Operation Shrouded Horizon: Darkode and its Ties to Bulletproof Hosting Services
One of the challenges in fighting cybercrime is that it is borderless: cybercriminals can run their operations from countries that do not strictly enforce cybercrime laws. However difficult and perilous the task of arresting attackers and taking down cybercriminal operations is, it can be achieved through collaboration between security researchers and law enforcement (LE) agencies across the globe.
Darkode, an underground forum where stolen data and malicious tools of the trade, among other things, were bought and sold, was taken down on July 15, 2015, following the indictment of 12 people, including the forum's administrator. Dubbed Operation Shrouded Horizon, the investigation and arrests were led by the Federal Bureau of Investigation (FBI) and the Department of Justice in collaboration with law enforcement agencies in 20 countries.
Ties to bulletproof hosting service providers
Our researchers have been monitoring bulletproof hosting service providers (BPHS), which play a crucial role in the proliferation of cybercriminal activity. A BPHS serves as a 'hideout' for tools, stolen goods, and malicious content such as pornography, phishing pages, and command-and-control (C&C) infrastructure, among other things. In essence, BPHS function as hosting facilities for hardware, software, and applications.
Darkode reportedly used bulletproof hosting services to stay under the radar and avoid detection by security researchers. Based on our investigation, the website darkode[.]com, which was available as early as 2004, was hosted by the providers listed below. Note that some of these providers may simply have been abused, that is, legitimate hosts whose services were misused, rather than knowingly hosting the forum.
Figure 2. IPs used to host darkode[.]com
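As an added example (not code from the original post), the following Python shows the kind of enrichment a researcher would apply to a hosting history like the one in Figure 2: each IP the domain resolved to is mapped to a provider range and checked against ranges the team has tagged as bulletproof, giving a timeline and a count of how long the site sat on flagged hosts. The IPs (RFC 5737 documentation ranges), dates, domain, provider names and BPHS tags are all constructed for illustration and are not Darkode's actual hosts or providers.

```python
"""
Added example (not from the original post): map a domain's hosting history
to providers and flag the IPs that fall inside ranges tagged as bulletproof
hosting. All IPs, dates, provider names and BPHS tags are constructed.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Constructed provider table: (network, provider name, tagged as BPHS?).
# A real workflow would fill this from WHOIS/ASN data plus the team's own intel.
PROVIDER_RANGES = [
    (ipaddress.ip_network("192.0.2.0/24"), "ExampleHost A", False),
    (ipaddress.ip_network("198.51.100.0/24"), "ExampleHost B", True),
    (ipaddress.ip_network("203.0.113.0/25"), "ExampleCloud C", False),
]


@dataclass
class DnsRecord:
    """One passive-DNS style observation: domain -> ip over [first_seen, last_seen]."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed hosting history for a placeholder domain (not darkode[.]com's real IPs).
HISTORY = [
    DnsRecord("forum.example", "192.0.2.10", date(2010, 1, 1), date(2011, 6, 30)),
    DnsRecord("forum.example", "198.51.100.7", date(2011, 7, 1), date(2013, 3, 31)),
    DnsRecord("forum.example", "198.51.100.9", date(2013, 4, 1), date(2014, 12, 31)),
    DnsRecord("forum.example", "203.0.113.40", date(2015, 1, 1), date(2015, 7, 15)),
    DnsRecord("forum.example", "10.9.8.7", date(2015, 7, 16), date(2015, 7, 16)),  # no range match
]


def lookup_provider(ip):
    """Return (provider, is_bphs) for the most specific matching range, or (None, False)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name, bphs in PROVIDER_RANGES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, bphs)
    if best is None:
        return (None, False)
    return (best[1], best[2])


def hosting_timeline(records):
    """Chronological list of dicts: ip, provider, bphs flag, dates and days on that host."""
    out = []
    for r in sorted(records, key=lambda rec: rec.first_seen):
        provider, bphs = lookup_provider(r.ip)
        days = (r.last_seen - r.first_seen).days + 1  # inclusive of both ends
        out.append({"ip": r.ip, "provider": provider or "unknown", "bphs": bphs,
                    "first_seen": r.first_seen, "last_seen": r.last_seen, "days": days})
    return out


def bphs_summary(records):
    """Total hosted days, days on flagged BPHS ranges, and the flagged providers."""
    timeline = hosting_timeline(records)
    total = sum(e["days"] for e in timeline)
    flagged = sum(e["days"] for e in timeline if e["bphs"])
    providers = sorted({e["provider"] for e in timeline if e["bphs"]})
    return {"total_days": total, "bphs_days": flagged, "bphs_providers": providers}


if __name__ == "__main__":
    for e in hosting_timeline(HISTORY):
        tag = "BPHS" if e["bphs"] else "----"
        print(f"{e['first_seen']} .. {e['last_seen']}  {e['ip']:>14}  {e['provider']:<14} {tag} ({e['days']} days)")
    print(bphs_summary(HISTORY))
```

The longest-prefix match in `lookup_provider` matters in practice: a cloud provider's large allocation may contain a smaller reseller block that is the actual bulletproof host, so tagging should be done at the most specific range known, not the parent allocation.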
However, the following hosting providers are confirmed BPHS that Darkode used:
The importance of collaboration
In our research paper on bulletproof hosting services, we highlighted the security challenges that keep security vendors and LE from carrying out takedowns and arrests. One is how BPHS leverage countries with minimal cybercrime laws to continue or relocate their operations. Because of the complex nature of BPHS and their attempts to legitimize some of their activities, particularly those following the third business model (abuse of cloud hosting services), they can be arduous to shut down.
However, as the Darkode takedown shows, such a task is possible, especially when law enforcement agencies in different countries work together with the security researchers who provide the intelligence and findings.