Euro Security Watch with Mathew J. Schwartz

Darkode Reboot: All Bark, No Bite?

Hacking Forum to Restart on Dark Web, Administrator Claims
Just two weeks after police disrupted the notorious hacking forum Darkode, one of the site's supposed administrators has claimed that the site will soon reboot.

The forum was the target of a two-year, international law enforcement effort dubbed "Operation Shrouded Horizon" - coordinated by the FBI and Europol - which earlier this month led to 70 arrests across 20 countries (see Police Shutter Darkode Cybercrime Forum).

But someone claiming to be Darkode site administrator "Sp3cial1st" - a.k.a. "s3xadd1ct" - this week said that Darkode will soon reboot as a "dark Web" onion site, meaning it can only be reached by using the anonymizing Tor browser.

"Originally the main admin known as 'Sp3cial1st' had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 users arrested were before bringing the forums back online, but about two hours ago he updated his jabber status to advertise, which appears to be a placeholder for the future site," says the U.K.-based malware researcher known as "Malware Tech" in a July 27 blog post.

That online announcement from Sp3cial1st reads: "Most of the staff is intact, along with senior members. It appears the raids focused on newly added individuals or people that have been retired from the scene for years. The forum will be back in onion land, it will be invite only, and members we can confirm are still active will be given an invite (no-one else). Each user will have their own Onion, authentication to the forum will be made via the Blockchain Api. We will not store any form of user information except a hash of the BTC Guid, a BTC Wallet (for default display NickName), and an alias if the user chooses to create one."

Malware Tech notes that the use of a unique onion address for each participant would be a clever way to prevent imposters from using hacked accounts, as well as "to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers."

All a Ruse?

One possibility, of course, is that the Darkode reboot is just a law enforcement ruse, and that Sp3cial1st is an undercover agent - or agents - tasked with trying to entrap cut-off Darkode users who still want to get their hacking-forum fix.

If so, however, it would be an elaborate ruse, according to Loucif Kharouni, a senior threat researcher at threat-detection firm Damballa, who notes that some observers believe that Sp3cial1st is also a major player in Lizard Squad. That group has been tied to disruptions of the Sony PlayStation and Xbox Live gaming networks on Christmas Day 2014, defacing the Malaysian Airlines website, and making a hoax Twitter threat involving the plane on which the president of Sony was traveling, which caused his plane to be diverted. The group has also continued to pitch its paid "Lizard Stresser" distributed denial-of-service attack service.

But as with many supposed cybercriminals or hacktivists, separating Sp3cial1st's bluster from fact remains difficult.

"We know very little about Sp3cial1st's criminal life before 2010," Kharouni says in a blog post. But he reports that by 2010, "Sp3cial1st" had been a member of the underground forum - which went offline in 2009 - and was then introduced to Darkode by "Nassef," after which multiple members vouched for him, including "Mafi AKA Crim AKA Synthet!c" and "Fubar," according to leaked posts. And by 2013, along with Mafi and Fubar, plus "187" and "Parabola," Sp3cial1st appears to have worked his way up to become a Darkode site administrator, Kharouni says.

Cybercriminals at Large

But Kharouni argues that despite Sp3cial1st's efforts, the Darkode brand is now defunct. Who would trust any attempted reboots, given that law enforcement agencies so successfully infiltrated the previous iteration?

Security experts say that while site administrator Mafi appears to have been arrested, many of the more advanced users appeared to have already deserted the site well before the July 2015 takedown, based on the information that has been gleaned to date from arrest reports. "It's interesting to note that only about two of the arrested members had even been active on Darkode in the past few years, suggesting that the FBI might have just grouped together a list of known criminals who were also on Darkode, rather than targeting the forum itself," Malware Tech says.

Despite the Darkode takedown or threatened reboot, security experts estimate that 800 hacking and cybercrime forums still remain active online, and numerous forum users - and cybercriminals - are still at large (see How Do We Catch Cybercrime Kingpins?). "Cyber criminals do not retire: they get caught, they get outed or they get better," Kharouni says.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.