In an exclusive interview with DataBreaches.net, TheDarkOverlord discusses government attempts to compromise them and the commercial success of their operations.
While reporting on TheDarkOverlord hack involving the information of Flathead, Montana students, Matt Hoffman of the Billings Gazette included a somewhat surprising detail:
At one point, unsuccessful raids were conducted in London attempting to locate hackers, Lawrence said. But hackers use programs that cycle rapidly through IP addresses, which can show where someone is connecting to the internet, masking their location.
“They actually kicked down a couple of doors,” Lawrence said.
It was not clear from the news report whether the raid occurred before or after the hackers claimed to have become aware of attempts to de-anonymize them. Another surprising detail was the open reporting that both the CIA and NSA had gotten involved in investigating the Flathead incident. When subsequently asked about the reported raids, a spokesperson for TDO responded,
“We were recently made aware that law enforcement conducted unsuccessful efforts to locate us. While their effort is admirable, it’s futile. It’s far easier to cooperate with us than work against us. We believe, at this time, the only result of these ‘door kicking down’ raids is that a few innocent chaps have had to contract threshold repair companies.”
The spokesperson was unwilling to answer this site’s query as to whether they knew whose doors were kicked down. They also declined to answer a question as to whether any of their members had been arrested for hacking-related matters in the past month.
The chat became really interesting, however, when we started discussing whether law enforcement considered them terrorists and how many agencies might be investigating them. At that point, the conversation started to sound like the plot for a spy thriller.
TDO: It’s been publicly reported that the CIA, NSA, DHS, FBI, JTTF, NCA, MI5, and a plethora of other, smaller, agencies have committed investigations or are currently in committed investigations against us.
DataBreaches: Ok, but apart from what’s been reported, you tend to maintain access to networks. Have you seen communications or evidence in your victims’ networks/in their communications that confirms that agencies other than the FBI and local police are involved?
TDO: We’ve seen CSINT confirmation that nation-state intelligence agencies are in an active investigation against us.
DataBreaches: Can you tell me where/how you’ve seen it?
TDO: We’re not at liberty to discuss anything more specific…. […] We’d like to publicly state that we’ve uncovered conclusive evidence of an attempted usage of a NIT in an effort to compromise our operations.
DataBreaches: Whom do you suspect?
TDO: At this time, we’re only at liberty to disclose that in at least one case of a NIT usage, a widely used internet service, used by millions, was a witting accomplice in the NIT’s usage. We can confirm that this widely used internet service is under a legal order. We’ve solicited the assistance of a globally recognised and highly reputable cyber-security firm to further unravel the NITs. We believe these NITs are highly disruptive, and far too dangerous to be in the wild.
Although they were unwilling to expand on their answers, they did add:
We’re witnessing growing attempts by law enforcement to utilise highly valuable NITs against the “sophisticated” threat actor community. We believe that some of our non-public operations have been a contributing factor in law enforcement’s decision to roll out these exploits.
Apart from any non-public operations that this site would have no knowledge of, DataBreaches.net was aware of two hacks involving government contractors that might have had some national security implications. One of the hacks involved ATS, whose employees had their personnel files dumped. Many of those employees had security clearances because ATS created software, METBENCH, that is installed on 160 Navy surface ships, 28 submarines and multiple Navy shore calibration labs. Those numbers would appear to include some offensive nuclear submarines, where the software is involved in calibrations. Is there a national security threat there? And what about a navy contractor in California who was also hacked by TDO after they gained a foothold via a third-party vendor?
Could hacks like these – which generally did not get a lot of press or media coverage – have worried the government enough that it justified using a NIT to help catch TDO? Or is this all a fiction and Hollywood-type script that TDO has concocted to boost their image as a serious threat? It is certainly tempting to write it all off as fiction – until you remember that we already know about 50-60 hacks attributable to TDO and the reality that they have not been caught even after more than one year.
DataBreaches.net sought comments from NSA, CIA, FBI, and DHS. The agencies did not reply at all, other than the NSA which stated, “sorry we don’t have anything for you on this story.” When asked whether having nothing for us on this story meant they knew nothing or just wouldn’t comment, they did not respond.
Perhaps one of the most surprising parts of the interview was TDO’s willingness to provide proof of the commercial success of their extortion model. In the past, this blog and blogger have expressed considerable skepticism about victims paying up. When Larson Studios went public and admitted paying the extortion, this site noted it, but had no evidence of any other entity paying up, despite TDO’s repeated claims that they were commercially successful.
“We’re sitting on many hundreds of BTC,” TDO informed me.
And then they gave me a number of wallet addresses. These were not all of their wallets, they stated to this site. By prior agreement with TDO, DataBreaches.net is not reporting the wallet addresses, the dates, nor the specific amounts in each wallet. What I can state is that for this relatively small number of wallets, I was looking at transactions involving the equivalent of more than $1 million USD when I used today’s rate for converting BTC to USD.
To prove that these wallets were TDO’s, they signed a personalized message to me from each of the wallets they showed me. DataBreaches.net verified the signed message for each of the wallets.
“What’s it like to be wrong about us?” their spokesperson subsequently asked me.
Is there an emoji for looking down at the floor and scuffing your toes? If not, there should be. But when I’m wrong, I’m wrong, and it appears that clearly I was wrong and that TDO has been making a lot of money using their extortion model.
I would love to know more about who paid, why, and which sector is most likely to pay extortion, but I’m not likely to get more specific answers on that from TDO soon. In fact, I am surprised they revealed as much as they did, but it must serve some purpose for them to have me publicly report on this.
In the meantime, and although the money is an element of the criminal enterprise, the best reason for law enforcement to continue trying to identify and catch TDO is the fact that they acquire and may leak highly personal and sensitive information. It makes no difference to me whether the sensitive information is about a member of a royal family somewhere or an abused teenager in Montana. Everyone has a right to privacy and for some people and situations, revelations of sensitive medical or personal information could put their lives or livelihood at risk.
TDO has always been forthright with me in chats about their lack of emotions – that all they care about is getting lots and lots of internet money. And I’ve always understood that they use this site and blogger, in part, to promote their agenda. I use this site for my agenda, though – which is to make more people aware of the risks of collecting and storing sensitive information without adequate protection. Because there are bad actors out there. If not TDO, then it will be others. And if we don’t protect information well, some of the problems people may experience from leaks of sensitive data should be – and will be – morally and ethically on us.
So go kick down doors, law enforcement, and I’ll chip in for a pair of steel-toed boots if that’s what it takes. But I fear it will take much more than that to catch TDO. Because people can sit around and call them scum or other names, and experts can criticize their hacking skills, but the bottom line for me is that they’re still out there and they haven’t been caught.