Transcription performed by Leah Hervoly
JACK: Good versus evil. This is something I think about a lot, and I’ve come to the conclusion that it’s not a fair fight. [MUSIC] The good team has virtues such as ethics and morals, and tries to do what’s right. But the evil team by definition lacks virtues. They have no problem breaking the law or playing dirty to complete their objectives, but the good team will uphold the law. So, if you have an evil hacker in the world, they’re not gonna play fair or with morals to accomplish their mission. They’re going to deceive, lie, cheat, threaten, break laws, and be reckless. It doesn’t matter what it takes for them to be successful, and the hackers on the good team don’t do that stuff. They’re accountable, responsible, honest, considerate, and strive to have excellence in all that they do. To me, this means it’s not a fair fight. One side fights dirty and acts in bad faith and can’t be trusted, while the other can’t fight like that since their hands are tied to morals and integrity. But as you get into the weeds, it’s so hard to figure out who’s good and who’s evil and what’s right and what’s wrong. Sometimes you have to break the law to do what’s right. Sometimes good people just don’t know they’re breaking the law because there’s so many stupid laws out there that just should be removed. Sometimes there’s good people with good intentions, but their actions have horrible consequences. There’s also people who seem to be evil but they’re just misunderstood. What they’re doing might be controversial or really hard, but they know someone has to do it to make the world right. But with all that said, I still believe this story is about how a bad company hired an evil group to hack into good people.
INTRO: [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: I’m recording this call to use on the podcast Darknet Diaries. That’s alright with you, correct?
MATTHEW: Yes, that’s fine, yep.
JACK: Alright, so let’s start with what’s your name and what’s your title?
MATTHEW: My name is Matthew Earl. I’m the managing partner of ShadowFall Capital Research.
JACK: What is this ShadowFall?
MATTHEW: We are a short-focused firm that looks into companies that are listed that we think are either using aggressive accounting; sometimes that’s just aggressive accounting, sometimes that’s possibly fraudulent practices or unethical conduct by management. Or it might be…
JACK: [MUSIC] I’ve never heard of a short-focused firm before and had to spend some time figuring this out, but basically what Matt does is he looks for companies that are about to tank in the stock market and then short that stock, which means if their stock price goes down, Matthew makes money. As a short seller, he’s gotta do his homework into which companies are ripe to be shorted. Back in 2015, Matthew started watching a German payment company called Wirecard AG. They had announced that they were going to buy an Indian company for over 300 million euros which just didn’t seem right.
MATTHEW: When I looked at that acquisition, it didn’t look as though it was worth 340 million euros. I thought well, that’s kind of interesting, and I’ll dig a bit more into this company.
JACK: [MUSIC] Matthew was interested because an over-valued buy might mean that Wirecard [00:05:00] was misrepresenting themself or mismanaging their money or doing something wrong, which makes it a good target to short the stocks. As he looked into things, it became obvious.
MATTHEW: This looks like a classic accounting fraud.
JACK: To add to that, Wirecard also had a checkered past.
MATTHEW: As I looked into the history of the company, there were allegations that had been raised in the past against it that it was embroiled in money laundering.
JACK: These allegations went back a couple years. German prosecutors investigated Wirecard about money laundering connections to online gambling in the US. They even raided Wirecard’s offices but didn’t come up with anything. Wirecard insisted they weren’t doing anything wrong, but Matthew wasn’t convinced.
MATTHEW: Then when I conducted more research into the company, I worked out that it seemed as though they had set up an entire structure, a network of companies that were used for money laundering purposes.
JACK: At this point, Matthew invests in shorting Wirecard, believing that this company’s stocks are going to go down once the truth catches up with the company. [MUSIC] He also felt that authorities and the public needed to know about this, but he wanted to protect himself from backlash, so he published under an alias; Zatarra Research. The report dropped in February 2016. It alleged that Wirecard was deceiving its shareholders, was tied up in money laundering, and had defrauded Visa and Mastercard. Wirecard didn’t like these accusations and pushed back, saying Zatarra’s claims were baseless. At this point, things took a bad turn for Matthew Earl because in the following months, his Zatarra cover got blown. In December, a document was spread around online, accusing him of criminal insider trading and market manipulation.
MATTHEW: It was extremely concerning because obviously very serious allegations were within the document, again, accusing me of being a criminal, of falsifying all the research, of being in – colluding with journalists.
JACK: Even worse, the document had creepy surveillance photos of Matthew.
MATTHEW: There were pictures taken of my house, of myself opening the front door, and it was very clear from those pictures that the photographs had been taken not in the winter months of December but they had been taken in the summer months.
JACK: [MUSIC] Someone had been watching Matthew for months, but he was just finding out about it now. This put him on high alert. It wasn’t much later that he noticed a strange car parked on his street. He lived in a cul-de-sac with only a few houses, so it was easy to spot something out of place.
MATTHEW: Suddenly I saw a black Mercedes Coupe that had parked outside, and there were a couple of guys that were looking around. It just seemed unusual as it happened. Because it seemed so unusual, I took a photo of it, of the vehicle and the license plate, and it was around 9:00 in the morning. I was going into London later that day and as I was driving up to the station, I noticed that their vehicle suddenly appeared. I realized that they had been – there was a car following me. Not quite certain, but then as I got out of the car to go to the station, I’d realized I had left my wallet at home. So, I turned ‘round and this black Mercedes Coupe; I don’t think he expected me to turn around. He just kind of froze and was staring at me. It was quite obvious that I was being followed at that point, so I just went straight home. I noticed then, when I got home, that there was another car where there was a guy sat in there with a camera taking photos as well.
