Darkode Returns Following International Raids

When I was contacted asking for a comment about the Darkode raid, I said that the main administrator had not been arrested and that I'd be surprised if the forum wasn't back within a week. Well, it's been a little more than a week (I'll put on my surprised face), but as expected Darkode has returned. Originally the main admin, known as "Sp3cial1st", had posted a statement on Pastebin declaring that he wanted to wait and see who all of the 70 arrested users were before bringing the forums back online, but about two hours ago he updated his Jabber status to advertise darkode.cc, which appears to be a placeholder for the future site.

Darkode’s new homepage

Currently we're greeted with a message addressing the raids and containing some information about the new site; however, the page leads nowhere and the "Generate Onion" button doesn't work (though the information given is quite interesting).

The message states that not only will Darkode now operate from a Tor hidden service, but each user will be given their own onion address for the forum, which is admittedly quite a clever idea. Firstly, it would give the Darkode admins greater control over who gets access, preventing anyone from using a hacked account without also knowing the owner's onion URL; it would also let them monitor who views what by keeping an individual log file per onion address, meaning they could quickly weed out leakers.
Even more interestingly, it states that Bitcoin wallets will be tied to accounts and used to authenticate users on the forum; this would mean that hackers could not use a hacked account to scam with unless they also know the user's private key.
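The wallet-based login described above is, at its core, a challenge-response protocol: the server stores only a public key per account and authenticates a login by checking a signature over a fresh nonce, so a stolen username, password or session is useless without the private key. The following is an added illustration written for this post, not Darkode's code and not something taken from the announcement; it uses Go's standard-library ECDSA on the P-256 curve in place of Bitcoin's secp256k1 (which the standard library does not provide), and the account names, domain-separation prefix and message layout are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Account is a forum account whose login identity is a public key, not a password.
type Account struct {
	Username string
	PubKey   *ecdsa.PublicKey
}

// Server keeps registered accounts and the single-use challenges it has issued.
type Server struct {
	accounts   map[string]*Account
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{accounts: map[string]*Account{}, challenges: map[string][]byte{}}
}

// Register binds a username to the public half of the user's key pair (the "wallet").
func (s *Server) Register(username string, pub *ecdsa.PublicKey) {
	s.accounts[username] = &Account{Username: username, PubKey: pub}
}

// loginDigest binds the signed message to this purpose and this account, so a
// signature produced for some other context cannot be reused as a login.
func loginDigest(username string, nonce []byte) []byte {
	msg := append([]byte("forum-login:"+username+":"), nonce...) // assumed prefix
	d := sha256.Sum256(msg)
	return d[:]
}

// IssueChallenge returns a fresh random nonce the client must sign.
func (s *Server) IssueChallenge(username string) ([]byte, error) {
	if _, ok := s.accounts[username]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[username] = nonce
	return nonce, nil
}

// Verify checks the client's signature over the outstanding challenge and
// consumes the nonce, so a captured signature cannot be replayed later.
func (s *Server) Verify(username string, sig []byte) bool {
	acct, ok := s.accounts[username]
	nonce, issued := s.challenges[username]
	if !ok || !issued {
		return false
	}
	delete(s.challenges, username)
	return ecdsa.VerifyASN1(acct.PubKey, loginDigest(username, nonce), sig)
}

// SignChallenge is the client side: prove possession of the private key.
func SignChallenge(priv *ecdsa.PrivateKey, username string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, loginDigest(username, nonce))
}

func main() {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // has the account name, not the key
	srv := NewServer()
	srv.Register("alice", &owner.PublicKey)

	nonce, _ := srv.IssueChallenge("alice")
	sig, _ := SignChallenge(owner, "alice", nonce)
	fmt.Println("owner login:", srv.Verify("alice", sig))   // true
	fmt.Println("replayed sig:", srv.Verify("alice", sig))  // false: nonce already consumed

	nonce, _ = srv.IssueChallenge("alice")
	badSig, _ := SignChallenge(thief, "alice", nonce)
	fmt.Println("thief login:", srv.Verify("alice", badSig)) // false: wrong key
}
```

The two properties worth noting are that the server never holds anything a database leak could turn into a login (only public keys), and that each nonce is deleted on first use, so an attacker who can observe traffic still cannot replay an old signature.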

These new security measures don't come as a huge surprise, seeing as Darkode had a massive problem with people using hacked accounts to leak information to law enforcement and journalists, as well as to scam users. Ironically, even the Darkode administrators were compromised at one point, after one of them had reused his password on another forum whose database had been leaked a few weeks prior. Remember: password reuse is a much bigger risk than weak passwords.

Arrests

Because most countries do not publicly publish detailed arrest information the way the US does, there is no way to know who else was arrested other than those indicted by the FBI; however, due to terrible opsec practices a lot of them were known personally by other members, so word of mouth gives us a few more names to add to the list. It's interesting to note that only about two of the arrested members had even been active on Darkode in the past few years, suggesting that the FBI might have just grouped together a list of known criminals who were also on Darkode, rather than targeting the forum itself.
As of now, this is the current list of arrested or allegedly arrested users: