The Dark Overlord (hacker group)

The Dark Overlord (also known as TDO) is an international hacker organization which garnered significant publicity through cybercrime extortion of high-profile targets and public demands for ransom to prevent the release of confidential or potentially embarrassing documents. [1]

The group gained its initial notoriety through the sale of stolen medical records on TheRealDeal, a darkweb marketplace. [2] [3] Major targets for the group included the extortion of Netflix, which resulted in the leak of unreleased episodes of the series Orange Is the New Black, [4] and Disney. [5]

In 2017, the group broke its trend of hacking and extortion, and began a series of terror-based attacks starting with the Columbia Falls school district in Montana. [6] [7] The group sent life-threatening text messages to students and their parents, demanding payment to prevent the murder of children. [8] These attacks forced the closure of more than 30 schools across multiple school districts, resulting in more than 15,000 students being home from school for an entire week. During a Senate committee hearing, Senator Steve Daines (MT) referred to these attacks as "unprecedented".

On December 31, 2018, TDO announced the Lloyd's of London and Silverstein Properties "9/11 Papers" hack on Twitter, with thousands of incriminating documents [9] [10] [11] to be released in stages unless US$2,000,000 in bitcoin were paid. [12] TDO was subsequently banned from many social media platforms including Twitter, Reddit, Pastebin and removed from the front end of an uncensorable blockchain called Steem/Hive. [13] Platforms unrelated to TDO such as www.hpub.org also had their social media accounts eliminated or followers deleted for serving as mirrors of TDO hacked documents. [14] [15] [16]

Arrests

Nathan Wyatt, a member of The Dark Overlord hacking group, was extradited from the UK to the US in December 2019 to face charges in St. Louis for his involvement in the group. [17] [18] According to the charges, Wyatt "conspired to steal sensitive personally identifying information from victim companies and release those records on criminal marketplaces unless victims paid Bitcoin ransoms." [19] In September 2020 Wyatt was sentenced to 5 years in federal prison on a charge of "conspiring to commit aggravated identity theft and computer fraud" and was ordered to pay almost $1.5 million in restitution. [20]

Attribution

In 2020, the group became the subject of Hunting Cyber Criminals, a non-fiction book by cybersecurity author Vinny Troia (Wiley Books). In the book, Troia suggests the core members are two teenage boys, Christopher Meunier and Dionysios "Dennis" Karvouniaris, living in Calgary, Canada. [21] He also claimed that members of The Dark Overlord became part of ShinyHunters and GnosticPlayers. [22]

The majority of research on the group's history and attribution was published in an investigative report titled "The Dark Overlord: Cyber Investigation Report", published by Night Lion Security and authored by security researcher Vinny Troia. [23] The report claims that the core members of the group can be directly linked to other major database hacking groups Gnostic Players and Shiny Hunters, and that Wyatt was nothing more than the group's patsy.

Related Research Articles

Extortion (criminal offense of obtaining benefit through coercion)

Extortion is the practice of obtaining benefit through coercion. In most jurisdictions it is likely to constitute a criminal offence; the bulk of this article deals with such cases. Robbery is the simplest and most common form of extortion, although making unfounded threats in order to obtain an unfair business advantage is also a form of extortion.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Timeline of Internet conflicts

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.

Lizard Squad (hacker group)

Lizard Squad was a black hat hacking group, mainly known for their claims of distributed denial-of-service (DDoS) attacks primarily to disrupt gaming-related services.

Monero is a cryptocurrency which uses a blockchain with privacy-enhancing technologies to obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories.

TheRealDeal was a darknet website and a part of the cyber-arms industry reported to be selling code and zero-day software exploits.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to the intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Marcus Hutchins, also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. He is employed by cybersecurity firm Kryptos Logic. Hutchins is from Ilfracombe in Devon.

GnosticPlayers is a computer hacking group, which is believed to have been formed in 2019 and gained notability for hacking Zynga, Canva, and several other online services.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Vastaamo was a Finnish private psychotherapy service provider founded in 2008. On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients. The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.