JACK: Whoa, this is like a movie. Matthew called the cops and said to send someone by. Matthew also called his lawyer who offered to send an ex-special forces guy to come protect Matthew. Matthew turned him down; he wasn’t excited that people were watching his house and his family, but he didn’t feel like bodily harm was coming his way.
MATTHEW: It was just a very odd few days.
JACK: It got weirder. A couple of days later, two men from an investigative agency called Kroll showed up at his door.
MATTHEW: They asked me; they said, are you Matthew Earl? I said, yes. They said, you’ve got a strong interest in Wirecard, haven’t you? I said, well, I’ve written on the company. They said yes, but would you like to talk to us about it? They were quite sinister and quite creepy, in fact.
JACK: Matthew didn’t want to talk to them about anything. The two men let him know that they were there on behalf of Wirecard and gave him a letter. It was from Jones Day, a law firm representing Wirecard. Matthew says the letter accused him of collusion, conspiracy, defamation, libel, and market manipulation. That was just the beginning. The surveillance and threatening letters continued for months.
MATTHEW: With the sinister nature of the surveillance, what’s their ultimate intention? Is it to intimidate just from a distance or is it to go further beyond that, I guess? Because I can tell you it’s not nice having car – vehicles parked outside your house and being followed to the station. [00:10:00] When I drove out with my children in the car, there were the vehicles following me then. We had have our – the school have passwords put up with the school so that when we collected the children from the school, that those passwords had to be given so that no strangers could take them, had to have the police around. They took it so seriously with the surveillance that our home line was put on rapid response, so if we were to dial 999, your equivalent of 911, and even just hung up, then the police would automatically send a response vehicle ‘round. It was pretty stressful and frightening, certainly for the first couple of weeks.
JACK: What was the worst part of all this for you?
MATTHEW: I think it was the uncertainty as to what they would do, because obviously they had gone to the lengths to put me under surveillance, to try to discredit myself. It was, well, would they be satisfied with that or would there be anything else that they would – would there be any physical danger?
JACK: [MUSIC] On top of everything, Matthew started getting these suspicious e-mails.
MATTHEW: They were relentless. They came thick and fast. Ultimately, over I guess three years, I received well over 3,000 e-mails.
JACK: He could always tell that there was something a little bit off about these e-mails, but they were put together in a pretty convincing way. He got e-mails with links that looked like they came from his sister. He’d get a Dropbox link that supposedly came from his friends and family, and he’d get links to news articles about Wirecard.
MATTHEW: It was astonishing just how much information, detail, they had in order to craft these e-mails that they were sending to me.
JACK: Which surprised Matthew because he didn’t feel like he had much of a social media presence. He was on Twitter, but didn’t have Facebook or LinkedIn.
MATTHEW: Whoever was sending these e-mails clearly had an understanding as to what subject matters I was interested in, who my friends were, who my family were.
JACK: There were so many e-mails coming in. At one point, Matthew was worried that one of his kids might pick up his phone and play a game and accidentally click on a suspicious link.
MATTHEW: It was horrible, very stressful. Then ultimately, as time passed, it just became very frustrating because you think well, why won’t they ever stop? Just give it a rest, right? They didn’t. That was the thing.
JACK: Matthew believes that somehow he didn’t click on any of the bad links. [MUSIC] But who was sending these to him? He knew the Kroll investigators and Jones Day were with Wirecard, but were these e-mails from them, too? Matthew showed them to his lawyer.
MATTHEW: They were amazed. They said that this level of sophistication within the e-mails was something they thought could almost be state-sponsored. They said it was just unbelievable.
JACK: It turns out Matthew wasn’t the only person on the receiving end of these relentless hacking attempts. A journalist who had also written about Wirecard was getting these weird e-mails, too. Matthew told this journalist he’s getting the same e-mails and asked what to do. The journalist suggested Matthew send the e-mails to Citizen Lab in Toronto, Canada. In the spring of 2017, Matthew got in contact with Citizen Lab and started showing his e-mails to them. By this point, Citizen Lab already had quite a case built on who might be sending these e-mails. So, I called the researchers at Citizen Lab to get the story.
JOHN: [MUSIC] I’m John Scott-Railton. I’m a senior researcher at Citizen Lab at the University of Toronto’s Munk School, and with me is…
ADAM: I’m Adam Hulcoop, a research fellow at the Citizen Lab.
JACK: Citizen Lab is all about protecting free expression, transparency, and accountability on the internet. They put a real emphasis on helping defend human rights organizations and other groups from cyber-attacks, people that might not be able to defend themselves. John says the primary focus is to understand digital threats against civil society.
JOHN: This is like, threats against journalists and human rights defenders, opposition politicians, and so on. A big focus of our work is that these groups face the same kind of threats that are also pointed against governments and industry. They usually can’t pay for security.
JACK: In my mind, you’re superheroes because there are people who are desperately in need of help and you’re just gonna help them free of charge. It’s amazing what you do.
JOHN: It’s absolutely an area of need. You’d be amazed at how many organizations are doing really important work around the globe but are not really equipped to protect themselves. They’re too busy protecting others.
JACK: [MUSIC] That’s what made Matthew Earl a good fit with Citizen Lab. He was just one guy up against whoever was bombarding him with e-mails. Citizen Lab was able to step in and help. Adam says their work is rooted in open-source intelligence, or OSINT. Are you a forensics person, a [00:15:00] threat intelligent – how do you know these techniques?
