Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Alleged Dark Overlord Member Extradited, Pleads Not Guilty

But Most of the Notorious Hacking Group Remains Elusive
Alleged Dark Overlord Member Extradited, Pleads Not Guilty
Nathan Wyatt pleads not guilty. (Photo: London Metropolitan Police Service)

An alleged member of The Dark Overlord hacking group who apparently made dumbfounding operational security mistakes while trying to extort U.S. organizations has pleaded not guilty in federal court in Missouri.

See Also: Check Kiting In The Digital Age

Nathan Wyatt, 38, was extradited from the U.K. within the last week and arraigned in federal court in St. Louis, according to court documents and the Justice Department.

Nathan Wyatt’s indictment

Wyatt, of Wellingborough, England, was indicted by a grand jury in November 2017 on charges of conspiracy, two counts of aggravated identity theft and three counts of threatening to damage a protected computer. He has pleaded not guilty to all charges, according to the Associated Press.

Wyatt received much media attention in 2016 when it was suspected he was involved in the theft of private photos from the iCloud account of Pippa Middleton, the younger sister of Kate Middleton, who is married to Prince William. He was cleared of that incident, but U.K. prosecutors charged him in separate incidents allegedly involving fraud, blackmail and ID theft.

He was accused of hacking a British law firm and demanding a ransom of around $12,000 in bitcoins. The ransom demand was signed "The Dark Overlords." He pleaded guilty, serving 14 months of a three-year sentence (see: Fraudster Tied to 'The Dark Overlord' Jailed for 3 Years).

Dark Overlord's Beginnings

The Dark Overlord, which authorities believe may have a handful of members, emerged around early 2016. In those early days, the group stole data from small healthcare organizations, trying to extract bitcoin ransoms in exchange for not publicly releasing the data.

The group apparently often capitalized on poor security practiced by its victims. Analysts believed that The Dark Overlord used internet-wide scans to find systems running Microsoft’s Remote Desktop protocol and then executed brute-force credential attacks.

After compromising an organization, the group would often use harvested personal data to harass people who worked there via phone calls, intimidating emails and text messages.

Prosecutors allege that Wyatt, who went by the pseudonym "Crafty Cockney," was central to this kind of harassment. They believe that Wyatt was responsible for trying to extract ransoms.

The Dark Overlord’s victims mentioned in Wyatt’s indictment included a healthcare provider in Farmington, Missouri., a healthcare records company in St. Louis, a medical records provider in Swansea, Illinois., a certified public accountant in St. Louis, and a healthcare provider in Athens, Georgia (see: 4 Stolen Health Databases Reportedly for Sale on Dark Web).

Digital Trail

While law enforcement has had difficulty in tracking down other Dark Overlord members, Wyatt apparently left a detailed trail.

An affidavit that was part of the U.S.’s extradition request to the U.K. alleges that Wyatt set up phone numbers and email accounts from an IP address linked to his mother’s home in Wellingborough.

He set up a VOIP number from the same IP address, prosecutors say. Linked to that VOIP number was a Gmail account, which was also often accessed from the same IP address. The Gmail account was used to harrass several victims, and the phone number was also used make threatening text messages and leave voice mail, according to court documents.

Authorities allege Wyatt sent these threatening messages to a healthcare provider in Farmington, Missouri, in July 2016.

In an inexplicable move, Wyatt used the same VOIP number to set up a WhatsApp account, which he used a real photo of himself as the avatar, according to the affidavit.

Wyatt made further dumbfounding mistakes, court records show. The Dark Overlord demanded a ransom of 500 bitcoins from the healthcare provider in Athens, Georgia. After back-and-forth communication, The Dark Overlord asked for £400,000 paid in four £100,000 increments to four bank accounts. “The email included true bank account information for accounts in Wyatt’s name and his girlfriend’s name,” according to the affidavit.

‘Not Typical Cybercriminals Anymore’

At least two other people linked to the group have been arrested.

In May 2018, Serbia’s Ministry of Internal Affairs arrested a suspect member of the group, identified by his initials, S.S. It’s unknown what happened to that case. Also, in May 2018, U.K. authorities arrested Grant West, who one security expert believes had at least a loose association with the group (see: Noose Tightens Around Dark Overlord Hacking Group).

But other members have remained elusive, illustrating the difficulty in tracing people who are well-verse in applications and techniques to avoid being traced online. After early this year, The Dark Overlord has been quiet.

“They’ve kind of disappeared,” says Gene Yoo, CEO of Resecurity, a Los Angeles-based threat intelligence firm. “Maybe they are spooked or there were some changes.”

The group’s targets have also changed over time, which also dramatically increased media attention to its exploits. In December 2016, the group claimed responsibility for breaching the post-production facility Larsen Studios in Hollywood.

According to Variety, the studio paid a $50,000 ransom in bitcoins, but the group released some of the stolen data, including season five for the hit Netflix TV series "Orange Is the New Black," which had yet to be released.

The group also had a run at school districts in the U.S., stealing data, calling in bomb threats and using stolen personal information to harass parents. Several districts were forced to close school due to the threats.

One of the last major hits by the Dark Overlord occurred in 2018 when it stole files related to litigation from the terrorist attacks against the United States on Sept. 11, 2001.

The hack was obliquely acknowledged by insurer Hiscox in April 2018, which said the incident affected one of its advisory companies. Early this year, The Dark Overlord released some of the files after it had sought a ransom.

A tweet from The Dark Overlord promoting its hack of a legal advisory firm

Yoo says it’s difficult to determine whether other groups of hackers perhaps co-opted The Dark Overlord’s moniker because it drew attention. There’s also a possibility a state actor may have be involved, perhaps by recruiting a team of blackhats and cybercriminals, Yoo says. The 9/11 document breach saw the group enter the political realm by suggesting that the files would expose a scandal (see: Ransom Moves: The Dark Overlord Keeps Pressuring Victims).

“There is a lot of mystery and overlap with potential state actors,” Yoo says. “My feeling is that they’re not typical cybercriminals anymore.”

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.