Paid hackers targeted thousands of people and hundreds of institutions worldwide, report says


A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies, according to the internet watchdog Citizen Lab.

Researchers discovered almost 28,000 web pages created by hackers for personalized “spear phishing” attacks designed to steal passwords, according to a report published Tuesday by Citizen Lab, part of the University of Toronto’s Munk School.

“We see them again and again in areas where business and politics is contentious,” said John Scott-Railton, the lead author of the report, who said the hackers were “brazen — they seem to think they are untouchable”.

The report said a large cluster of targeted individuals and organizations were involved in environmental issues and had campaigned against ExxonMobil, the U.S. oil producer. They included the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Conservation Law Foundation and the Union of Concerned Scientists. Exxon declined to comment before “reviewing the full report.”


“The growth of a hacking-for-hire industry may be fueled by the increasing normalization of other forms of commercialized cyber-offensive activity, from digital surveillance to ‘hacking back,’ whether marketed to private individuals, governments or the private sector,” the report said.

It added that relevant material had been shared with the U.S. Department of Justice. The cyber-security group NortonLifeLock also carried out a parallel investigation into the hacking.

Citizen Lab said: “Dark Basin’s targeting was widespread and implicated multiple industries.” It added that a prominent example was the targeting of “hedge funds, short sellers, journalists and investigators working on topics related to accounting irregularities at German payment processor Wirecard.”

Wirecard is one of Germany’s most prominent technology companies, which has faced critical scrutiny of its accounting for years. Its management board is under investigation on suspicion of market manipulation in relation to a recent special audit that failed to resolve questions of accounting fraud. The company and its executives have denied any wrongdoing.

Citizen Lab said that in the case of Wirecard critics, “some individuals were targeted almost daily for months, and continued to receive messages for years.” The report also said private emails from some of those targeted were made public through online posts.


The report said the hackers-for-hire group that conducted the attacks was linked “with high confidence to an Indian company, BellTroX InfoTech,” a technology consultancy which advertised services such as “cyber intelligence” with the slogan “you desire, we do!”

The group’s website was taken down in recent days, and its phone number is disconnected. BellTroX did not respond to a request for comment by email.

The Citizen Lab report said previous hacking cases indicated that such hacking was arranged “through a murky set of contractual, payment, and information-sharing layers that may include law firms and private investigators, and which allow clients a degree of deniability and distance.”

The Citizen Lab investigation was launched after it was contacted in 2017 by a Reuters journalist who had investigated Wirecard and was targeted by a phishing campaign, according to people familiar with the situation. A number of Financial Times journalists were also targeted with emails purporting to be from friends and colleagues, in some cases using photographs lifted from social media accounts.

The Financial Times has previously reported that a former Libyan intelligence chief last year funded a surveillance operation in London targeting a string of investors thought to be critical of Wirecard. The payments group has previously said it commissioned an external forensics consultancy in 2016 to identify the background of short-sellers who had published a critical dossier about Wirecard, but has denied commissioning any surveillance to investigate or shadow individuals.


“Wirecard AG has at no time been in direct or indirect contact with a hacker group from India,” the payments group told the Financial Times on Tuesday.

Phishing attacks by Dark Basin took the form of emails made to look like those from popular services such as YouTube, Dropbox and LinkedIn. They contained shortened web addresses (URLs) that hid the real destination and took targets to pages designed to look like login forms.
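As an added example (not from the report or this article) of the kind of mail-filter check a defender would write against the lure pattern described above: it flags messages that pose as a named service but link through a URL shortener or to a host outside that service's own domains. The shortener list, brand domains and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical lookup tables (assumptions, not from the report): common URL
# shorteners, and the domains each impersonated service legitimately uses.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
BRAND_DOMAINS = {
    "youtube": {"youtube.com", "google.com"},
    "dropbox": {"dropbox.com"},
    "linkedin": {"linkedin.com"},
}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def registrable_host(url):
    """Reduce a URL to its last two host labels (good enough for this demo)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def claimed_brand(display_name, from_addr):
    """Which service does the sender claim to be, judging by name or address?"""
    text = f"{display_name} {from_addr}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)

def analyze_message(raw):
    """Return findings: shortened links (destination hidden) and links that
    leave the domain of the service the message claims to come from."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    brand = claimed_brand(name, addr)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    for url in URL_RE.findall(body):
        host = registrable_host(url)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {url} hides its destination")
        elif brand and host not in BRAND_DOMAINS[brand]:
            findings.append(f"link {url} does not belong to {brand}")
    return findings

# Constructed sample messages for the demo (not real Dark Basin lures).
PHISH = "From: Dropbox <share-notify@example.net>\n\nView it here: http://bit.ly/3xAmpLe\n"
LOOKALIKE = "From: LinkedIn <messages@example.net>\n\nSign in: https://linkedin-login.example.com/signin\n"
LEGIT = "From: Dropbox <no-reply@dropbox.com>\n\nOpen your folder: https://www.dropbox.com/home\n"
```

A real filter would also expand the shortened link server-side (a HEAD request without following redirects) and apply the same domain check to the Location it returns.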

Citizen Lab said the “sophistication of the bait content, specificity to the target, message volume and persistence across time varied widely.”

The report said “we were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.”

In 2015, the Department of Justice indicted several private investigators and an Indian national in relation to another hack-for-hire scheme. Four of those individuals subsequently pleaded guilty to hacking charges in an agreement with prosecutors, with one receiving a custodial sentence. The Indian national, who prosecutors said was believed to be in the New Delhi area and remained at large, is a director of BellTroX.


“The actions described in that indictment, including the extensive relationships with private investigators, are similar to those we ascribe to BellTroX,” the report said.

According to an archive of its website, BellTroX also provided medical transcription services to healthcare providers in the U.S., U.K., Australia and Canada.

Additional reporting by Derek Brower in London

© The Financial Times Ltd. 2020. All rights reserved. FT and Financial Times are trademarks of the Financial Times Ltd. Not to be redistributed, copied or modified in any way.