ADAM: I think that’s just sort of the – that’s the study of computer forensics, of attacking techniques. As we’ve been doing this year over year and these are the things you learn, these are the techniques and tricks and investigative steps that you learn and you share in your community of investigators and with your peers.
JACK: Citizen Lab takes their work seriously. Their research is evidence-based, they’re ethical, and work with the victims to compile evidence and build cases. They rely on victims sending them suspicious e-mails or infected machines, and also on publicly-available data when building a case. Citizen Lab’s investigation into the hacking group began a bit before they heard from Matthew Earl. A Reuters journalist writing about Wirecard was the first to tip them off.
ADAM: Someone had sent us a ping saying hey, you know, something weird; I’ve gotten these – this strange set of e-mails and something seems wrong. Can you guys take a look at this?
JACK: John and Adam said it looked like a somewhat convincing phishing e-mail. So, this phishing e-mail that you first got, how good was it? Was it really good to the point where you would have been tricked or the average person would have been tricked to clicking it, or was it kind of lame?
JOHN: I would say it was like the kind of phishing e-mail that winds up being statistically effective against a certain percentage of any basic users. Adam, what do you think?
ADAM: Yeah, I would say it’s very convincing. I would say the majority of the samples that we examined, they really were copies of notification messages that everybody gets throughout the course of using the internet and communicating with friends and family.
JACK: [MUSIC] These e-mails were meticulously crafted specifically for the target victims. That much was certain, and it seemed like all of the victims were involved with researching Wirecard and exposing Wirecard, so the question was were the hackers within Wirecard sending these phishing e-mails, or who was behind this? If you clicked on them, what would they do? We’ll try to answer those questions after the break. Stay with us. The researchers at Citizen Lab got right to work investigating these e-mails. They created a sort of sandbox computer which let them click the link, a safe place to allow them to what they call ‘detonate the link’ to see what happens. When they clicked it, it took them to a site which asked for their login credentials. Adam says the page looked pretty legit.
ADAM: When you click that link, the phishing site you land on knows who is coming and they can pre-load that text and pre-load that screen to make it look like – you’ve already been signed into your Gmail; just re-enter your password for us.
JACK: That’s the goal, to get you to enter your password. If these hackers could get the password to the victim’s e-mail, they would have access to the e-mail and be able to read what that person was working on and what they’re gonna do next. That was the intention of these phishing e-mails. While John and Adam were looking over these e-mails, they noticed something about the phishing links. Here’s Adam.
ADAM: We took a look at an e-mail and sure enough, in there, we found some suspicious links that were shortened using a URL shortener. That kind of sparked the investigation.
JACK: Hm. A good example of a URL shortener is TinyURL or Bitly. Basically, what they do is take a really long URL, something that’s hard to type or memorize, and shorten it into something small and tidy. When you click on the shortened URL, it redirects you to the longer URL automatically. This makes it easier to share, but if you’re a hacker working with long phishing links, a URL shortener is a way to hide what the actual URL is, because you might be hesitant to click on a [MUSIC] website which is in another country or has some weird domain, but people use Bitly links all the [00:20:00] time, so it’s more common for us to see and therefore, we might click on it. John and Adam started to dig into these shortened URLs used by this hacking group.
ADAM: We started to peel them back and take a look. Okay, where does this shortened URL come from? Where was it residing?
JACK: Fortunately for Citizen Lab, this hacking group didn’t use a commercial shortener like Bitly. They used shorteners created with open-source software, and this particular software conveniently sequenced each shortened URL which was an amazing find for Adam.
ADAM: As we started to look closely and examine this publicly-available URL shortener, we learned that hm, interestingly, you could enumerate the different short URLs that were generated by this software. So, that’s what we did. We started enumerating through the different short URLs that were already created and present hosted on the same shortener, the same site, if you will.
JACK: [MUSIC] Enumerating meant they could just add one more number to each URL and see the phishing URLs that the hacking team was sending out. The link shortener software they were using was easy to step through every shortened URL that was ever made, which gave Adam and the team a massive amount of information related to this hacking group. They were starting to collect enough information on this shady hacker group at this point, and they decided to give them a name. Dark Basin was what Citizen Lab named this hacking group. Adam and John and the team at Citizen Lab began walking through all of the shortened URLs, saving all of these pages to put in a sort of file that they were building on Dark Basin.
ADAM: We had to actually create scripts that would do this enumeration for us on a continuous basis. We would wake up in the morning and just be faced with thousands of new phishing links, like, daily for quite a period of time. Every day we were waking up to thousands and thousands of new phishing links and just this massive pile of information. To me, personally, that was very exciting in the sense that we knew we were onto something very, very big here with that quantity of attack telemetry. That was certainly, I would say from an investigative standpoint, the highlight to me. It got us very hooked into the investigation and it really made it clear to us that there’s definitely something worth the effort to uncover here.
JACK: E-mails were sent to victims with phishing links in them, but now Citizen Lab just uncovered a huge amount of those phishing links. They didn’t have the e-mails, but they could now see all the websites that they were trying to send victims to, websites that looked like logins to a victim’s account, but really weren’t. [MUSIC] Suddenly, they were able to see how wide this campaign was by looking through thousands of phishing websites and analyzing them. But they wanted to take this a step further. Adam had a plan.
ADAM: As we started to look at more and more of them, we were seeing that the operators of this shortener had encoded the target’s e-mail address into that un-shortened URL. This is where it really started to unravel.
JOHN: Yeah, so it’s a bonus when the threat actor provides a mechanism for the list of targets. We just crawled all the shorteners that we could find; first, the ones that we found in this message, and then others that were linked to it with infrastructure analysis.
