The cyberpunk novels of the 1980s and 1990s were rife with visions of “hack-for-hire” services openly doing business on the wrong side of the law, but that particular fantasy never seemed to materialize. Though underground markets have certainly developed, the world of threat actors has been dominated by state-sponsored groups and private criminal cliques that tend to be paranoid about keeping to themselves.
That’s not to say that hack-for-hire outfits don’t exist, but they have tended to be small fish in the sea. The recent unmasking of a globe-spanning group called Dark Basin is an indication that this market may be significantly expanding. Dark Basin reportedly has been operating in the shadows for years while targeting hundreds of institutions and thousands of individuals around the world, seemingly with a particular focus on activists and journalists.
Exposing the hack-for-hire kingpins
The report on Dark Basin is a result of three years of research by a team at the University of Toronto’s Citizen Lab, an academic research lab that specializes in studying threats to civil society.
Dark Basin appears to have been operating behind a public front called “BellTroX InfoTech Services,” an India-based company purporting to offer cybersecurity and web design services. The Citizen Lab researchers note numerous pieces of evidence that tie Dark Basin to BellTroX: phishing messages sent during Indian business hours, phishing kit source code with Indian IP addresses and references to national holidays, the use of personal documents of BellTroX employees (such as CVs) in some of the phishing attempts, and BellTroX social media posts that implicate the company in Dark Basin attacks. A further link was established because BellTroX appears to have participated in testing the link shorteners that Dark Basin used in its phishing messages.
Another connection is that BellTroX company director Sumit Gupta, who also goes by the alias Sumit Vishnoi, was arrested in California in 2015 for running a similar hack-for-hire operation under the guise of being a private investigator.
Paul Bischoff, privacy advocate with Comparitech, notes that the group appears to have had substantial legal room to maneuver right out in the open: “India is home to many phishing and scam operations that go about their business in broad daylight. Even if Dark Basin is shut down, another hack-for-hire business could replace it. So perhaps the best course of action is further investigation to reveal its clients and take legal action against them.”
Who hired the hackers?
In addition to the size and scope of the effort, the most interesting aspect of the story is the nature of the clients that appeared to be engaging Dark Basin’s services.
The Citizen Lab found that the hack-for-hire group was active on six continents as it targeted a broad range of organizations and industries. A common theme, however, is the targeting of public figures and activist or advocacy organizations, presumably with the intention of digging up dirt on them or spying on their plans. The report notes that Dark Basin targeted non-profit activist organizations, government officials and journalists, among other targets that would not have been particularly lucrative for cyber crime purposes.
For example, Dark Basin appears to have been heavily involved in phishing campaigns directed against net neutrality advocacy groups. It also targeted an activist group that was asserting that ExxonMobil had hidden information about climate change for decades. The report notes that Dark Basin’s clients were “… often on only one side of a contested legal proceeding, advocacy issue, or business deal.” Other prominent targets in this area include Greenpeace, the Rockefeller Family Fund, Public Citizen and 350.org.
There are also some questionable connections to governments. BellTroX staff appear to have openly listed items like “corporate espionage” and “email penetration” on their LinkedIn resumes, which have received endorsements from a handful of figures in Canadian and United States federal government and local law enforcement positions.
The Citizen Lab does not name any potential clients, but notes cases (such as the attack on the Exxon advocacy group) that show that Dark Basin had extensive knowledge of the internal structures of some organizations guiding its phishing attempts, information that would not have been available to the general public.
Not all of the targets were political or advocacy-oriented, however. Dark Basin also did a lot of work in the financial industry, primarily targeting hedge funds, government regulators conducting investigations, short sellers and journalists. The hack-for-hire group also attacked several international banks, investment firms and law firms.
Dark Basin also appears to have been contracted by wealthy individuals to intervene in personal disputes, such as one side of a divorce.
A new world of hackers-for-hire?
Nothing about Dark Basin’s methods was particularly sophisticated or original; the Citizen Lab attributes their successes to sheer persistence, sending hundreds of targeted phishing emails on a diverse array of subjects to the victim until something finally worked. Colin Bastable, CEO of Lucy Security, also noted that Dark Basin was likely paid well to polish its work: “The University of Toronto’s Citizen Lab’s report reads like a movie script. Half the time I’m thinking that the bad guys left so many trails that it must be an exercise in misdirection. Only State actors could pull something like this together. The quality of the phishing site landing pages is excellent, and the English grammar is very good – too good, unless you were running a very professional, well-financed and targeted operation. The subdomains are also well designed, especially for mobile users.”
The report concludes with a warning that the hack-for-hire market is likely already large and is poised to grow even further in the coming years. One of the key factors driving it is the normalization and increasing availability of private investigation and intelligence firms, which allow hack-for-hire groups like Dark Basin to create webs and layers of plausible deniability while hiding behind various shell companies and payment handlers.