KrebsOnSecurity recently reviewed a copy of the private chat messages between members of the LAPSUS$ cybercrime group in the week leading up to the arrest of its most active members last month. The logs show LAPSUS$ breached T-Mobile multiple times in March, stealing source code for a range of company projects. T-Mobile says no customer or government information was stolen in the intrusion.

LAPSUS$ is known for stealing data and then demanding a ransom not to publish or sell it. But the leaked chats indicate this mercenary activity was of little interest to the tyrannical teenage leader of LAPSUS$, whose obsession with stealing and leaking proprietary computer source code from the world’s largest tech companies ultimately led to the group’s undoing.

From its inception in December 2021 until its implosion late last month, LAPSUS$ operated openly on its Telegram chat channel, which quickly grew to more than 40,000 followers after the group started using it to leak huge volumes of sensitive data stolen from victim corporations.

But LAPSUS$ also used private Telegram channels that were restricted to the core seven members of the group. KrebsOnSecurity recently received a week’s worth of these private conversations between LAPSUS$ members as they plotted their final attacks late last month.

The candid conversations show LAPSUS$ frequently obtained the initial access to targeted organizations by purchasing it from sites like Russian Market, which sell access to remotely compromised systems, as well as any credentials stored on those systems.

The logs indicate LAPSUS$ had exactly zero problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to hack. The bigger challenge for LAPSUS$ was the subject mentioned by “Lapsus Jobs” in the screenshot above: Device enrollment. In most cases, this involved social engineering employees at the targeted firm into adding one of their computers or mobiles to the list of devices allowed to authenticate with the company’s virtual private network (VPN).

The messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled. These unauthorized sim swaps allow an attacker to intercept a target’s text messages and phone calls, including any links sent via SMS for password resets, or one-time codes sent for multi-factor authentication.

In one chat, the LAPSUS$ leader — 17-year-old from the U.K. who goes by the nicknames “White,” “WhiteDoxbin” and “Oklaqq” — is sharing his screen with another LAPSUS$ member who used the handles “Amtrak” and “Asyntax.”

The two were exploring T-Mobile’s internal systems, and Amtrak asked White to obscure the T-Mobile logo on his screen. In these chats, the user “Lapsus Jobs” is White. Amtrak explains this odd request by saying his parents are aware he was previously involved in SIM swapping, and he doesn’t want to give them any cause for alarm if they happen to look over his shoulder while he’s hacking away at home.

“Parents know I simswap,” Amtrak said. “So, if they see [that] they think I’m hacking.”

The messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account — either because the employee tried to log in or change their password — they would just find or buy another set of T-Mobile VPN credentials. T-Mobile currently has approximately 75,000 employees worldwide.

On March 19, 2022, the logs and accompanying screenshots show LAPSUS$ had gained access to Atlas, a powerful internal T-Mobile tool for managing customer accounts.

After gaining access to Atlas, White proceeded to look up T-Mobile accounts associated with the FBI and Department of Defense (see image above). Fortunately, those accounts were listed as requiring additional verification procedures before any changes could be processed.

Faced with increasingly vocal pleadings from other LAPSUS$ members not to burn their access to Atlas and other tools by trying to SIM swap government accounts, White unilaterally decided to terminate the VPN connection permitting access to T-Mobile’s network.

The other LAPSUS$ members desperately wanted to SIM swap some wealthy targets for money. Amtrak throws a fit, saying “I worked really hard for this!” White calls the Atlas access trash and then kills the VPN connection anyway, saying he wanted to focus on using their illicit T-Mobile access to steal source code.

Perhaps to mollify his furious teammates, White changed the subject and told them he’d gained access to T-Mobile’s Slack and Bitbucket accounts. He said he’d figured out how to upload files to the virtual machine he had access to at T-Mobile.

Roughly 12 hours later, White posts a screenshot in their private chat showing his automated script had downloaded more than 30,000 source code repositories from T-Mobile over a 12-hour period:

In response to questions from KrebsOnSecurity, T-Mobile issued the following statement:

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

CONSIDER THE SOURCE

It is not clear why LAPSUS$ was so fixated on stealing source code. Perhaps LAPSUS$ thought they could find in the source clues about security weaknesses that could be used to further hack these companies and their customers. Maybe the group already had buyers lined up for specific source code that they were then hired to procure. Or maybe it was all one big Capture the Flag competition, with source code being the flag. The leaked chats don’t exactly explain this fixation.

But it seems likely that the group routinely tried to steal and then delete any source code it could find on victim systems. That way, it could turn around and demand a payment to restore the deleted data.

In one conversation in late March, a LAPSUS$ member posts screenshots and other data indicating they’d gained remote administrative access to a multi-billion dollar company. But White is seemingly unimpressed, dismissing the illicit access as not worth the group’s time because there was no source code to be had.