JACK: John and Adam found almost thirty different URL shorteners used by this Dark Basin hacking group. They kept enumerating and pulling out long URLs, then extracting target e-mails. They figured they could look up some of the targets online, try to uncover who these people were in real life. Maybe this would shed some light on why they had been targeted in the first place which would lead to more clues about who Dark Basin is. Surprisingly, their target database grew to thousands of e-mail addresses. While one journalist and Matthew Earl were the victims that came to them with these e-mails to begin with, the team at Citizen Lab were uncovering that hundreds of people were actually being targeted by this same Dark Basin hacking group. They could see that these hackers were targeting unique victims because e-mail addresses of the victims were in the phishing URLs. Here’s John.
JOHN: Just very quickly gave us the sense of a massive scope of targeting. We went through the same analytical dance that I think most organizations do when they find a big threat actor which is like oh, this has gotta be Russia, right? We found a government actor for sure because of all the targets.
JACK: Because this was such a big hacking campaign, it meant that whoever did this had interests in people all over the world in many different sectors. Who would do that? Possibly a nation state actor. But you can’t just say oh, it’s Russia, without evidence. It’s a decent theory, but we need proof. They kept digging, analyzing the targets, building maps and clusters, like where the targets were in the world, and what kind of businesses do they work for, like, are they all journalists or do they all work in tech or something like that? [MUSIC] [00:25:00] Any commonalities between targets can help paint this picture because then you start asking who would have an interest in hacking people like that?
JOHN: As we expanded out our digging, it became pretty clear that our targets were not just the bread and butter of a nation state actor. I just say Russia as an example, but it wasn’t just energy companies. It wasn’t just journalists. It was like, people who appeared to be having semi-public divorces, random people or people who owned – two people who owned a house-building company somewhere. It became pretty clear that because of the sheer variety of the targeting, it didn’t make sense for this to be anything other than a bunch of different targeting requirements coming from very different kinds of players. We began getting this sense like, oh, you know what? This doesn’t look like a government. This looks mercenary.
JACK: Mercenary. That would mean these hackers are for hire, and a bunch of different people all over the world have hired this hacker group to carry out different objectives. Because they’re seeing so many random targets, it must mean it’s coming from a hacker group who takes random jobs from random people. This was a pretty good assumption, and sometimes you have to start with an assumption and work backwards to try to see if there’s evidence backing it up. John and Adam started going in this direction. [MUSIC] They wanted to figure out who this hacking group was, what motivated them, and maybe most important; who was hiring them?
JOHN: That kind of discovery really shaped how we began approaching, which is we have to then understand okay, there are clusters of targets within here who will all be part of the same package that this group was paid to target. We should take these groups and start engaging them, try to figure out why they might have been targeted, who might be behind it.
JACK: This meant doing all that open-source intelligence-gathering, or OSINT, for short. They’d have to crawl the web and do a digital investigation to figure out who the people were that were being targeted and if they were connected to other Dark Basin targets. John says it took a lot of work.
JOHN: A couple of colleagues at the Citizen Lab spent – I don’t want to say the best years of their lives, but they spent a substantial amount of time working with us to OSINT the shit out of all of these e-mail addresses to try to figure out who these people were and then to do clustering.
JACK: What they were trying to do is figure out if the targets had anything in common because if they found commonalities, [MUSIC] this could help define who the adversary might be. As groups of targets started to take shape, Adam says there were some that bubbled up to the top.
ADAM: Early in this investigation I would say, there was a lot of targeting that was going at these financial clusters and the short sellers and the people who were investigating Wirecard; the journalists and so forth.
JOHN: Basically, everybody who reported on or was critical of the financial practices of Wirecard got targeted by this group over years and very extensively. Some of those targets were in touch with the lab and were helping us track and understand the kinds of things that were hitting their inboxes.
JACK: Again, that’s the cluster that included that British short seller, Matthew Earl, and the Reuters journalist who helped kick off this investigation. But John says there’s another clue which really got Citizen Lab’s attention early on.
JOHN: We do an initial set of clustering. We’ve got clusters who are in the financial sector and we’ve got clusters who are kind of in politics that want international targets, and then one group really jumps out, and this is a whole bunch of American environmental NGOs with familiar names like Greenpeace and a bunch of others.
JACK: Some of these other groups that were being phished were people who were involved with the Rockefeller Family Fund, the Climate Investigations Center, and the Center for International Environmental Law.
JOHN: It wasn’t immediately clear why they were all connected. There were a lot of them and it seemed to be – in some cases – some very specific people had gotten really heavily targeted, then there were people who were kind of one-step-away connected to them. From what began as just desk research eventually wound up as like, me hopping on a plane and going and meeting with people and getting groups of people together to try to [MUSIC] figure out why on earth they were all being targeted at the same time.
JACK: John went to a conference at this point which was unrelated to this investigation.
JOHN: I was at a conference and doing the hallway track where you take a break from the sessions, and sitting at a little table. This guy and a couple other people sit down at a table and people go around, do the introductions, and he introduces himself. I have this holy smoke moment ‘cause he was one of the targets.
JACK: John was sitting face-to-face with one of the people he had been investigating for quite a while, a victim of this phishing campaign. At a large conference like this, it was just sheer luck to run into this guy. But John didn’t want to say anything in front of everyone at this table, so John got his business card and then called him up later, and things really snowballed from there.
JOHN: It was [00:30:00] from that initial connection that I pulled together meetings with these organizations, so one of the first pieces of feedback that came back was like, oh, we knew something was going on. We had this feeling. Some of the organizations had kind of a memory of getting a lot of weird e-mails. Some of the people were sort of like, I feel like I’m under attack. Well, link them all together, is that they were all doing advocacy on a campaign called the ExxonKnew Campaign.
