Darkode: Extended Background Story

Posted by: Canahontra

July 20, 2015

Quite recently, we broke the story on this site of the infamous Darkode forum, a place rife with discussion of fraudulently stolen credit card data (even though members had, in the past, been warned to avoid speaking of it), of those wishing to sell-sword their spammy flooding services and Distributed Denial of Service (DDoS) attacks delivered through all manner of methods, e.g. SYN floods and DNS amplification, and of authors or their designated cohorts vending malware products to the underground community. First, to comprehend the rest, one has to know how this forum came into existence. That is what will be explained in the following.

Darkode started, as noted by MalwareTech, as a support forum for what was known as the Butterfly or Mariposa (Spanish for ‘Butterfly’) botnet, also known as Palevo (a derivative fork of the ZeuS or Zbot family of crimeware). Its main functions revolved around spam, DDoS and harvesting details; the spam it produced was widely prevalent, and its DDoS module/component, the Butterfly Flooder, was leaked to the web. Its author, known online as Iserdo (Matjaz Skorjanc), who lived in Slovenia, ran the support forum throughout 2009 until 2010, when he sold the site to a man using the online moniker Mafi or Crim, the author of several versions/variants (ver. 1, 2, 3) of the Crimepack exploit kit (EK). Mafi primarily used ICQ and, along with his associate administrators/moderators, recruited people from a forum well known as the paradise of many inept but ambitious cybercrooks and others of that ilk, whose products were simply re-sold in this next destination. This was a startlingly successful forum, in fact, and it expanded upon the Palevo/Mariposa (Butterfly) user base, eventually garnering sellers of stolen data, and of the wares to steal it, from across the globe (even though it was an English-speaking forum). It attracted the likes of Gribodemon (Aleksander Panin, author of SpyEye, another ZeuS family branch whose logo was modelled on synthetic marijuana; he was arrested at the beginning of 2014 while travelling from his native Russo-Crimean homeland to the Dominican Republic to meet a friend), whose partners went on to attempt to sell his work on this account and others, and a particularly unique individual going by the cyber-pseudonym Bx1. Bx1 was an Algerian man who loved to brag about his crimes, which in fact eventually led to his arrest by the FBI.
Bx1 (Hamza Bendelladj) claimed to have helped develop SpyEye’s plugin systems, but was what is known in today’s information security world as a script kiddie. He was also responsible for the arrest of another of the forum’s frequent miscreants, Symlink, by the Moldovan authorities in the Eastern European (Eurasian) region of that continent.

In 2013, a white-hat security researcher, founder of and reverse engineer for the former warez release group RED, was able to infiltrate the forum and post plenty of its insides as screenshots to the rest of the world, leaving the more sensitive data to Law Enforcement only. This was risky, not only because of the nature of Darkode (more casually, even colloquially, referred to as DK) as a black-hat-centric hub, but also because each user’s screenshot of any page from the forum carried a hidden watermark. These weren’t taken out, so the Darkode administration had a beloved bit of fun weeding out white-hats and gray-hats alike.

One thing came to another, and a co-administrator to Mafi/Crim as well as to Fubar, named Sp3cial1st, or more casually Sp3c (whose XMPP username was “na,” on a notoriously underground-friendly server), eventually took Mafi’s place when Mafi announced his retirement. This was the beginning of the end: more and more Law Enforcement officers and agents infiltrated the site, which led to several data leaks and breaches that were then posted to Pastebin and elsewhere. These made Sp3cial1st very paranoid; banning became very prevalent, even against the truest members of the cause, which drove away all of its long-time oldies and opened the doors to a whole new universe of script kiddies.

The process for getting into the forum was not the simplest, consisting of several tiers before full access was granted, but it was not very effective either. Every member was given a handful of invitation codes (you could also be invited by Sp3cial1st if you would sell a coding project deemed worthy of their semi-exclusive community standards), after which you would be vetted in an intro process. During the intro process, the already-established members would either vouch for you or disapprove; this decided whether or not you would be admitted and, should you have been denied, whether the inviting party would be warned or banned.

This was all “fun and games,” that is, until Sp3cial1st became embedded in the script-kiddie brigade of “hacker” groups, the Lizard Squad. This was the nail in the coffin, because the Lizard Squad has, since its DDoS attacks on Microsoft/Xbox and Sony and so on, sustained arrest after arrest. Their famous stress tester, built upon a shambles of hijacked home routers infected with a simplistic, even archaic IRC bot (its source code was put on GitHub by a Unix sysadmin and spare-time pentester, linked from his Twitter profile at the beginning of this year), was bound to fall, especially since the mediocre payment system engineered to support patronage of it was not fully encrypted, and neither were the credentials of all their users. This was leaked as well, in the form of an SQL export file.

Alongside all of these antics came an earlier stint of the Darkode administrators cooperating with a bulletproof hosting provider named Offshore (who sells on a Russian board called Exploit) to disrupt Spamhaus’s and Cloudflare’s operations, in a coalition of several otherwise-competing bulletproof service providers. The coalition clearly used as a scapegoat a European bulletproof hosting company housed in an old, previously abandoned World War II bunker and named Cyberbunker (a previous home to Wikileaks as well as ThePirateBay, before they moved on to Cambodia; it was raided in the autumn of 2014 and re-launched, as a promised return, in February 2015, initially hosted in Moldova behind Cloudflare and later elsewhere). This operation was the antithesis of Spamhaus and was named accordingly: StopHaus. It ended with another arrest, following a particularly nasty chain of heavy DDoS attacks through a method called DNS amplification, in which DNS queries are sent with a spoofed source address so that the responses are directed at the target, subjecting it to a traffic volume beyond what a simple SYN or TCP attack could inflict.
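As an added example that is not part of the original post, the following Python sketch shows how a defender on the receiving end might spot the DNS amplification traffic described above: answers arriving from port 53 to questions the local hosts never asked. The flow records, host addresses and thresholds are constructed for illustration.

```python
"""Spot DNS amplification at the victim's edge: DNS replies with no matching query.

Added example, not from the original post. All flow records are constructed.
"""
from collections import defaultdict

# Constructed flow records as a border sensor might log them:
# (direction, local_host, remote_dns_server, dns_txid, udp_payload_bytes).
# "out" is a query the local host sent; "in" is a reply arriving from UDP/53.
FLOWS = [
    ("out", "198.51.100.7", "192.0.2.53", 0x1A2B, 60),      # legitimate query
    ("in",  "198.51.100.7", "192.0.2.53", 0x1A2B, 140),     # its genuine answer
    ("in",  "198.51.100.7", "203.0.113.9", 0x0001, 3100),   # reply never asked for
    ("in",  "198.51.100.7", "203.0.113.9", 0x0001, 3100),
    ("in",  "198.51.100.7", "203.0.113.10", 0x0001, 2900),
    ("in",  "198.51.100.7", "203.0.113.11", 0x0001, 3000),
    ("out", "198.51.100.8", "192.0.2.53", 0x7777, 55),
    ("in",  "198.51.100.8", "192.0.2.53", 0x7777, 90),
]


def find_amplification_victims(flows, min_unsolicited=3):
    """Return {host: stats} for hosts receiving at least min_unsolicited replies
    whose (server, txid) pair never appeared in an outbound query.

    In a spoofed-source amplification attack the attacker's queries carry the
    victim's address, so the victim sees large answers, from many different
    servers, to questions it never asked. That mismatch is the detection signal.
    """
    asked = set()
    count = defaultdict(int)
    total_bytes = defaultdict(int)
    servers = defaultdict(set)
    for direction, host, server, txid, size in flows:
        key = (host, server, txid)
        if direction == "out":
            asked.add(key)
        elif key not in asked:          # inbound reply with no matching query
            count[host] += 1
            total_bytes[host] += size
            servers[host].add(server)
    return {
        host: {"responses": n, "bytes": total_bytes[host],
               "servers": len(servers[host]),
               "avg_reply_bytes": total_bytes[host] // n}
        for host, n in count.items() if n >= min_unsolicited
    }


if __name__ == "__main__":
    for host, stats in find_amplification_victims(FLOWS).items():
        print(host, stats)
```

On the constructed records only 198.51.100.7 is flagged: four unsolicited replies totalling 12100 bytes from three different servers, while 198.51.100.8's single reply matched its own query.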

If you have checked out the list of those arrested during the raid that took down Darkode just a few days ago, you might notice that Sp3cial1st is, much like the friends from Hackforums, Sky and Pernicious, quite conspicuously M.I.A. in that report. This is, by educated speculation, likely because he was working with Law Enforcement in the final moments of this inevitably doomed forum’s demise. To speculate further, one has to wonder whether, had he been arrested, and considering that he was buddies with the now well-known Lizard Squad, that was how he might have ended up in negotiations with the federal authorities; the fact that he is missing from the report is a signal of that by itself.

Updated: 2015-07-20