11:50 AM
Fahmida Rashid, Contributing Editor

Darkode Shuttered But Cybercrime Still Alive And Well

Major international law enforcement takedown of exclusive criminal hacker forum highlights victory -- and challenges -- of global law enforcement of cybercrime.

Law enforcement authorities may have successfully shut down underground cybercrime forum Darkode and arrested dozens of members around the world, but it remains to be seen what the impact will be on the fight against international cybercrime.

The joint operation announced this week involved officials from the FBI, Europol, and 19 other countries, including Australia, Bosnia and Herzegovina, Brazil, Colombia, Israel, Germany, the United Kingdom, Nigeria, Sweden, Denmark, India, and Romania. The FBI arrested and indicted 12 individuals, while the U.K.'s National Crime Agency arrested 28. The operation, known as Operation Shrouded Horizon, resulted in arrests, searches, and charges against 70 individuals across 20 countries worldwide.

“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said U.S. Attorney David J. Hickton of the Western District of Pennsylvania on Wednesday, when the indictments were announced.

Darkode was an invitation-only site where criminals could buy and sell stolen data such as personally identifiable information, server credentials, credit card information, and email addresses. Members could also buy, sell, and trade attack tools, information about software and hardware vulnerabilities, botnets, and malware to launch their own attacks.

"It was, in effect, a one-stop, high-volume shopping venue for some of the world's most prolific cyber criminals," the FBI said in its statement announcing the operation.

With between 250 and 300 active members, the forum was considered the most sophisticated English-speaking forum for cybercriminals. Members of the Lizard Squad, a group of pranksters who launched a series of crippling distributed denial-of-service attacks against Microsoft's Xbox 360 and Sony servers last Christmas, were allegedly active on the forum. It appears the two creators of SpyEye, Aleksandr Andreevich Panin of Tver, Russia, and Hamza Bendelladj of Tizi Ouzou, Algeria, advertised the banking Trojan on Darkode. They pleaded guilty and are currently awaiting sentencing, the FBI said.

“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world," Hickton said.

Even so, it was not immediately evident what impact the Darkode takedown would have on global cybercrime.

While these operations feel like big victories for law enforcement, they are generally ineffective, says Bogdan Botezatu, a senior e-threat analyst at antivirus company BitDefender. Once a site shuts down, another site reaches out to the customers and fills the void, he says. Cybercrime is not so different from street crime: after a drug dealer is arrested, other dealers move in and pick up the business, he notes. Customers have plenty of other sources to get what they need.

"The authorities shut down this board, but everything will be back to normal in 6 months," Botezatu says.

Just because another forum will eventually take Darkode's place doesn't mean the police shouldn't be shutting down these criminal enterprises. Disrupting the supply chain will raise the cost of launching these attacks, says Tim Erlin, director of IT Security and Risk Strategy at Tripwire. "While it certainly doesn’t spell the end of the black market for stolen data and malware, it will make an impact in reducing overall threat for individuals and organizations," he says.

Among the 12 indicted in the US was the site's alleged administrator, a 27-year-old Swede named Johan Anders Gudmunds, whose online handles include Mafi, Crime, and Synthet!c. He was indicted for conspiracy, fraud conspiracy, and money laundering conspiracy, according to the indictment. Gudmunds allegedly operated his own botnet, which at times contained more than 50,000 computers, and used his botnet to steal data on approximately 200 million occasions, the FBI said.

Shutting down Darkode leaves a small window of opportunity for law enforcement to pursue those who escaped arrest, since it will take them some time to regroup elsewhere. Botezatu predicts that when the criminals resume operations they will either burrow deeper into the Dark Web or simply move to another of the many existing forums.

This kind of law enforcement operation requires a tremendous amount of coordination, manpower, and time, Botezatu notes. Investigators spend time monitoring the suspects to gather intelligence before a takedown. The FBI said it was able to infiltrate the forum and interact with the members directly to collect evidence. Because each country has different law enforcement entities and task forces, figuring out whom to coordinate with and getting all the information to the involved parties is a difficult task, he says.

The Darkode takedown highlights the need for better coordination to speed up these operations, Botezatu says. If law enforcement moves quickly enough that the criminal actors do not have time to reestablish operations, they also do not have the opportunity to deploy sophisticated techniques to evade detection.

Cybercrime is thriving worldwide because there is no universal legal framework to make it easier for law enforcement to work together, Botezatu says. "We trace the attacks back to the operators and we can find the server the attacks originated from, but by the time we get the local police involved to take action, the criminals are long gone," he says.

The fact that the FBI was able to coordinate with authorities in 19 other countries even without an organized process in place shows that this kind of cooperation is still possible, and can be effective.

"Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates globally—is a law enforcement response that also transcends national borders," the FBI said.