Darkode, the illegal malware and exploit marketplace, returns on the Dark Web with new features and the same admin
Despite being shut down by an international law enforcement operation, the illegal malware and hacking forum Darkode is back, this time on the dark web, as a strictly invite-only forum relying on Blockchain-based authentication.
The hacking forum, described by the FBI as “one of the most dangerous cyber crime forums”, has returned a mere two weeks after law enforcement agencies shut it down on 15 July.
Europol coordinated an 18-month operation, codenamed Shrouded Horizon, involving law enforcement from 20 countries, which finally shut down the hacking forum Darkode.
In all, 28 people were arrested in the operation, including three hackers who had developed hacking tools traded on the forum.
Europol estimates that between 250 and 300 members belonged to the “most prolific English-speaking cyber-criminal forum to date… to trade and barter their hacking expertise, malware and botnets, and to find partners for their next spam runs or malware attacks.” Besides buying, selling and trading attack tools and stolen goods, members could also take part in discussion boards where they shared ideas and information about hacking.
Currently, darkcode.cc is a holding site, and on Monday the administrators announced its new and improved services, signalling to law enforcement agencies that they cannot keep a dedicated hacker down for long.
The new Darkode homepage reveals that the ringleaders are operational and not behind bars; it also carries a placeholder message aimed specifically at returning members.
The initial post states: “Most of the staff is intact, along with senior members. It appears the raids focused on newly added individuals or people that have been retired from the scene for years.”
Next, the post confirms that “the forum will be back in onion land”, referring to the Tor anonymity network and its onion services. It continues: “it will be invite only, and members we can confirm are still active will be given an invite (no one else)”, making clear that the forum will be strictly invite-only.
At present the page carries a “generate onion” button that is not yet functional. The homepage states: “Each user will have their own Onion, authentication to the forum will be made via the Blockchain API,” indicating that each member will reach the forum through a personal onion address and that only known members, confirmed through the Blockchain API, will be let in.
The post continues: “We will not store any form of user information except a hash of the BTC Guid, a BTC Wallet, and an alias if the user chooses to create one.” The Darkode administrators have clearly designed the home page to draw users back and to assure them that their details will be safeguarded. It further instructs members to steer clear of anyone who publicly claims to be a member of the forum, and of anyone who joined Darkode in the last six to eight months, since those people are most likely informants.
The post then anticipates the question of why this information has been made public: “We believe full disclosure on how the new forum will function is necessary to allow members to have confidence in its security. Our mission is to cast out any doubts in the setup as well as allow the world to critique the new system.” Under this design, an attacker would need a member's personal onion address as well as their wallet GUID before even attempting anything untoward.
According to The Register, MalwareTech, a 21-year-old UK programmer and malware analyst, has some information about the site's operators, and suggests that the July raids by the FBI and the European Cybercrime Centre missed Darkode's main admin.
MalwareTech wrote: “Originally the main admin known as ‘Sp3cial1st’ had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 users arrested were before bringing the forums back online.”
After making that statement, ‘Sp3cial1st’ apparently also put darkcode.cc up as a holding page for a few hours.
According to MalwareTech, the new Darkode format, in which every member has an individual onion address, “would allow the darkode admins greater control over who gets access, preventing people from accessing a hacked account without the owner’s onion url. It would also allow them to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers.”
MalwareTech further notes: “Even more interesting is that it states that bitcoin wallets would be tied to accounts and used for users to authenticate on the forums, this would mean that hackers could not use a hacked account to scam with unless they know the user’s private key.”
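The property MalwareTech describes, that a session can be opened only by whoever holds the wallet's private key, is a proof-of-key-possession login. The following is an added illustration written for this article; it is not Darkode's code and does not use the Blockchain API the post mentions. It implements secp256k1 ECDSA (the curve Bitcoin keys use) in pure Python, a hypothetical Forum class that stores only an alias and a public key, and a single-use server nonce so that a captured signature cannot be replayed. Every name in it (Forum, login_message, the alias "alice", the attacker key) is invented for the example.

```python
# Proof-of-key-possession login, illustrating the scheme the Darkode post describes.
# Added example, not Darkode's code; runs offline, no Blockchain API involved.
import hashlib
import hmac
import os

# secp256k1 domain parameters (the curve Bitcoin keys live on)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None or q is None:
        return p if q is None else q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def pubkey(priv):
    return _mul(priv, G)

def sign(priv, msg):
    """ECDSA with a deterministic nonce (RFC 6979 style, simplified)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N
    if k == 0:
        raise ValueError("degenerate nonce")
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature")
    return (r, s)

def verify(pub, msg, sig):
    """Standard ECDSA verification; rejects out-of-range r and s."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def login_message(alias, nonce):
    """Domain-separate the challenge so a signature made elsewhere cannot log in here."""
    return b"forum-login|" + alias.encode() + b"|" + nonce

class Forum:
    """Hypothetical server side: stores only alias -> public key and one live nonce per alias."""
    def __init__(self):
        self.members = {}
        self.pending = {}

    def register(self, alias, pub):
        self.members[alias] = pub

    def challenge(self, alias):
        nonce = os.urandom(32)          # fresh per attempt; only the latest is valid
        self.pending[alias] = nonce
        return nonce

    def login(self, alias, nonce, sig):
        expected = self.pending.pop(alias, None)   # single use: consumed either way
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False
        pub = self.members.get(alias)
        return pub is not None and verify(pub, login_message(alias, nonce), sig)

def demo():
    """Genuine login succeeds; a replay and a key-less account hijack both fail."""
    forum = Forum()
    alice_priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    forum.register("alice", pubkey(alice_priv))
    nonce = forum.challenge("alice")
    sig = sign(alice_priv, login_message("alice", nonce))
    genuine = forum.login("alice", nonce, sig)
    replay = forum.login("alice", nonce, sig)             # nonce already consumed
    nonce2 = forum.challenge("alice")                    # attacker has the alias, not the key
    hijack = forum.login("alice", nonce2, sign(0xDEADBEEF, login_message("alice", nonce2)))
    return {"genuine": genuine, "replay": replay, "hijack": hijack}
```

Calling demo() shows the genuine member authenticating while both a replay of her earlier signature and an attempt using the alias with a different key are refused. The server never holds anything an attacker could reuse as a credential, which is the point MalwareTech makes about hacked accounts; the scheme the post describes would additionally require the member's personal onion address just to reach the login.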
In all, the site not only appears to have been revived within two weeks of being shut down, but has returned with what is presented as a much stronger security design.
Just two weeks earlier, when the raids took Darkode down, US Assistant Attorney General Leslie Caldwell said: “This is a milestone in our efforts to shut down criminals’ ability to buy, sell, and trade malware, botnets and personally identifiable information used to steal from US citizens and individuals around the world… This operation is a great example of what international law enforcement can accomplish when we work closely together to neutralise a global cybercrime marketplace.”
Some Darkode members were reportedly also part of Lizard Squad, the group behind the 2014 attacks on Sony's PlayStation Network.
Law enforcement from 20 countries had to coordinate to make the operation a success, and in July it led to almost 70 members of what the FBI called one of the most dangerous cyber criminal forums being arrested, charged or searched. Although law enforcement has not yet disclosed their names, most of the arrested hackers had already been identified in the criminal community by word of mouth, as MalwareTech reports.
In the programmer's words: “It’s interesting to note that only about two of the arrested members had even been active on Darkode in the past few years, suggesting that the FBI might have just grouped together a list of known criminals who were also on Darkode, rather than targeting the forum itself.”
For now it is unclear how many of the original Darkode members will actually return to the new site.
According to the US Department of Justice (DoJ), Darkode vetted new members strictly: a prospect had to be invited by an existing member, and once invited had to prove their skills and demonstrate their usefulness to the forum's members before being admitted.
Darkode is not the first underground operation to come back after a takedown. The Silk Road marketplace, shut down in October 2013, reappeared as Silk Road 2.0 a matter of weeks later, and the GameOver Zeus botnet, disrupted in June 2014, resurfaced in a new, more resilient variant in July 2014.
Wired, The Register and Business Insider have contacted the FBI and the National Crime Agency for comment, but so far neither agency has commented on the return of Darkode.