Darkode – Ode to Lizard Squad (The Rise and Fall of a Private Community)

For the 10 of you who don’t know, darkode was on of the most active English-speaking “underground” cybercrime boards. The forum was started around 2009 by a coder named “Iserdo” and gained popularity off the back of Iserdo’s bot, “Buterfly bot” (AKA Mariposa), which was sold there. ## In The Beginning

With Iserdo as admin, the main focus of darkode was selling and supporting his products; however, the success of butterfly bot lead to a rapid growth in user-base and quickly darkode became a popular malware marketplace, much sought after by English-speaking cybercriminals. As a result of growing popularity, the forum was turned invite-only and existing members were given a number of invites, which they could give out to whomever they chose. Of course the invite-only model just made membership more sought after and gained darkode a reputation as an elite underground forum. At some point around 2010, Iserdo left and the forum was handed over to Crim (the coder of CrimePack which was one of the early exploit kits), who also gave admin to fubar (the seller of the infamous NgrBot).## Access Refines

In march 2012 a new access model was announced, the community became layered with “fresh fish” (level 0) as the basic membership, and “Level 1” (Trusted) as the upgraded membership. For fresh fish access, an applicant would need to be invited by another member, followed by completing an interview with an admin, In order to get level 1 access, existing members would need to prove themselves to the community and if given access, would be able to view/use the level 1 marketplace, which featured more exclusive products. There was also a special “Buyer” level created, which would only allow the user access to the marketplace and not the discussion or coding sections.

Eventually access was further refined to disallow level 0 users from inviting people, and a level 2 section was created for highly trusted users (and was rumored to allow fraud, which was previously disallowed on the forum).

The Great Researcher War

With darkode as a cybercrime hotspot, it’s not really a huge surprise that people working in the security industry gained interest in getting access. Researchers such as Xylitol and Brian Krebs dedicated a big part of their blogs to having the inside scoop on darkode, and although admins were very proactive in seeking out and banning security researchers; there was always another hacker to pay off or account to hijack, resulting in numerous threads hating on researcher and Brian Krebs becoming a meme.

The forum began taking more an more precautions to root out security researcher, including mass demoting accounts, banning people who were unknown to them, embedding metadata to identify accounts used to post screenshots, even targeting the researchers directly (see here), all to no avail.

Members were already getting edgy about posting with so many security researchers on the site, but it wasn’t until sp3cial1st was voted for admin in 2013 that the final nail was driven into the darkode coffin. sp3cial1st’s approach to researchers was proactive with a touch of paranoia, it started with banning their accounts, then banning the people who invited them, even banning the people who vouched for them, which caused members to stop inviting for fear of getting banned, of course the researchers still found a way back.

With the new incredibly proactive anti-researcher strategy, researchers like Krebs would tease the admins with proof of their continued or re-gained access to the site, resulting in frequent pre-preemptive bans of just about any account that seemed remotely whitehat, I even personally witnessed legitimate cybercriminals getting banned for “being Brian Krebs”. Before long, the only people on darkode were the admins, undercover FBI agents, security researchers, and a few highly trusted members.

Re-population Attempts

With darkode on life support and still teaming with security researchers, the admin desperately tried to breath new life into the site. After giving out vast numbers of invite codes to the existing member failed, sp3cia1ist started posting threads on hackforums (a scriptkiddie hacking fourm), in order to obtain some interest, when that wasn’t enough, he resulted to sending out spam messages embedded with darkode invites to mailing lists that’d been acquired from old hacking forums (this obviously made even the die-hard darkode members doubt their “prestigious” position). | darkode recruitment email | |—| | darkode recruitment email |

It was quite clear that darkode had had its day, but it just didn’t stop there. The admin setup a public IRC server under irc.darkode.com where people could come to beg for invites, started posting replies to threads on any forum that made mention of darkode or private forums, even posting comments to entice people in the comment section of krebsonsecurity.com. | | |—| | Sp3cial1st’ advertising on hackforums |

Lizard Squad

Even I can’t explain how darkode got form where it was to here, but we can assume it was for publicity. Around the time LizardSquad became well known by DDoSing just about anything and everything, they decided to follow the same route as lulzsec(setting up a public IRC channel on freenode), unfortunately freenode was having none of this and banned them, along with everyone in their channel a few days later. The same week, LizardSquad had relocated to the darkode IRC, which the darkode admin appears to be fine with, he even allowed LizardSquad to spam the darkode url all-over the internet, something that was previously forbidden.

Of course, sharing an IRC only implies the darkode admin tolerated LizardSquad but may not have worked with them. I had noticed that lizardpatrol.com (the official LizardSquad website) was hidden behind cloudflare, so on a hunch I send a HTTP request to the darkode server, with the hostname set to “lizardpatrol.com”, and what would you know!

That’s right, the darkode server is also hosting the official LizardSquad website, oh dear.