HOST: [MUSIC] Guess who knew about climate change decades before most people had even heard of it; ExxonMobil, one of the world’s biggest oil companies. They knew this from their own research back in 1977. Ironic, ‘cause now they’re one of the leading opponents of climate change science.
JACK: This ExxonKnew Campaign involved a bunch of environmental groups that alleged that Exxon knew about climate change but lied to the public about it. The gist is that this deception strategy helped Exxon make billions of dollars while slowing the response to climate change. ExxonKnew compares to what Big Tobacco did in the ‘90s which was misleading people about the harmful effects of smoking. For some reason, all these environmental groups that were against Exxon were getting phished big-time, and probably hacked. For John and Adam, their new acquaintances were a way to get more data on Dark Basin. They coached them up to look for phishing e-mails past and present, and put them in a timeline of attacks.
JOHN: [MUSIC] One of the most remarkable things that came out of our digging was that there was this private e-mail thread that had made its way into the US press and some articles that were critical of the campaign; ultimately, sort of accusing these organizations of somehow conspiring to make the oil industry look bad.
JACK: This e-mail thread had an agenda for an early meeting between ExxonKnew organizers. It included people’s names and e-mail addresses in the header. It outlined a group of goals for de-legitimizing Exxon, like divestment and potential media campaigns. The leak popped up in the news cycle, and Exxon also posted it to their website with a bunch of information about ExxonKnew. They used it as evidence that activists were leveraging the press and public officials to damage the company. But for John and Adam, the leak was important because of how it matched up with their timeline of Dark Basin phishing against ExxonKnew.
JOHN: What was fascinating is that when we timelined some of that stuff, some of that – we could say, leak-flavored product against the phishing, it became clear that [MUSIC] this was this big wave of phishing that happened and then stopped right before that leak material was made public.
JACK: They noticed another wave a few months later. The New York Attorney General, who had launched a years-long investigation into Exxon, made a court filing that accused Exxon of misleading investors about how it accounted for climate change risks. Dark Basin phishing e-mails rained down on ExxonKnew members after the filing. Wirecard and ExxonKnew offered a ton of circumstantial evidence that showed that the Dark Basin hacking group was trying to hack the people who were actively exposing these companies’ wrongdoing. But John and Adam found that Dark Basin went way beyond these two stories. Their spread was massive. They hit government officials, political candidates, financial firms, pharmaceutical companies, advocacy groups, and smaller targets like divorce cases. It’s alarming how wide their reach was, but all this data was being collected by Citizen Lab to try to understand who Dark Basin was. John and Adam had loads of historical data and they’d regularly get new stuff rolling in. The trail was never really cold.
JOHN: There would be a moment where we’d just be like oh, man, we got nothing. We’re no longer – we have all this retrospective stuff but we can’t track them today. Then, as often as not, a target would get in touch and say hey, I just got this e-mail today. Here you go, and there would be our next piece of infrastructure and we would claw back some visibility.
JACK: Which was important because John and Adam were still trying to figure out who was behind Dark Basin and where they were. We can start kind of with you’re – trying to figure out who’s doing this.
JOHN: Yeah, so this was an interesting challenge for us because we got to the mercenary part long before we figured out who the sort of mercenaries were in this case.
JACK: Fortunately, John and Adam had some help with their investigation into these mercenaries, some additional clues to help guide them. [MUSIC] They collaborated with NortonLifeLock which is a security application, and they were also tracking Dark Basin, but they called this group Mercenary.Amanda. There was this other report from the Electronic Frontier Foundation. Back in 2017, EFF had identified an advanced spear phishing campaign that attacked internet freedom advocacy groups. The attackers sent out legit-looking e-mails asking people to go to Google, Dropbox, and LinkedIn to log in. If they did, [00:35:00] it would steal their login credentials. Sounds familiar, right? EFF figured out that whoever was running the attacks was probably working out of an office in a particular timezone. John says they saw that, too.
JOHN: We began spotting all of these different things that started pointing to a particular player. The first thing that really clued us in was that the timing of the attacks appeared to fit the time frame of India’s timezone.
JACK: India is a big country, but it only has one timezone, India Standard Time, which is GMT+5:30. What John and Adam saw was that the attacks happened within what would be a typical work day in India. They also saw that India Standard Time was stamped into some of Dark Basin’s phishing code. But some threat actors put in fake clues to throw people off, and so it’s possible they faked the timezone in the code and purposely were active during business hours in India to hide themselves, but the Indian connection didn’t stop with the timezone. Adam says the names of the URL shorteners were another clue.
ADAM: As we tracked these URL shorteners, they were using an open-source shortening software and that software, one of the things that it had was a web UI, like a web front end. They had given them titles, and the titles in several cases reflected things that had cultural significance in India.
JACK: A couple were named after important events like Holi and Rongali. Adam says they came across even more helpful information because Dark Basin didn’t do much to cover their tracks. They left stuff out in the open sometimes.
ADAM: We also were able to collect log files from the credential phishing websites. They just left them there, left them open.
JACK: In these log files, John and Adam could see Dark Basin hackers running tests to make sure their phishing code worked. The IPs running these tests were from India.
ADAM: But there were other cases where they worked, where they were – you’d have a test with a VPN and then right away, the same link would have been tested again, but it was actually coming from an Indian-based broadband provider.
JACK: This was another piece of the pie. They had the timestamps, the URL shortener names, and now IP addresses all linking this to India.
