FBI Cybercrime Crackdown – Blackshades

It would seem the FBI is cracking down on cybercrime (well, script-kiddies at least), with a bunch of international raids carried out in the past few days and more said to come. As of today it seems that the raids are only targeting users of “blackshades”, a popular remote administration tool. Blackshades is a remote administration tool (RAT) used for remotely accessing and controlling computers over the internet. Although RATs have many legal uses and are sold by software companies, they can also be used for malicious purposes such as data theft, spying and distributed denial of service attacks. Because most legitimate RATs require a user to go through the standard installation process, hackers write their own versions that can invisibly infect a computer by running a single executable; this is what blackshades does.

In almost all international law, there is a grey area between what constitutes a legal RAT and an illegal one, as there is no black and white definition that separates software from malware. The authors of blackshades used this grey area to sell their malware for many years, with absolutely no legal implications. When it comes to the actual use of remote administration tools, the law is pretty clear cut: if you have permission from the owner of the computer, it’s legal; if you don’t, it’s not. Although the sales team were only marketing their product on hacking forums full of criminals, it had few legal implications for them and they made a lot of money. Blackshades was structured a lot like a regular company in that they had a website, were registered as an LLC, accepted payments with PayPal through a payment gateway, and kept detailed transaction logs. Most of this led customers to believe that because the software was “legal”, what they were doing with it was also legal; as a result most customers were paying for the software with their personal accounts, not making any effort to cover their tracks, and even posting threads online about how many people they had infected.

Threads with users bragging about how many computers they had infected are not uncommon.

On Tuesday 13th May 2014 the FBI appears to have begun executing international raids with the help of local law enforcement. Although there appear to have been no arrests as of yet, many users of blackshades have reported police or federal officers entering their homes and confiscating any computer equipment. It is widely believed the FBI came into possession of the transaction log kept by the blackshades staff, which contained personal information of customers such as names, addresses, and IPs. The raids coincide with a statement released by the FBI at the “Reuters Cybersecurity Summit”, where they stated they would be taking “a much more offensive approach to cybercrime”.

Rickey Gevers also has some interesting information on the raids: http://rickey-g.blogspot.nl/2014/05/international-ongoing-blackshades.html

Update 19th May 2014:
The FBI has released an official statement here, confirming that it was them orchestrating the international raids against blackshades users. The statement also confirms what many have suspected for a while now: that Alex Yucel, AKA marjinz, the creator of blackshades, had been arrested in Moldova (now awaiting extradition to the US).

Also interesting is that they mention “operation card shop” as what put them onto the scent of blackshades. For those who don’t know: Operation Card Shop was an FBI sting operation that involved undercover agents running a carding forum for about 2 years. During the sting operation, “omniscient”, the owner of hackforums, urged members to register on the carding forum and even gave the owner a free upgraded account; it was later revealed that the same FBI agent had tried to buy hackforums a few months earlier. A member of the blackshades team, xvisceral, fell victim to this trap after he accidentally gave away a free copy of blackshades (complete with free bots) to an undercover FBI agent, in return for vouching for his product.

You can see a copy of the indictments below:

Now for the bit I’m sure everyone is waiting for.