Europol, the FBI and the US Justice Department have closed the notorious Darkode forum, in what they describe as the largest takedown to date of an English-language cyber-crime forum.
Europol announced the raid along with the FBI, the culmination of the work of investigators from all over the world who targeted cyber-criminals using the Darkode forum to trade and barter their hacking expertise, malware and botnets – and to find partners for their next spam runs or malware attacks.
The operation, run by the FBI, was supported by Europol's European Cybercrime Centre (EC3), with the involvement of law enforcement officers from 20 countries in and outside the European Union.
From the command post in EC3, representatives of the Republic of Srpska (Bosnia and Herzegovina), Cyprus, Denmark, Finland, Germany, Latvia, the former Yugoslav Republic of Macedonia, Romania, Serbia, Sweden, the United Kingdom and the FBI coordinated the technical takedown of the forum, alongside further law enforcement actions, which resulted in 28 arrests, 37 house searches, and numerous seizures of computers and other equipment.
According to the FBI, 12 individuals have been indicted in the US as part of Operation “Shrouded Horizon”, including the alleged administrator of Darkode, Johan Gudmunds, a native of Sweden who faces charges in Pennsylvania, USA.
Federal investigators said that the underground forum was password-protected, and that “a potential candidate for forum membership had to be sponsored by an existing member and sent a formal invitation to join.”
The FBI said: “In response, the candidate had to post an online introduction – basically, a resume – highlighting the individual's past criminal activity, particular cyber-skills, and potential contributions to the forum. The forum's active members decided whether to approve applications.” It's estimated the site had 300 members.
The Department of Justice has accused Daniel Placek, from the US state of Wisconsin, of being the creator of the site and of selling malware on it.
Europol's director Rob Wainwright said: “Today's global action caused significant disruption to the underground economy, and is a stark reminder that private forums are no sanctuary for criminals and are not beyond the reach of law enforcement. We will continue to work with our law enforcement partners to make cyber-space as crime-free as possible for the world's citizens.”
Members of the cyber-security community were more sceptical. Troy Gill, manager of security research at AppRiver, predicted it would have limited impact on cyber-crime. “I believe a takedown like this will be enough to scare away some fringe criminals but for the most part cyber-crime will continue as if nothing happened,” he told SCMagazineUK.com.
“While these ‘wins’ for the good guys are always a cause for celebration, it must be considered that the cyber-criminals will ultimately move over to some other forum to market their wares. For example, look how difficult it has been to take down Silkroad with new iterations popping up. I don't think Darkode will come back necessarily but other forums will likely pick up the slack,” he said.
Fraser Kyne, principal systems engineer at Bromium, said, “While this kind of closedown is great news and will bring some immediate relief, we have to recognise the market forces at play. There is demand for malware and the market will adapt to find ways of supplying that demand.
“It is encouraging to see the necessary level of international cooperation in this effort, though. It's important that law enforcement initiatives like this happen in parallel with genuine innovations in the IT security market.”
Gavin Reid, VP of threat intelligence at Lancope, said it won't make a big difference in day-to-day operations for these sites. “However, up to now the criminals have operated with impunity. This bust sends a huge symbolic message that this era of breaking the law with no consequence is coming to an end,” he said.
Reid added: “Where it will have a marked impact is that criminal users of sites like these will now feel that participation could lead to incarceration. The most likely direct impact will be a tightening of OPSEC for the other sites.”