
'Rex Mundi' Hacker Extortion Group: Busted

Seven Gang Members Arrested in France, Eighth Busted in Thailand, Police Say

In a demonstration of the increasingly cross-border nature of cybercrime, a 25-year-old French man accused of working with a cyber extortion group has been arrested in Thailand on a French international arrest warrant. His arrest was thanks, in part, to information shared by the London Metropolitan Police with Europol, which said it tied the information to the French individual in just one hour.


The subsequent May 18 arrest of the unnamed suspect, described as being "a French national with coding skills," marked the eighth and final arrest in a year-long law enforcement effort to shut down the notorious cyber extortion group Rex Mundi, says Europol, the EU's law enforcement intelligence agency.

Rex Mundi - Latin for "king of the world" - appears to have been operating since 2012. It regularly hacked into organizations, stole sensitive data and threatened to release it unless a ransom was paid, typically in bitcoins (see Hackers Wield Extortion).

Victims of the shakedown gang included Domino's Pizza, Swiss bank Banque Cantonale de Geneve, French loan company Credipret, Belgian payroll firm Easypay Group and French diagnostic laboratory Laboratoire de Biologie Médicale, or "Labio," which offers blood testing and other services.


"Rex Mundi is a collective of hackers. We hack for fun, for the thrills and, most importantly, for profit," the group announced in a January 2015 post to the Pastebin text-sharing website.

It also shared a bitcoin address for anyone who might want to donate to support its activities. The bitcoin address listed by the group for donations at one time contained 20 bitcoins - at current market values, worth $130,000 - although it's not clear how that balance may have been amassed.

Other bitcoin wallets that routed payments to that attacker-controlled wallet had balances in one case of 11,652 bitcoins, and another of 2,000 bitcoins - respectively worth $75 million and $12.9 million - although it's not clear if those wallets were controlled by attackers, belonged to exchanges or might have been used by bitcoin tumbling services (see Cybercrime-as-a-Service Economy: Stronger Than Ever).

Shakedown Triggers International Investigation

Rex Mundi's undoing appears to date from May 2017, when it claimed credit for stealing "a large amount of customer data" from a British organization that authorities have declined to name.

"A few days later, the company received a phone call from a French-speaking person explaining that he was a member of Rex Mundi," Europol says. "This person shared a large number of credentials with the company to prove that they had access to the data. He also demanded [a] ransom of either almost €580,000 ($770,000) for the non-disclosure of the customer data or over €825,000 ($1.1 million) for information on the security breach and how to handle it."

As is typical with such cyber extortion schemes, the gang threatened to penalize the victim for not paying quickly.

"For each day the company failed to pay, there would be a ransom of €210,000 ($278,000)," Europol says. "The ransom was to be paid in bitcoin."

Police Arrest Eight Suspects

Instead, the business reported the hack to police (see FBI to DDoS Victims: Please Come Forward).

In response, authorities launched an investigation into the extortion group, backed by Europol's European Cybercrime Center, based in The Hague, and its Joint Cybercrime Action Taskforce, or J-CAT.

That operation led to the arrest of five people in June 2017 in France, including a primary suspect in the attack. "The main suspect admitted his involvement in the blackmail but hired the services of a hacker on the dark web to carry out the cyberattack," Europol says.

Subsequently, French National Police arrested two more hacking suspects in October 2017, and the final suspected member of the group was arrested last month in Thailand by Royal Thai Police.

Group Attacked Bank, Pizza Chain

Rex Mundi regularly released customer data from victim organizations that declined to give in to its ransom demands.

In June 2014, Rex Mundi stole approximately 600,000 records from Domino's Pizza in France and Belgium. At the time, Domino's Pizza confirmed to Information Security Media Group that it had been the victim of a breach and a related ransom demand. But Domino's noted that no payment card or bank account information had been stolen (see Ransom Sought in Domino's Pizza Breach).

In January 2015, Rex Mundi released customer information that it said it stole from Banque Cantonale de Geneve, after officials there refused to pay an initial €25,000 ($26,400). The hackers subsequently offered to reduce the ransom payment to €10,000 ($10,580), but BCGE again refused to pay. Subsequently, the group dumped what it described as "30,192 private e-mails sent by both Swiss and foreign customers, in addition to various other interesting data" (see Hackers Release Info from Swiss Bank).

"We chose not to give in to blackmail and chose instead the path of transparency," a spokeswoman for the bank told Reuters at the time.

Hackers Pressure Victims to Pay

Like many other cyber extortion groups, Rex Mundi attempted to make an example of anyone who didn't follow its demands (see Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').

In December 2014, it launched a portal, reachable only via the anonymizing Tor browser, to host data from organizations that it said had failed to pay a ransom.

Rex Mundi's portal attempted to pressure future victims into paying the group's ransom demands by posting customer data stolen from previous victims who apparently refused to pay.

"The data from most of the websites we hacked is now archived on our new onion website," the group said via Twitter. "On this page, you will find leaks belonging to most of the websites that we hacked. Please note that those are leaks belonging only to companies that declined to pay us. As per our agreement with the companies that did pay us, we will never release those leaks."

Cyber Extortion Attacks Continue

Now, however, it's "game over for Rex Mundi," says cybercrime expert Alan Woodward, a computer science professor at the University of Surrey, via Twitter. "Law enforcement are patient and crime never pays."

Perhaps so, but these types of hacking-enabled shakedowns continue. Earlier this month, for example, hackers demanded a ransom of 1 million Canadian dollars ($770,000) each from Canada's Bank of Montreal and Simplii Financial, payable in the cryptocurrency exchange system Ripple's XRP token (see Hackers Demand $770,000 Ransom From Canadian Banks).

"Cyber-related extortion remains a common tactic among cybercriminals," Europol says, noting that medium and large-size organizations are most at risk.

"For financially motivated extortion attempts, attacks are typically directed at medium-sized or large enterprises, with payment almost exclusively demanded in bitcoins," according to Europol's most recent Internet Organized Crime Threat Assessment. "Such attacks often target specific victims to coincide with specific events or occasions when they are likely to be doing more business - florists during St. Valentine's day or online gambling sites around large sporting events, for example."


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



