
Noose Tightens Around Dark Overlord Hacking Group

Serbia Makes Arrest; UK Close to Sentencing Another

The noose appears to be tightening around the Dark Overlord, a group of international hackers who have stolen and held for ransom sensitive information from dozens of companies, organizations and U.S. public schools.


At least three people suspected of being linked to the group have been either arrested or charged.

The latest development came on Wednesday. Serbia's Ministry of Internal Affairs says it has arrested a suspected member of the group. The person was identified only by initials, S.S., born in 1980. The operation was executed with U.K. police and the FBI, the ministry says.

Serbia's Special Prosecutor's Office for High-Tech Crime is considering charges of criminal access to a protected computer and extortion, the ministry says.

But the Dark Overlord is still active, with law enforcement giving chase on bare threads of electronic clues. The group remains defiant. Late Wednesday, a Twitter account affiliated with the group tweeted: "Law enforcement has proven to be most incompetent."

On Thursday, ISMG briefly communicated with a person who controls the Twitter account, who wrote: "We're still around."

Nabbed On The Train

The latest arrest in Serbia follows other law enforcement actions that have increased the pressure. But the group has proved elusive to trace due to its use of well-known evasion techniques - encryption and anonymity software.

One of those actions was made public earlier this month. U.K. police announced the arrest of Grant West, 26, who operated out of a caravan in Sheerness, Kent, the Daily Mail reported on May 2.

Grant West. (Source: Metropolitan Police)

U.K. police did not link West to the Dark Overlord. But according to a security industry source who did not want to be identified, it is believed West was affiliated with the group.

West, who admitted to several crimes, is due for sentencing May 25, according to the Metropolitan Police. West was accused of attacking more than 500 companies, including Uber, Sainsbury's, T-Mobile and the Finnish Bitcoin Exchange, the Mail reports.

The Mail reports that he admitted to counts relating to conspiracy to defraud, computer hacking, cannabis possession, possession of criminal property and money laundering related to bitcoin.

It is unclear when West was arrested, but video from the Metropolitan Police shows police nabbing him while riding on a train. His girlfriend admitted to unauthorized use of computer material but was released with a two-year community order on May 2, the Mail reports.

Grant West crouches as officers detain him on a train, while his red laptop is seized. (Source: Metropolitan Police)

Police seized from West £500,000 ($678,000) in bitcoin, which is the first time U.K. police had seized virtual currency, the Mail reports. West allegedly possessed personal details for 78 million usernames and passwords and 63,000 credit and debit card details, which were stored on an SD card in the caravan, the publication says.

West is accused of selling stolen data on the AlphaBay underground marketplace under the nickname "Courvoisier."

West allegedly sold stolen personal information on the AlphaBay underground market. (Source: Metropolitan Police)

Fringe Member Charged

A fringe member of the Dark Overlord was arrested early last year in the U.K.

Nathan Wyatt, 36, of Wellingborough, England, was sentenced last November to three years in prison. Wyatt pleaded guilty to 20 counts of fraud, two counts of blackmail and one count of possession of an identity document with intent to deceive (see Fraudster Tied to 'The Dark Overlord' Jailed for 3 Years).

Nathan Wyatt (Source: Metropolitan Police)

Wyatt was also accused of hacking a British law firm and demanding a ransom of around $12,000 in bitcoins. The ransom demand was signed "The Dark Overlords," according to the Daily Mail.

In an instant messaging chat with ISMG prior to Wyatt's sentencing, a member of the Dark Overlord confirmed the group had some limited contact with him.

"While he had some shrivel of association for a particular operation, his capture meant no loss," the person told ISMG.

Wyatt was suspected but never charged in 2016 over the theft of private photos from the iCloud account of Pippa Middleton, the younger sister of Kate Middleton.

School Attacks

The Dark Overlord's extortion attempts, including the targeting of several U.S. public schools last year, triggered an urgent effort by international law enforcement.

Last September, the group's threats caused the shutdown of 30 public and private schools in Montana's Columbia Falls School District for one week, affecting some 15,000 students. The group had obtained information on students from a school network and sent threatening notes to parents over SMS (see Cyber Ransom Group Hits Soft Targets: US Schools).

Later that month, the group sent text messages and emails to parents of students within the Splendora Independent School District in Montgomery County, Texas. A school district spokeswoman described the communications as "violent and graphic."

Around that time, a member of the Dark Overlord sent ISMG brief audio recordings from parents who had called back the number from which they received threatening text messages.

As for attack methodology, security experts say the group takes advantage of relatively simple security misconfigurations and oversights, which open an avenue to steal data.

The group then blackmails organizations, sending threatening letters and faux legal agreements, demanding a ransom in bitcoin in return for not releasing the information publicly. Victims have included healthcare organizations, manufacturing and technology companies and law firms.

The effort appears to have been profitable: The Dark Overlord has claimed to collect many ransoms, some of which have been confirmed. Larson Studios, a Hollywood post-production studio, paid $50,000 in bitcoin after a season of the series "Orange is the New Black" was stolen from its network in 2016 (see Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').

One ransom letter sent by the Dark Overlord to a company, which was seen by ISMG, contained a copy of Adolf Hitler's signature. Underneath, it read: "thedarkoverlord."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
