7.8.17 Dark Web and Cybercrime Roundup

MalwareTech Arrested for Creating the Kronos Banking Trojan

One of the more controversial topics of the week involved Marcus Hutchins, the malware researcher who accidentally slowed the WannaCry ransomware outbreak by finding and purchasing a domain that served as a “kill switch.” The discovery slowed the outbreak enough that some countries were able to apply critical OS patches, resulting in the researcher’s “accidental hero” status. However, the most recent news painted the the 23-year-old in a new light.

Instead of another act of malware heroism, a grand jury indictment accused Hutchins of creating the Kronos Banking Trojan. The indictment also charged Hutchins and an unknown co-defendant of distributing the banking trojan on internet forums and marketplaces. One, in particular, was the now-defunct Alphabay Market.

Less than a few hours away from his flight home, Hutchins went dark. His friends reported his disappearance on Twitter and elsewhere. Motherboard contributor Joseph Cox then found some information: the indictment. Infosec Twitter flew into a whitehat v. blackhat debate. Some believed the Department of Justice incorrectly indicted Hutchins. Others (jokingly?) tweeted that the day was the best day of their lives. Information trickled down after a local reporter covered the story and spoke with his attorney. Hutchins pleaded not guilty was granted a $30,000 bail. DeepDotWeb

Meet one of the Rippers who Distributed Kronos

A handful of people posted about forum.exploit.in, a forum where malware trades once thrived. The website is not new. Nor is the knowledge of the forum’s existence—for most people. However, one pseudo well-known ripper by the name of VinnyK paraded around the forum, scamming and/or peddling his wares. Very people said anything positive about the Kronos trojan. Those who reviewed it pointed out that the trojan lacked XYZ feature. One forum user, maybe two, said anything that worked in Vinny’s favor. He routinely scammed users.

The site’s admins eventually banned him as he nor Kronos carried a reputable name. Incidentally, although blurred out in the previous article, VinnyK appears to have been the seller of Kronos on Alphabay. Confusingly, the list price is somewhat higher than in the indictment. Furthermore, the listing showed no sales whatsoever. Granted, VinnyK—although he could be an unrelated entity—did sell numerous copies on the forum.

He often claimed to work with another party. When someone would pay Vinny, Vinny allegedly turned around and sent it to this outside entity. In one conversation, Vinny claimed that he had built the trojan, but contradicted himself elsewhere. At best, he was no more than a ripper/seller. Several members of similar forums claimed to sell the trojan. Leaked copies exist and some wrote of rebuilding the front end and doing something else for the backend.

However, from the information available, Vinny was the only vendor who had listed Kronos on Alphabay. Exploit.in

DHL Goes Down After Hacker Exposes Clearnet IP Address

In a self-proclaimed effort to make the marketplaces safer, a Reddit user known as “t0mcheck” (t0m) posted vulnerability disclosures pertaining to Sourcery Market and the Darknet Heroes League (DHL). The hacker, self-described as being a “2-3 out of 10” on a “master hacker” skill chart, immediately caused a state of panic in the already dwindling community. Sourcery Market, one of the newer markets in the scene, and DHL, a marketplace veteran, responded in completely opposite fashions. From here, only a handful of outcomes seemed viable. One came from t0m’s disclosure: “this market shouldn’t exist,” the hacker wrote.

In DHL’s case, t0m “reported [the full disclosure] to support.” Yet, despite the apparent willingness to work with DHL administration on fixing the flaws, a DHL moderator responded by telling t0m the vulnerabilities had existed for two years and were of no importance to the administration. Back and forth between the two ran for hours—possibly days—until t0m seemingly grew weary of the discourse.

He posted again, Part 2: “All private messages leaked.” And again with a third piece: “Operation Return To Sender.” T0m all but doxed an admin of the marketplace. And not at random. DHL has been down for roughly 100 hours at the time of this past. Reddit users raised the exit scam alarm. With admin identities easy to trace, if law enforcement could make arrests with little effort. As one user explained, “[DHL administration] won’t get too far, the man is wanted by both parties, LE and the darknet community.”

Sourcery, despite commenting on the past about their vulnerabilities, went through the ordeal without drawing attention. They stayed online, answered questions, and released a statement. A fairly boilerplate one, but a statement nonetheless.

Relevant links:

• DHL Security Advisory – URL Redirect CAPTCHA Bypass – found by a non “resident hacker.”
• DHL Market Security Vulnerabilities Part 2 – Read and Overwrite all Private Messages – t0m’s second disclosure
• DHL will give an official truthful response to allegations and account for everything in a few hours. – one user commented, prior to the exit, “It would be funny if the just exit scammed, aha.”

And the full DeepDotWeb story.

Georgia FBI Allegedly Identified an Alphabay Staff Member

The FBI believed and publicly announced that the capture of Icyeagle contributed to the Alphabay takedown. The FBI Atlanta Twitter account tweeted “Details of @FBIAtlanta and @NGDAnews role in the takedown of the largest online “Dark Market” Alphabay.” (NGDAnews is the official account of the US Attorney’s Office of the Northern District of Georgia). Granted, they claimed more than the 2016 arrest of the stolen credit card vendor. According to the GA FBI, they aided in the discovery that an Alphabay staffer was “living in the United States.”

Our full article touches the background, including the Alphabay staff that live outside the grasp of the United States. Although I had researched the Alphabay staff during the marketplace’s reign, as had many community members, the post seemingly caused readers to believe a specific staffer was next in line. The candidates are not difficult to sort through, but aside from an Alphabay staff member that remains active oversees and a dead Administrator, any member could, in theory, live in the United States now.

One user commented that the federal government could have mentioned DeSnake in the Cazes indictment with ulterior motives. Some have speculated that Cazes was Alpha02 and DeSnake. The feds are aware of the subreddits and forums; they know how to plant fear into the minds of darknet market users. Maybe the “identified staffer” never even existed. Maybe the staffer exists.

That aside, for those unfamiliar, Icyeagle sold fraud-related items on Alphabay. Some drugs too, and according to the attorney, weapons. “Glende allegedly sold stolen bank account information on a website designed to traffic criminal goods and services, including weapons, stolen credit cards, and illegal narcotics,” U. S. Attorney John Horn said. “Cyber criminals increasingly trade financial information for cash, citizens must be vigilant with their account information.” Icyeagle was convicted of “bank fraud, access device fraud, and aggravated identity theft.”

Europol, the FBI in Langley, the Dutch National Police, and the DEA, among others, need to thank the FBI in Georgia for their work. And the NGDA of the USAO deserve similar appreciation for prosecuting the 35-year-old fraudster. Maybe IcyEagle, a vendor of $40 SunTrust bank accounts, also moderated Alphabay. He would not be the first darknet market staff to also distribute on a now-defunct marketplace as well. DeepDotWeb