Darkode, the one-stop, high-volume shopping venue for some of the world’s most prolific cyber criminals shut down today after the FBI infiltrated and raided the site.
This underground, password-protected, online forum was a meeting place for those interested in buying, selling, and trading malware, botnets, stolen personally identifiable information, credit card information, hacked server credentials, and other pieces of data and software that facilitated complex cyber crimes all over the globe, the FBI said.
This invitation-only, English-speaking forum ended up infiltrated by the FBI which got into the communication platform at the highest levels and began collecting evidence and intelligence on Darkode members.
“Hackers and those who profit from stolen information use underground Internet forums to evade law enforcement and target innocent people around the world,” said Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division. “This operation is a great example of what international law enforcement can accomplish when we work closely together to neutralize a global cybercrime marketplace.”
“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” said U.S. Attorney David J. Hickton of the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
The Department of Justice and the FBI, with the assistance partners in 19 countries around the world, unveiled Operation Shrouded Horizon, a multi-agency investigation into the Darkode forum.
Among those results of the operation were charges, arrests, and searches involving 70 Darkode members and associates around the world; U.S. indictments against 12 individuals associated with the forum, including its administrator; serving of several search warrants in the U.S.; and the Bureau’s seizure of Darkode’s domain and servers.
“Cyber criminals should not have a safe haven to shop for the tools of their trade, and Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities,” said FBI Deputy Director Mark Giuliano.
During the investigation, the FBI focused primarily on Darkode members responsible for developing, distributing, facilitating, and supporting the cyber criminal schemes targeting victims and financial systems around the world, including in the United States.
The Darkode forum, which had between 250-300 members, operated very carefully — not just anyone could join. Ever fearful of compromise by law enforcement, Darkode administrators made sure prospective members ended up heavily vetted.
Similar to practices used by organized crime, a potential candidate for forum membership need to have a sponsorship by an existing member and sent a formal invitation to join. In response, the candidate had to post an online introduction — basically, a resume — highlighting the individual’s past criminal activity, particular cyber skills, and potential contributions to the forum. The forum’s active members decided whether to approve applications.
Once in the forum, members — in addition to buying and selling criminal cyber products and services — used it to exchange ideas, knowledge, and advice on any number of cyber-related fraud schemes and other illegal activities. It was almost like a think tank for cyber criminals, he FBI said.
This is believed to be the largest-ever coordinated law enforcement effort directed at an online cyber criminal forum. In addition to shutting down a major resource for cyber criminals, law enforcement infiltrated a closed criminal forum to obtain the intelligence and evidence needed to identity and prosecute these criminals.
The case was led by the FBI’s Pittsburgh Field Office, with assistance from offices in Washington, and San Diego. In addition, the FBI received support from Europol and other partners in 19 countries.
The following suspects face charges in the Western District of Pennsylvania:
• Johan Anders Gudmunds, aka Mafi aka Crim aka Synthet!c, 27, of Sollebrunn, Sweden, charged by indictment with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. He faces charges of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to create botnets. Police said Gudmunds also operated his own botnet, which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on 200,000,000 occasions.
• Morgan C. Culbertson, aka Android, 20, of Pittsburgh, charged by criminal information with conspiring to send malicious code. He stands accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was for sale on Darkode, police said.
• Eric L. Crocker, aka Phastman, 39, of Binghamton, NY, charged by criminal information with sending spam. He stands accused of being a part of a scheme involving the use of a Facebook Spreader which infected Facebook users’ computers, turning them into bots which Crocker controlled through the use of command and control servers. Crocker sold the use of this botnet to others for the purpose of sending out massive amounts of spam.
• Naveed Ahmed, aka Nav aka semaph0re, 27, of Tampa, FL; Phillip R. Fleitz, aka Strife, 31, of Indianapolis; and Dewayne Watts, aka m3t4lh34d aka metal, 28, of Hernando, FL, each charged by criminal information with conspiring to send spam. They stand accused of participating in a sophisticated scheme to maintain a spam botnet that utilized bulletproof servers in China to exploit vulnerable routers in third world countries, and that sent millions of electronic mail messages designed to defeat the spam filters of cellular phone providers.
• Murtaza Saifuddin, aka rzor, 29, of Karachi, Sindh, Pakistan, charged in an indictment with identity theft. Saifuddin stands accused of attempting to transfer credit card numbers to others on Darkode.
The following defendant faces charges in the Eastern District of Wisconsin:
• Daniel Placek, aka Nocen aka Loki aka Juggernaut aka M1rr0r, 27, of Glendale, WI, charged by criminal information with conspiracy to commit computer fraud. He stands accused of creating the Darkode forum, and selling malware on Darkode designed to surreptitiously intercept and collect email addresses and passwords from network communications.
The following defendants face charges in the District of Columbia:
• Matjaz Skorjanc, aka iserdo aka serdo, 28, of Maribor, Slovenia; Florencio Carro Ruiz, aka NeTK aka Netkairo, 36, of Vizcaya, Spain; and Mentor Leniqi, aka Iceman, 34, of Gurisnica, Slovenia, each charged in a criminal complaint with racketeering conspiracy; conspiracy to commit wire fraud and bank fraud; conspiracy to commit computer fraud, access device fraud and extortion; and substantive computer fraud. Skorjanc also stands accused of conspiring to organize the Darkode forum and of selling malware known as the ButterFly bot.
The following defendant faces charges in the Western District of Louisiana:
• Rory Stephen Guidry, aka firstname.lastname@example.org, of Opelousas, LA, charged with computer fraud. He stands accused of selling botnets on Darkode.