On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

On November 13, 2021, a hacker compromised the FBI's external email system, sending thousands of messages warning of a cyberattack by cybersecurity CEO Vinny Troia who was falsely suggested to have been identified as part of The Dark Overlord hacking group by the United States Department of Homeland Security.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

LockBit (criminal hacking organization)

LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for its use to carry out two-pronged attacks in which they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

Vinny Troia (American ethical hacker and cybersecurity researcher)

Vincenzo Troia is an American ethical hacker and cybersecurity researcher who is known for reporting and identifying The Dark Overlord and hacker pompompurin, who was the owner-operator of the website BreachForums and was also involved in the 2021 FBI email hacking. He is also known for disclosing the Shanghai police database leak in 2022.

References

  1. "The Dark Overlord was recruiting employees and looking for attention before 9/11 data dump". 8 January 2019. Retrieved 12 January 2019.
  2. Whittaker, Zack. "A hacker is advertising millions of stolen health records on the dark web". ZDNet. Retrieved 2020-04-17.
  3. Storm, Darlene (2016-06-27). "Hacker selling 655,000 patient records from 3 hacked healthcare organizations". Computerworld. Retrieved 2020-04-17.
  4. "cybersecurity hacking". axios. 10 January 2019. Retrieved 12 January 2019.
  5. Newman, Lily Hay (2017-05-18). "High-Profile Extortion Hacks Aren't Paying Off". Wired. ISSN 1059-1028. Retrieved 2020-04-17.
  6. Graham, Taylor (2017-09-19). "Flathead hackers found to have..." KECI. Retrieved 2020-04-17.
  7. ""Ransom note" released after cyber-threats to Montana schools". www.cbsnews.com. 19 September 2017. Retrieved 2020-04-17.
  8. Cox, Joseph (2017-10-05). "'Dark Overlord' Hackers Text Death Threats to Students, Then Dump Voicemails From Victims". The Daily Beast. Retrieved 2020-04-17.
  9. "ndex: Hacker group releases '9/11 Papers', says future leaks will 'burn down' US deep state". HuffpoClub. Retrieved 13 January 2019.
  10. "The Dark Overlord Hackers Threaten To Release TOP SECRET Files of 9/11 Litigation Unless Paid In Bitcoin". HuffpoClub. Retrieved 13 January 2019.
  11. "Hacker Group Dark Overlord Threatens to Dump Insurance Files Related to 9/11 Attacks". HuffpoClub. Retrieved 13 January 2019.
  12. "9/11 Papers Megalink". Busy.org. Retrieved 12 January 2019.
  13. "Thedarkoverlord | Hive".
  14. "ndex: 9/11 Docs Drop From Dark Overloard[sic]". HuffpoClub. Archived from the original on 2019-01-14. Retrieved 13 January 2019.
  15. "Checkpoint 8". Anonfiles. Retrieved 12 January 2019.
  16. "Darkoverlord Banned". heavy.com. 11 January 2019. Retrieved 12 January 2019.
  17. "'The Dark Overlord' hacking group member facing charges in St. Louis". KSDK. 18 December 2019. Retrieved 2020-04-17.
  18. Goodin, Dan (2019-12-19). "Dark Overlord taunted, threatened, and extorted. Now alleged member is behind bars". Ars Technica. Retrieved 2019-12-28.
  19. "Member of "The Dark Overlord" Hacking Group Extradited From United Kingdom to Face Charges in St. Louis". www.justice.gov. 2019-12-18. Retrieved 2020-04-17.
  20. "UK National Sentenced to Prison for Role in "The Dark Overlord" Hacking Group". www.justice.gov. 2020-09-21. Retrieved 2022-03-06.
  21. Troia, Vinny (January 2020). Hunting Cyber Criminals. Wiley. p. 544. ISBN 978-1-119-54099-1. Retrieved 25 November 2020.
  22. "Researcher: Two Hackers Linked to 42% of Data Breaches".
  23. "The Dark Overlord - A Cyber Criminal Investigation Report". Night Lion Security. 2020-07-16. Retrieved 2021-12-17.