Darkode dismantled; hacker forum had been linked to millions of data thefts

A global hacker forum that authorities said served as a bazaar where Internet thieves could buy, sell and trade stolen data from millions of people worldwide was dismantled Wednesday by investigators from the U.S. Justice Department and 19 other countries, officials said.

Darkode, a password-protected forum where users could buy and sell stolen credit card information and the malware used to infiltrate personal computers, was considered "one of the gravest threats to the integrity of data on computers in the United States and around the world," federal investigators said.

"Hackers and those who profit from stolen information use underground Internet forums to evade law enforcement and target innocent people around the world," Asst. U.S. Atty. Gen. Leslie Caldwell said in a statement. "This operation is a great example of what international law enforcement can accomplish when we work closely together to neutralize a global cybercrime marketplace."

At least 70 members of Darkode were either charged, arrested or had their homes searched on Wednesday, the Justice Department said. Among those arrested was Johan Anders Gudmunds, the Sweden-based administrator of Darkode.

Gudmunds, 27, who went by the online handle "Synthet!c," used his network to steal data from computer users on about 200 million separate occasions, investigators said. He did so by creating a “botnet,” a network of nearly 60,000 computers infected with his malware, and sold access to the computers on Darkode, according to a criminal complaint. The program allegedly gave Gudmunds and other Darkode members access to bank account numbers and other personal information stored on the infected devices.

Another Darkode member, Eric Crocker, 39, of Binghamton, N.Y., created a program called the “Facebook spreader” that allowed him to gain control of accounts on the popular social media site, according to the complaint. Infected accounts would send the user’s Facebook friends messages containing a link. The computers of other users who clicked on the link would then be infected with malware, the complaint said.

Crocker was paid between $200 and $300 for every 10,000 accounts or devices he infected, according to the complaint.

The takedown comes in the wake of a series of high-profile data breaches that have left Americans unsure if any of their digitized information is safe. Earlier this month, the federal Office of Personnel Management was the victim of two separate hacks, leading to the theft of more than 21 million Social Security numbers and other data. 

Cyberattacks in the last six months have also resulted in the theft of tax filings from the Internal Revenue Service and the release of a trove of embarrassing emails from Sony executives.

According to federal investigators, Darkode was a closed community that only accepted new members on the recommendation of someone who was already inside the forum. New members had to prove their skills and demonstrate their usefulness to the group, generally by providing new and effective spyware, before gaining membership.

In its statement, the Justice Department said Darkode was one of nearly 800 active Internet bazaars, murky marketplaces where hackers can buy and sell stolen information and the tools they would need to steal more. Darkode was created in 2007, according to a criminal complaint in the case.

Forums such as Darkode have their roots in what were known as "Carder forums," bulletin boards where data thieves would buy and sell personal information during the dial-up Internet era in the early 2000s, according to Clifford Neuman, director of USC's Center for Computer Systems Security.

------------

For the Record

1:37 p.m.: An earlier version of this post mistakenly referred to “Carder forums” as “Carter forums.”

------------

Darkode, however, is part of an evolution that has amplified hackers' reach to a global scale. While members of "Carder forums" might have been buying and selling credit card information stolen off a physical card, Neuman said, Darkode allows data thieves to marry skill sets and reach a wider array of machines than ever before.

Members of Darkode could sell access to computers through "botnets," networks of computers that have been compromised by malware, he said.

About 20% of the people reading this article, Neuman said, "probably have at least one machine that they use on a regular basis that is part of a botnet."

Neuman said Darkode members likely sell their services to one another. A forum member who is proficient at finding new vulnerabilities in websites or computers might go to Darkode and find a co-conspirator who specializes in actually executing the cyberattack.

“There’s a specialization that has occurred and they do the same thing for this underground economy that cloud computing and the Internet and e-commerce do for above-ground economies,” Neuman said.

Times Staff Writer Paresh Dave contributed to this report.


Copyright © 2016, Los Angeles Times

UPDATE

1:54 p.m.: This post was updated with more specific acts carried out by Darkode, according to authorities.

This post was originally published at 12:48 p.m.