ADAM: We had these pieces falling into place that were suggestive; each piece was another little bread crumb suggesting operators working out of India.
JACK: To me, at least, all this information Citizen Lab was collecting from their investigation was really impressive. I wouldn’t have thought to try to enumerate the URL shortener or even look to see if there were log files visible in the phishing websites. But with all this information, Citizen Lab now had an idea of where Dark Basin was. But they were still hunting for the who.
JOHN: [MUSIC] Then we get – we get sort of the next layer of clues.
JACK: John says Dark Basin hackers made some glaring errors when testing their phishing kits.
JOHN: What really caught our attention is that the operators didn’t just do some tests. Their compartmentation was not great. Where it got really interesting is that in some cases, to test out things, operators would share stuff that might be more personally relevant to them on the shorteners.
JACK: See, since the hackers set up this URL shortener, they actually used it to send links between each other. In one case, a Dark Basin hacker shared a link with another Dark Basin hacker which took them to a shared drive, and that had a resume or a CV there.
JOHN: The CV described a bunch of skills and responsibilities like information-gathering about target, create phishing page and campaign for target, e-mail investigation, e-mail tracking.
JACK: Of all the things a hacker could share to test their phishing kit, these guys shared something personal. It was a job description that seemed to look a lot like what Dark Basin hackers were doing. Because of this CV, Citizen Lab had somebody’s name and the name of a company in India they worked for. John looked the guy up.
JOHN: The guy, when we looked at him, listed his job description as a penetration tester for a company called BellTroX InfoTech Services. It didn’t end there. We also found another person who also listed his employer as BellTroX InfoTech Services posting online on a message board.
JACK: This other guy was offering up more than just a job description. He was sharing company secrets, pulling back the curtains.
JOHN: He’s like hey, let me show you this cool technique that I’ve got. Look at these swank-looking phishing pages that I’ve generated. The screenshots included the infrastructure that belonged to this operation.
JACK: [MUSIC] These employees were evidence that BellTroX, a company based in New Delhi, was into phishing and probably hacking, too. John and Adam dug deeper.
JOHN: BellTroX had a web presence [00:40:00] and the web presence described them as doing penetration testing, certified ethical hacking, and also medical transcription, and a couple of other strange activities. In the marketplace for e-mail compromise, certified ethical hacking and penetration testing are unfortunately often used as code language for ‘we’ll hack inboxes for you.’ We were never able to find out whether they actually did do medical transcription, but it seemed like a clever front for their real activity.
JACK: Was that real activity being Dark Basin, a massive hack-for-hire mercenary outfit? John says BellTroX left a lot of incriminating info out there in the open.
JOHN: One of the things that made this investigation possible is that BellTroX was noisy. Their people had a lot of stuff that were publicly exposed. This meant that they would do things like post online. They had LinkedIn pages with likes and that often described exactly what it was that they did, [MUSIC] like e-mail hacking and penetration. The LinkedIn profiles ranged a bit, but some of the guys looked like they had been at this game for a while and they had profiles, pictures of hacker types with sunglasses and binary streaming by in the background and goofy e-mail addresses with 007 in them, offering all kinds of wares. Then others seemed a bit more professionalized. It was very clear that some of the people who worked at BellTroX were offering what were clearly illegal services.
JACK: This wasn’t a case of a few bad apples in an otherwise innocent IT company. BellTroX’s history of illicit activities went all the way to the top, to the guy running the show: Sumit Gupta. John says Sumit Gupta has a history in the hack-for-hire business.
JOHN: The owner of BellTroX has been indicted and charged and is currently a fugitive from justice in the US, but not because of this latest case, but because there’s an earlier set of cases where he was part of a group working with American private investigators to do exactly the same kind of activity.
JACK: The prior case offers important insight into understanding Sumit Gupta, the work that BellTroX was doing, and where their clients were coming from. But to understand this, we’ve got to turn back the clock to 2012. It’s a time before NortonLifeLock and Citizen Lab were tracking Dark Basin at all, and before the EFF reported about an advanced spear phishing campaign. Back in 2012, there were two competing American companies that sold nutritional supplements. One was named Visalus and the other was named Ocean Avenue. Some of Visalus’ distributors had signed on with Ocean Avenue, so Visalus sued, accusing the distributors of violating a non-compete agreement. Amid the ensuing court battle, Visalus hired two private investigators to look into Ocean Avenue. They wanted information to bolster their case, but things went a little too far. The private investigators hired hackers to break into Ocean Avenue’s computers which was totally illegal. One of the hackers was Sumit Gupta.
[MUSIC] These guys successfully got into Ocean Avenue’s computers, but their operation came unglued. One of the hackers got cold feet and confessed to one of the targets. This led to a 2015 federal grand jury indictment which named five members of the scheme and charged them with ten counts related to conspiracy, accessing protected computers, and intercepting electronic communications. Everyone but Sumit, who was believed to be in India, pleaded out. The two PIs and their Visalus contact were sentenced to probation. The hackers who had fessed up actually had a prior record and were sentenced to three years in prison. Sumit’s case was turned into a fugitive criminal one. The FBI got in touch with their New Delhi branch, but Sumit remained at large. It’s been eight years since Sumit was known to be involved in this hack-for-hire scheme with the Visalus case. It seems like he’s been busy, too. Sumit has taken this model of working with private investigators to the next level. The PI thing is something John says they saw with BellTroX.
