Operation Shrouded Horizon: Darkode and its Ties to Bulletproof Hosting Services

One of the challenges in fighting cybercrime is that it is borderless: cybercriminals can run their operations from countries that do not strictly enforce cybercrime laws. However difficult and perilous the task of arresting attackers and taking down cybercriminal operations may be, it can be achieved through collaboration between security researchers and law enforcement (LE) agencies across the globe.

Darkode, an underground forum where stolen data, malicious tools of the trade, and other criminal goods and services were bought and sold, was taken down on July 15, 2015, following the indictment of 12 people, including the forum's administrator. Dubbed Operation Shrouded Horizon, the investigation and arrests were led by the Federal Bureau of Investigation (FBI) and the Department of Justice in collaboration with law enforcement agencies in 20 countries.

Ties to bulletproof hosting service providers

Our researchers have been monitoring bulletproof hosting service providers (BPHS), which play a crucial role in the proliferation of cybercriminal activities. A BPHS serves as a 'hideout' for storing tools, stolen goods, and malicious or illegal content such as pornography, phishing pages, and command-and-control (C&C) infrastructure. In essence, a BPHS is a hosting facility for hardware, software, and applications whose customers expect their content to stay online regardless of abuse complaints.

Figure 1. Business models for BPHS

Darkode reportedly used bulletproof hosting services to stay under the radar and avoid detection by security researchers. Based on our investigation, the website darkode[.]com, which was online as early as 2004, was hosted by a number of providers over the years. Note that some of these may be legitimate providers whose infrastructure was abused to host the forum rather than BPHS proper.

Figure 2. IPs used to host darkode[.]com

However, the following IP addresses are confirmed BPHS infrastructure used by Darkode:

  • 94[.]102[.]48[.]107
  • 93[.]174[.]93[.]246
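One way to put the two indicators above to use in detection, as an added example that is not part of the original post: refang the defanged IPs, build an exact-match blocklist, and scan proxy or firewall logs for connections to them. The log lines below are constructed for the example; the function and variable names are ours, not the post's.

```python
import ipaddress
import re

# Indicators from the post, kept in the defanged form the post uses
# ([.] instead of .) so they cannot be clicked or resolved by accident.
DARKODE_BPHS_IOCS = [
    "94[.]102[.]48[.]107",
    "93[.]174[.]93[.]246",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 94[.]102[.]48[.]107 into 94.102.48.107.
    Also handles the (.) and hxxp:// conventions used in other reports."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s

def defang(indicator: str) -> str:
    """Defang a plain IP or domain for safe display in alerts and reports."""
    return indicator.replace(".", "[.]")

def build_blocklist(iocs):
    """Parse the defanged IOCs into a set of ipaddress objects for exact matching."""
    return {ipaddress.ip_address(refang(ioc)) for ioc in iocs}

# Loose IPv4 pattern; ipaddress.ip_address() below rejects anything malformed.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def match_log_lines(lines, blocklist):
    """Return (line_no, ip) for every log line that mentions a blocklisted IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched by the loose regex
            if ip in blocklist:
                hits.append((n, str(ip)))
    return hits

# Constructed sample firewall log lines (not from the post). Line 4 is a
# neighbouring address in the same /24 and must NOT match: the post warns
# that some providers may merely have been abused, so we alert on exact IPs.
SAMPLE_LOG = [
    "2015-07-14T10:01:12Z ALLOW tcp 10.0.0.5:51532 -> 93.174.93.246:80",
    "2015-07-14T10:01:15Z ALLOW tcp 10.0.0.5:51533 -> 198.51.100.7:443",
    "2015-07-14T10:02:01Z ALLOW tcp 10.0.0.9:44010 -> 94.102.48.107:443",
    "2015-07-14T10:02:30Z DENY  tcp 10.0.0.9:44011 -> 94.102.48.1:443",
]

if __name__ == "__main__":
    blocklist = build_blocklist(DARKODE_BPHS_IOCS)
    for n, ip in match_log_lines(SAMPLE_LOG, blocklist):
        print(f"line {n}: connection to {defang(ip)}")
```

The matching is deliberately exact rather than by provider or netblock: as the post notes for Figure 2, some of the hosting providers seen over the years may be legitimate providers that were abused, and bulletproof hosters relocate, so blocking whole ranges produces false positives and indicators of this kind age quickly.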

The importance of collaboration

In our research paper on bulletproof hosting services, we highlighted the security challenges that prevent security vendors and LE from carrying out takedowns and arrests. One of these is how BPHS leverage countries with minimal cybercrime laws to continue, or relocate, their operations. Because of the complex nature of BPHS, and because those following the third business model (abusing legitimate cloud hosting services) try to pass some of their activities off as legitimate, they can be arduous to shut down.

Figure 3. Role that law enforcement agencies and security vendors play in BPHS takedowns

However, as the Darkode takedown shows, such a task is possible, especially when law enforcement agencies in different countries work together with the security researchers who provide intelligence and findings.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 20 July 2015.