
Cyber Criminal Warfare: How Hacker Behaviors Can Tell Us About Their Identities

Linking three major cybercriminal gangs to 30% of all global non-credit card data breaches

Starting in 2016, a hacking group called ‘TheDarkOverlord’ (TDO) gained massive attention from the media by terrorizing and extorting large organizations, in particular medical providers. They would demand a ransom, and threaten to sell stolen medical records if it was not paid out. Some of the group’s first publicized hacks include medical facilities and law firms in Missouri.

Between 2016 and 2017, two distinct personalities can be attributed to TDO (or its spokesperson). For ease of reference, we call them TDO1 and TDO2.

In 2017, Nathan Wyatt, a 36-year-old man from the UK, was arrested, and in 2020 he was sentenced for crimes associated with TheDarkOverlord. Based on information provided in the public indictment, it appears that Wyatt played a role in the initial development of the group’s accounts and was involved in conversations. There is also evidence suggesting that Robert Purbeck, of Meridian, Idaho, played a role in TDO1. However, his federal indictment does not list any association with the group.

In 2017, the group transitioned its leadership, marking the beginning of TDO2. During this time period, the group gained additional headlines for extorting companies including Disney and Netflix, threatening to release advanced copies of their studio productions if their ransom demands were not met. Later that year, the group moved from traditional hacking and extortion schemes to terror-based attacks, where they threatened the lives of multiple Montana school district students if their ransom demands were not met. This act forced the closure of more than 30 schools for an entire week, affecting 15,000 children.

Ultimately, using different tools and threat intel processes, our investigations led us to identify Christopher Meunier, a 19-year-old from Calgary, Canada, as one of the primary spokespeople involved in TDO.

Over the years, Night Lion Security has worked with various teams and agencies to gather evidence of the ongoing criminal collaboration between Meunier and his childhood friend, Karvouniaris (who acted under aliases including Ping, Peace of Mind and Overflow). The duo operated under group names including ROR[RG] and NSFW. Recently, there has been speculation about whether the friends have separated and gone their own ways. However, we believe Meunier went on to start and collaborate with additional hacking groups known as GnosticPlayers and ShinyHunters.

The two individuals regularly shared aliases like NSFW and Peace of Mind in order to create confusion between their identities. These two Canadian teens and their combined hacking efforts are presumed to be directly responsible for roughly 42% of all non-credit card related data breaches that occurred between January 2017 and June 2020.

GnosticPlayers

GnosticPlayers made their debut in 2018 with a 6-part sale of data breaches totaling more than 2 billion compromised records. Three of the group’s members were arrested in December 2019 following the group leader’s public admission to the hack of Gatehub, and the group’s theft of $10 million worth of Ripple cryptocurrency (XRP).

Gabriel Bildstein, under the alias ‘Nclay’ (and previously ‘Kuroish’), is another in a long line of patsies strategically put in place to take any attention away from the real hackers. Our conversations with Gabriel indicate that he lacks real technical knowledge, yet he maintains he is solely responsible for the hacking of hundreds of companies. Following his arrest, law enforcement confiscated several million dollars worth of cryptocurrency and 3 cars, including two Lamborghinis.

Criminal behavior protected by French law

We believe Gabriel was specifically chosen by Meunier to act as the group’s patsy because of his understanding of French and international law. According to Bildstein’s own admission, he knows France will never allow the extradition of its own citizens to the United States. Further, Gabriel’s myriad health conditions and previous hospitalizations give him what he believes is a ‘free pass’. To this point, he is not wrong. Any charges brought by the U.S. would need to be tried in French courts, which, given all of the previous factors, does not seem like it will ever happen.

Among the other French members arrested for Gnostic’s crime was Nassim Benhaddou (aka Prosox), 18, one of Gabriel’s personal friends. In 2018, Nassim and Gabriel were arrested together in Paris for replacing YouTube content related to the song ‘Despacito’ by Luis Fonsi.  After some time, Gabriel disappeared, and it is believed that Nassim continued to work with Meunier (now under the alias Megadimarus) to start a new group called ShinyHunters.

ShinyHunters

In 2020, a new group emerged with the news of a 90 million user data breach of the Indonesian firm Tokopedia. Shortly after the breach announcement, a slew of other data breaches followed, with promises by “Shiny Hunters” that more breaches would follow in “stages”, the exact M.O. used by GnosticPlayers.

While ShinyHunters initially came into the media spotlight after news of their Tokopedia hack, the reality was very different. In fact, chat logs and other evidence conclusively show that the database was hacked much earlier by the group NSFW (Meunier / Karvouniaris).

Connecting the group members

The evidence needed to connect each group was provided by several of their victims. Night Lion’s forensic team began collecting IP addresses used in the attacks on many of the victims. As the IP addresses were cataloged using Maltego, a clear pattern began to emerge.

The graphic below shows IP 195.5.53.40 used to attack a ShinyHunters victim (redacted, in red) and a GnosticPlayers victim (in green). These attacks occurred more than two full years apart.

[Figure: Connecting the Group Members]

Additional charts and IP addresses are available in our complete investigative report on TheDarkOverlord group. Additional graphs show victims being attacked by IP addresses shared by groups NSFW, GnosticPlayers, and ShinyHunters.
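
The kind of overlap analysis described above can be sketched in a few lines. This is an added example, not Night Lion's tooling or data: only the IP 195.5.53.40 and the group names come from the article, while the victims, dates and other addresses are constructed placeholders. It finds addresses seen in intrusions attributed to more than one group, then merges groups that are connected through any shared address.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sightings: (victim, attributed group, source IP, date).
# Only 195.5.53.40 and the group names come from the article; victims, dates
# and the RFC 5737 documentation addresses are invented for illustration.
SIGHTINGS = [
    ("victim-A", "GnosticPlayers", "195.5.53.40", date(2018, 3, 2)),
    ("victim-B", "ShinyHunters", "195.5.53.40", date(2020, 4, 20)),
    ("victim-B", "ShinyHunters", "203.0.113.7", date(2020, 4, 21)),
    ("victim-C", "NSFW", "198.51.100.23", date(2019, 1, 15)),
    ("victim-D", "GnosticPlayers", "198.51.100.23", date(2019, 2, 1)),
    ("victim-E", "ShinyHunters", "192.0.2.99", date(2020, 5, 5)),
]


def shared_infrastructure(sightings):
    """Return IPs seen in intrusions attributed to more than one group."""
    by_ip = defaultdict(list)
    for victim, group, ip, seen in sightings:
        by_ip[ip].append((victim, group, seen))
    links = []
    for ip, rows in by_ip.items():
        groups = {g for _, g, _ in rows}
        if len(groups) < 2:
            continue  # address only ever tied to one group: no link
        dates = [d for _, _, d in rows]
        links.append({
            "ip": ip,
            "groups": sorted(groups),
            "victims": sorted({v for v, _, _ in rows}),
            "span_days": (max(dates) - min(dates)).days,
        })
    # Review the longest-lived reuse first.
    return sorted(links, key=lambda l: l["span_days"], reverse=True)


def group_clusters(links):
    """Merge groups into clusters connected by at least one shared IP."""
    clusters = []
    for link in links:
        merged = set(link["groups"])
        rest = []
        for cluster in clusters:
            if cluster & merged:
                merged |= cluster  # transitive link through a common group
            else:
                rest.append(cluster)
        clusters = rest + [merged]
    return [sorted(c) for c in clusters]
```

An overlap like this is a lead to corroborate rather than proof on its own, since a single address can be a VPN or proxy exit shared by unrelated users.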

Shielded by international cyber law

As of May 2021, ShinyHunters is still very active in breaching and releasing data on cybercrime forums. It is unclear why French authorities have not moved forward with their arrest and prosecution. However, our best guess is that they are simply overwhelmed.

As for Meunier, it is our opinion that the evidence provided in the book Hunting Cyber Criminals, and TheDarkOverlord investigation report, more than meets the burden of proof needed for a search warrant. However, Canadian law operates quite differently.

Having been involved in several conversations with law enforcement in Calgary, we find that both Meunier and Karvouniaris appear to be well shielded by Canadian law. Without a literal smoking gun, it appears that both individuals will be walking away, free to continue committing crimes.

The hackers’ advanced technical knowledge and understanding of international law make them especially dangerous. They have no real reason to stop committing crimes, and their methods for covering their actions will only continue to get more sophisticated. If international cyber law requires a literal smoking gun (e.g., an IP address tied directly both to a crime and to someone’s house), it will never happen.

Regardless, both actors are presently active on various forums, consistently operating under several presumed aliases.

Establishing relationships in threat intelligence

Certainly, the most difficult part of this entire process can be establishing credible relationships with each of the threat actors on their preferred forums or marketplaces. Many gray hat and white hat hackers understand the necessity for these types of relationships, which can cross boundaries of ethical and legal behavior.

In 2020, the Department of Justice released guidance for “security practitioners who gather information from Dark Market forums”. According to the guidelines:

  • “It may be easier for an undercover practitioner to extract information from sources on the forum who have learned to trust the practitioner’s persona, but developing trust and establishing bona fides as a fellow criminal may involve offering useful information, services, or tools that can be used to commit crimes.”
  • “Forums operated by criminal actors may require proof that someone seeking access to the forum has bona fide criminal intent. For instance, the forum operator may require the purchase or delivery of malware or stolen personal information.”
  • “Engaging in such activities may well result in violating federal criminal law. Whether a crime has occurred usually hinges on an individual’s actions and intent. A practitioner must avoid doing anything that furthers the criminal objectives of others on the forums. Even though the practitioner has no intention of committing a crime, assisting others engaged in criminal conduct can constitute the federal offense of aiding and abetting.”