FBI, Europol, and 19 other countries, including Australia, Bosnia, Herzegovina, Brazil, Colombia, Israel, Germany, the United Kingdom, Nigeria, Sweden, Denmark, India, and Romania. The FBI arrested and indicted 12 individuals while the U.K.'s National Crime Agency arrested 28. The operation, known as Operation Shrouded Horizon, resulted in arrests, searches, and charges against 70 individuals across 20 countries worldwide.
“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said U.S. Attorney David J. Hickton of the Western District of Pennsylvania on Wednesday, when the indictments were announced.
Darkode was an invitation-only site where criminals could buy and sell stolen data such as personally identifiable information, server credentials, credit card information, and email addresses. Members could also buy, sell, and trade attack tools, information about software and hardware vulnerabilities, botnets, and malware to launch their own attacks.
"It was, in effect, a one-stop, high-volume shopping venue for some of the world's most prolific cyber criminals," the FBI said in its statement announcing the operation.
With between 250 to 300 active members, the forum was considered the most sophisticated English-speaking forum for cybercriminals. Members of the Lizard Squad, a group of pranksters who launched a series of crippling distributed denial of service attacks against Microsoft's Xbox 360 and Sony servers last Christmas, were allegedly active on the forum. It appears the two creators of SpyEye, Aleksandr Andreevich Panin of Tver, Russia, and Hamza Bendelladj, of Tizi Ouzou, Algeria, advertised the banking Trojan on Darkode. They pleaded guilty and are currently awaiting sentencing, the FBI said.
“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world," Hickton said.
Even so, it was not immediately evident what impact the Darkode takedown would have on global cybercrime.
While these operations feel like big victories for law enforcement, they are generally ineffective, says Bogdan Botezatu, a senior e-threat analyst at antivirus company BitDefender. Once a site shuts down, another site reach out to the customers and fill the void, he says. Cybercrime is not so different from street crime, as other dealers move in and pick up business after a drug dealer is arrested, he notes. Customers have plenty of other sources to get what they need.
"The authorities shut down this board, but everything will be back to normal in 6 months," Botezatu says.
Just because another forum will eventually take Darkode's place doesn't mean the police shouldn't be shutting down these criminal enterprises. Disrupting the supply chain will raise the cost of launching these attacks, says Tim Erlin, director of IT Security and Risk Strategy at Tripwire. "While it certainly doesn’t spell the end of the black market for stolen data and malware, it will make an impact in reducing overall threat for individuals and organizations," he says.
Among the 12 indicted in the US was the site's alleged administrator, a 27-year-old Swede named Johan Anders Gudmunds, whose online handles include Mafi, Crime, and Synthet!c. He was indicted for conspiracy, fraud conspiracy, and money laundering conspiracy, according to the indictment. Gudmunds allegedly operated his own botnet, which at times contained more than 50,000 computers, and used his botnet to steal data on approximately 200 million occasions, the FBI said.
Shutting down Darkode means there is a small window of opportunity for law enforcement to try to get others who escaped arrest as it will take some time for them to regroup elsewhere. Botezatu predicts that the criminals will just burrow deeper into the Dark Web when they resume operations, or just move to another one of the many existing forums.
This kind of law enforcement operation requires a tremendous amount of coordination, manpower, and time, Botezatu notes. Investigators spend time monitoring the suspects to gather intelligence before a takedown. The FBI said it was able to infiltrate the forum and interact with the members directly to collect evidence. While each country has different law enforcement entities and task forces, figuring out who to coordinate with and getting all the information to involved parties is a difficult task, he says.
The Darkode takedown just highlights the need for better coordination to speed up these operations, Botezatu says. If the criminal actors don't have the time to reestablish operations because law enforcement is moving quickly and shutting them down, then they don't have the opportunity to utilize sophisticated techniques to evade detection.
Cybercrime is thriving worldwide because there is no universal legal framework to make it easier for law enforcement to work together, Botezatu says. "We trace the attacks back to the operators and we can find the server the attacks originated from, but by the time we get the local police involved to take action, the criminals are long gone," he says.
The fact that the FBI was able to coordinate with authorities in 19 other countries even without an organized process in place shows that this kind of cooperation is still possible, and can be effective.
"Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates globally—is a law enforcement response that also transcends national borders," the FBI said.