Cloud

7/17/2015 11:50 AM
Fahmida Rashid, Contributing Editor
News

Darkode Shuttered But Cybercrime Still Alive And Well

A major international law enforcement takedown of an exclusive criminal hacker forum highlights both the victories -- and the challenges -- of policing cybercrime across borders.

Law enforcement authorities may have successfully shut down underground cybercrime forum Darkode and arrested dozens of members around the world, but it remains to be seen what the impact will be on the fight against international cybercrime.

The joint operation announced this week involved officials from the FBI, Europol, and 19 other countries, including Australia, Bosnia and Herzegovina, Brazil, Colombia, Israel, Germany, the United Kingdom, Nigeria, Sweden, Denmark, India, and Romania. The FBI arrested and indicted 12 individuals, while the U.K.'s National Crime Agency arrested 28. The operation, known as Operation Shrouded Horizon, resulted in arrests, searches, and charges against 70 individuals across 20 countries worldwide.

“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said U.S. Attorney David J. Hickton of the Western District of Pennsylvania on Wednesday, when the indictments were announced.

Darkode was an invitation-only site where criminals could buy and sell stolen data such as personally identifiable information, server credentials, credit card information, and email addresses. Members could also buy, sell, and trade attack tools, information about software and hardware vulnerabilities, botnets, and malware to launch their own attacks.

"It was, in effect, a one-stop, high-volume shopping venue for some of the world's most prolific cyber criminals," the FBI said in its statement announcing the operation.

With between 250 and 300 active members, the forum was considered the most sophisticated English-speaking forum for cybercriminals. Members of the Lizard Squad, a group of pranksters who launched a series of crippling distributed denial-of-service attacks against Microsoft's Xbox 360 and Sony servers last Christmas, were allegedly active on the forum. It appears the two creators of SpyEye, Aleksandr Andreevich Panin of Tver, Russia, and Hamza Bendelladj of Tizi Ouzou, Algeria, advertised the banking Trojan on Darkode. They pleaded guilty and are currently awaiting sentencing, the FBI said.

“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world," Hickton said.

Even so, it was not immediately evident what impact the Darkode takedown would have on global cybercrime.

While these operations feel like big victories for law enforcement, they are generally ineffective, says Bogdan Botezatu, a senior e-threat analyst at antivirus company BitDefender. Once a site shuts down, another site reaches out to its customers and fills the void, he says. Cybercrime is not so different from street crime: after a drug dealer is arrested, other dealers move in and pick up the business, he notes. Customers have plenty of other sources for what they need.

"The authorities shut down this board, but everything will be back to normal in 6 months," Botezatu says.

Just because another forum will eventually take Darkode's place doesn't mean the police shouldn't be shutting down these criminal enterprises. Disrupting the supply chain will raise the cost of launching these attacks, says Tim Erlin, director of IT Security and Risk Strategy at Tripwire. "While it certainly doesn’t spell the end of the black market for stolen data and malware, it will make an impact in reducing overall threat for individuals and organizations," he says.

Among the 12 indicted in the US was the site's alleged administrator, a 27-year-old Swede named Johan Anders Gudmunds, whose online handles include Mafi, Crime, and Synthet!c. He was indicted for conspiracy, fraud conspiracy, and money laundering conspiracy, according to the indictment. Gudmunds allegedly operated his own botnet, which at times contained more than 50,000 computers, and used his botnet to steal data on approximately 200 million occasions, the FBI said.

Shutting down Darkode opens a small window of opportunity for law enforcement to pursue members who escaped arrest, since it will take them some time to regroup elsewhere. Botezatu predicts that the criminals will either burrow deeper into the Dark Web when they resume operations or simply move to another of the many existing forums.

This kind of law enforcement operation requires a tremendous amount of coordination, manpower, and time, Botezatu notes. Investigators spend time monitoring the suspects to gather intelligence before a takedown. The FBI said it was able to infiltrate the forum and interact with the members directly to collect evidence. While each country has different law enforcement entities and task forces, figuring out who to coordinate with and getting all the information to involved parties is a difficult task, he says.

The Darkode takedown just highlights the need for better coordination to speed up these operations, Botezatu says. If the criminal actors don't have the time to reestablish operations because law enforcement is moving quickly and shutting them down, then they don't have the opportunity to utilize sophisticated techniques to evade detection.

Cybercrime is thriving worldwide because there is no universal legal framework to make it easier for law enforcement to work together, Botezatu says. "We trace the attacks back to the operators and we can find the server the attacks originated from, but by the time we get the local police involved to take action, the criminals are long gone," he says.

The fact that the FBI was able to coordinate with authorities in 19 other countries even without an organized process in place shows that this kind of cooperation is still possible, and can be effective.

"Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates globally—is a law enforcement response that also transcends national borders," the FBI said.