JOHN: One of the things that we learned pretty quickly is that BellTroX and their people would openly solicit online. One of the big audiences that they seemed to be targeting was American and Western private investigators, offering all kinds of e-mail based targeting services with, in some cases, coded language and in other cases just saying exactly what they would do for you. Their pages had endorsements from hundreds of Western private investigators. It doesn’t take a very sophisticated person to feel that there’s something off about this company. It led to this question; why have all these private investigators vouched for this random Indian medical transcription/penetration testing company? Imagine if a private investigator is hiring a bunch of hackers; they’re not gonna splash it all over the place which is why it was so [00:45:00] interesting that private investigators did still feel comfortable vouching for these guys on LinkedIn.
JACK: This was a big, loud clue along with the others that something wasn’t right with this company, BellTroX. This supposedly innocent Indian company was up to something, although the PI thing kind of makes sense, right? There’s a vast network of professional investigators out there. Why not tap into their market and position yourself and services as a go-to tool in their toolbox? Forget the legalities.
JOHN: [MUSIC] It made us think that maybe the kind of practice that BellTroX is engaged in is not that uncommon in the field of private investigations. Subsequent discussions with private investigators and others has made it clear that is the case, and that a lot of PIs do use this kind of service as part of their investigations.
JACK: Here’s something else to support that; Sumit Gupta has a Pod.io profile still up on the internet. He’s listed as Sumit Vishnoi, one of his known aliases which is also in his court records. His profile says he’s with BellTroX which is described as a cyber-intelligence company. The clients he’s interested in are private investigators, corporate lawyers, corporate investigators, corporate firms, celebrities, and politicians. There’s nothing about medical transcription. It’s pretty clear that he and BellTroX were interested in and hooked in with private investigators. But what remains unclear is who might’ve been on the other end of this client chain. Who hired the PIs? That’s hard for Citizen Lab to say.
JOHN: The challenge for us is to apply the same level of rigor to all of our investigative pieces, and there are pieces that can be seen about these groups and pieces that are not seeable by us. For example, it’s very likely the case that anybody who is a big company who hired BellTroX may have done it through layers. Maybe they hired a law firm who hired an investigator who hired an intermediary who hired BellTroX. We don’t really know. It’s very hard to make statements like so-and-so hired so-and-so, even. We want to be careful to get these things right.
JACK: Citizen Lab doesn’t have hard evidence on somebody like Exxon or Wirecard directly hiring BellTroX or even having it done through a middle-man. What they can see is that there were all these phishing attacks on sets of targets, and they have a lot of circumstantial evidence linking those attacks. You never know for sure when it comes to this, so all you can say is that you have a high confidence in your assessment.
JOHN: Our mental model for what goes on is that private investigators hire BellTroX to gain access to material that could then be used in all sorts of different ways. It could be leaked to the press, it could be used in a legal dispute to apply leverage, it could be about figuring out an opposing party’s strategy in something political. Indeed, we think we felt evidence of all those things.
JACK: When looking at the big picture of this hack-for-hire scheme, John says the motivations seemed different than other types of attacks.
JOHN: What this really showed us was that there is a very large industry that does this and that pretty much wherever you scratch, whatever vertical you’re looking at, a component of the hacking that large organizations and small organizations face is this kind of stuff which is different than ransomware. It’s different than business e-mail compromise. It’s different than CEO fraud. It’s just part of the complete breakfast of bad stuff that maybe points at an organization. What’s different about this from some of those other cases, that the motivations here do not appear to be primarily financial. They’re not trying to get into bank accounts. They’re not trying to trigger wire transfers. They’re looking for, in some ways, the even more valuable commodity which is a commodity that’s directly beneficial to the adversary of a company which is real different than a parasitic commercial operation trying to steal a bunch of money.
JACK: In their report, Citizen Lab calls large-scale hacking operations like Dark Basin a threat to democracy. They say it’s a tool for the powerful and can be used to attack people who can’t defend themselves. It’s a brazen approach that really stood out to Adam. He says the way BellTroX went about their business was shocking.
ADAM: From my perspective, this kind of activity coming from an organization that – it has the public face; like, BellTroX is a company. They’re out there. They’re publicly advertising services in and around this sphere, and they’re out there operating completely in the open. To me, that’s just even more egregious than what we know is out there. For example, on the dark web, you know that there are contractors and people working piecemeal to selling services of this kind, of hacking e-mail and hacking social media accounts and so forth, sort of onesie-twosie style. But having a company basically existing in public and operating like this is especially egregious.
JOHN: [MUSIC] Yeah, to build on what Adam’s saying, there’s another problem which is it doesn’t look that different from some of the other kinds of phishing that companies face where they just look at it [00:50:00] and they’re like, okay, caught this, right? Caught the doing business. But the risk behind this is in some ways a lot greater because it’s part of a package of things, right? The targeting doesn’t end with the successful exfiltration of an e-mail. It would end with the successful use of the information in that e-mail to harm somebody, a company, to harm a reputation. Very different stuff, but on the initial technical end, it kind of looks the same. We’ve also gotten the sense that big platforms are just starting to really come to terms with how bad the problem is. We know that Google, earlier this year, for the first time in one of their publications from the TAG Group, they’re talking about this. We hope to see other big platforms taking these groups seriously and adding them to their list of threat actors that need to be constantly tracked and mitigated against.
JACK: Keeping tabs on such a big operation takes a lot of committed organizations like the Google Threat Analysis Group that John just mentioned. Yet in the end, a lot of these groups can only go so far because, like Citizen Lab, they’re using open-source methods. They can’t hack BellTroX to get hard information. That’s illegal.
JOHN: I think one of the challenges with a group like this though is that there’s only so much that researchers – whether it’s like NortonLifeLock or Citizen Lab – we can actually do once we get to that – the front door of an enterprise and then maybe the personal postings of people. Part of what was very important in this case was that there was a criminal investigation that got kicked off because those investigations have access to legally-authorized resources that we just don’t.
JACK: See, this brings us back to the whole good versus evil thing. Adam and John at Citizen Lab will only investigate this up to what they’re legally allowed to do. They’re not gonna break the law to figure this out, yet whoever is behind Dark Basin apparently has no problem breaking laws by hacking into their victims’ accounts. I think Dark Basin is evil, but they’re just the weapon here. Whoever is hiring them is the real villain here, right? But when you break down good and evil, things turn gray really fast. Because, suppose Wirecard or Exxon did hire Dark Basin to spy on journalists and activists. The executives in those companies probably saw the journalists and activists as being the evil people trying to wreck the company. The decision-makers were trying to protect the company they worked for because in their eyes, the company is great and worth fighting for, and there’s a lot of shareholders who also believe in the company. I don’t know. I’m trying to find a way that the evil side has an out here, but I’m struggling.
I just don’t see that whoever hired Dark Basin to hack people’s accounts was acting in good faith or had any morals or integrity, because if I saw activists or journalists exposing crimes my company committed and I felt that my company was great and worth fighting for, I think the right thing to do would be to investigate the crimes and to put a stop to them, repair what was done wrong and not silence the news about it or threaten people just so I could keep getting away with breaking the law. At the request of some of the targets they were working with, Citizen Lab got in touch with the US Department of Justice who started a criminal investigation. So far, a guy named Aviram Azari has been indicted and arrested for engaging in a hack-for-hire scheme. A lot of the stuff in the indictment sounds pretty familiar at this point. Aviram is an Israeli private investigator. He’s charged with conspiring with others to hack computers. He allegedly exchanged e-mails with an unnamed co-conspirator who said he had a team of sophisticated developers that could break into e-mail accounts. Aviram was invited to India to meet with the senior management of this organization which to me sounds like it could be BellTroX or Dark Basin.
This June, Citizen Lab released their Dark Basin report, and it was widely covered by the press. Reuters was able to interview Sumit Gupta, but he denied any wrongdoing. He said all he did was help private investigators download e-mails after they gave him login information. He added that he was just providing tech support. Although he’s been a fugitive in the US since 2017, it appears he’s still at large in India. The Citizen Lab report also prompted responses from some of the companies like Exxon and Wirecard. To be clear, the report didn’t accuse them of anything. In a New York Times article, an Exxon spokesperson said the company didn’t know of any involvement with this specific hacking group identified in the Citizen Lab report. Wirecard also told the Financial Times that they didn’t have anything to do with this hacker group in India. But coincidentally, Wirecard tanked not long after this Dark Basin report came out.
JOHN: [MUSIC] What’s interesting is that not long after our report dropped, it became clear that there were very serious problems with financial management at Wirecard.
JACK: [00:55:00] The timing was total coincidence, but in June 2020, things did go sideways at Wirecard. Journalists and short sellers like Matthew Earl had for years accused Wirecard of financial wrongdoing, but the company had strongly defended its position, saying that its critics were colluding to bring them down. In the years after Matthew Earl’s report came out, Wirecard’s stock had actually gone up and Matthew had to unload his short position. But according to The Wall Street Journal, this year, an audit came back saying Wirecard was missing over two billion dollars in money. The fallout was quick. On June 5th, Wirecard headquarters in Germany was raided by prosecutors and police. CEO Markus Braun was arrested and the COO, Jan Marsalek, had vanished. By the end of June, Wirecard had filed for insolvency, unable to cover its debts. John says the collapse of Wirecard and the Citizen Lab report are a welcome atonement for some.
JOHN: It was a very quick and sort of coincidental turn of events that our reporting happened just before that, but it does have the feature of vindicating the targets who for years had been saying look, there’s something wrong with this company.
JACK: That was a big deal for Matthew Earl. He had been harassed with surveillance, legal letters, and phishing e-mails for years. It had been going on for so long, it just became normal for him. He was relieved when the Citizen Lab report came out linking the phishing to BellTroX.
MATTHEW: There was a vindication to it as well and also, it made it easier to tell people about this whole affair, because if you were to tell someone that there’s a German bank that’s had you under surveillance for several years and they’re operating – they’ve got an approach where they’re trying to hack into your e-mail and discredit you, then you’d sound a bit like a conspiracy nut despite the fact that it’s all true. If you’ve got a reputable organization such as Citizen Lab that is able to highlight this and to add credibility to that, then that’s incredibly helpful in able to – in being able to tell people about it and describe your experience, and know that actually yes, it is true, and you haven’t made it all up.
OUTRO: [OUTRO MUSIC] A big thank-you to Matthew Earl, Adam Hulcoop, and John Scott-Railton for sharing this incredible story with us. You can learn more about Citizen Lab at citizenlab.ca. As always, you can visit darknetdiaries.com to see additional links and information, as well as original artwork I make for each episode. Speaking of artwork, I’ve been busy making tons of designs into t-shirts. You gotta check out the shop which has dozens of shirts right now, and I’m sure you’ll find a design you will love. Visit shop.darknetdiaries.com and of course, I ship worldwide. This show is made by me, the karate skid, Jack Rhysider. Sound design and original music created this episode by Garrett Tiedemann who probably dreams in music. This episode was produced by the outdoorsman, Charles Bolstere, and editing help this episode by the dream-weaver, Damienne. Our theme music is by the advanced persistent beat known as Breakmaster Cylinder. Even though I’m in security, it doesn’t mean I’m insecure. This is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]