LAPSUS$ first surfaced in December 2021, when it hacked into Brazil’s Ministry of Health and deleted more than 50 terabytes of data stored on the ministry’s hacked servers. The deleted data included information related to the ministry’s efforts to track and fight the COVID-19 pandemic in Brazil, which has suffered a disproportionate 13 percent of the world’s COVID-19 fatalities. LAPSUS$’s next 15 victims were based either in Latin America or Portugal, according to cyber threat intelligence firm Flashpoint.

By February 2022, LAPSUS$ had pivoted to targeting high-tech firms based in the United States. On Feb. 26, LAPSUS$ broke into graphics and computing chip maker NVIDIA. The group said it stole more than a terabyte of NVIDIA data, including source code and employee credentials.

Dan Goodin at Ars Technica wrote about LAPSUS$’s unusual extortion demand against NVIDIA: The group pledged to publish the stolen code unless NVIDIA agreed to make the drivers for its video cards open-source. According to these chats, NVIDIA responded by connecting to the computer the attackers were using in their attack, and then encrypting the stolen data.

Like many high-tech firms whose value is closely tied to their intellectual property, NVIDIA relies on a number of technologies designed to prevent data leaks or theft. According to LAPSUS$, among those is a requirement that only devices which have been approved or issued by the company can be used to access its virtual private network (VPN).

These so-called Mobile Device Management (MDM) systems retrieve information about the underlying hardware and software powering the system requesting access, and then relay that information along with any login credentials.

In a typical MDM setup, a company will issue employees a laptop or smartphone that has been pre-programmed with a data profile, VPN and other software that allows the employer to track, monitor, troubleshoot or even wipe device data in the event of theft, loss, or a detected breach.

MDM tools also can be used to encrypt or retrieve data from connected systems, and this was purportedly the functionality NVIDIA used to claw back the information stolen by LAPSUS$.

“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM,” LAPSUS$ wrote in a post on their public Telegram channel. “With this they were able to connect to a [virtual machine] that we use. Yes, they successfully encrypted the data. However, we have a backup and it’s safe from scum!!!”

NVIDIA declined to comment for this story.

On March 7, consumer electronics giant Samsung confirmed what LAPSUS$ had bragged on its Telegram channel: That the group had stolen and leaked nearly 200 GB of source code and other internal company data.

The chats reveal that LAPSUS$ stole a great deal more source code than they bragged about online. One of White’s curious fascinations was SASCAR, Brazil’s leading fleet management and freight security company. White had bought and talked his way into SASCAR’s systems, and had stolen many gigabytes worth of source code for the company’s fleet tracking software.

It was bad enough that LAPSUS$ had just relieved this company of valuable intellectual property: The chats show that for several days White taunted SASCAR employees who were responding to the then-unfolding breach, at first by defacing the company’s website with porn.

The messages show White maintained access to the company’s internal systems for at least 24 hours after that, even sitting in on the company’s incident response communications where the security team discussed how to evict their tormentors.

SASCAR is owned by tire industry giant Michelin, which did not respond to requests for comment.

ENROLLMENT

The leaked LAPSUS$ internal chats show the group spent a great deal of time trying to bypass multi-factor authentication for the credentials they’d stolen. By the time these leaked chat logs were recorded, LAPSUS$ had spent days relentlessly picking on another target that relied on MDM to restrict employee logins: Iqor, a customer support outsourcing company based in St. Petersburg, Fla.

LAPSUS$ apparently had no trouble using Russian Market to purchase access to Iqor employee systems. “I will buy login when on sale, Russians stock it every 3-4 days,” Amtrak wrote regarding Iqor credentials for sale in the bot shops.

The real trouble for LAPSUS$ came when the group tried to evade Iqor’s MDM systems by social engineering Iqor employees into removing multi-factor authentication on Iqor accounts they’d purchased previously. The chats show that time and again Iqor’s employees simply refused requests to modify multi-factor authentication settings on the targeted accounts, or make any changes unless the requests were coming from authorized devices.

After many days of trying, LAPSUS$ ultimately gave up on Iqor. On Mar. 22, LAPSUS$ announced it hacked Microsoft, and began leaking 37 gigabytes worth of Microsoft source code.

Like NVIDIA, Microsoft was able to stanch some of the bleeding, cutting off LAPSUS$’s illicit access while the group was in the process of downloading all of the available source code repositories alphabetically (the group publicized their access to Microsoft at the same time they were downloading the software giant’s source code). As a result, LAPSUS$ was only able to leak the source for Microsoft products at the beginning of the code repository, including Azure, Bing and Cortana.

BETRAYAL

LAPSUS$ leader White drew attention to himself prior to the creation of LAPSUS$ last year when he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced — including videos filmed just outside his home where he lives with his parents in the United Kingdom.

The past and current owner of the Doxbin — an established cybercriminal who goes by the handle “KT” — is the same person who leaked these private LAPSUS$ Telegram chat logs to KrebsOnSecurity.

In early April, multiple news outlets reported that U.K. police had arrested seven people aged 15-21 in connection with the LAPSUS$ investigation. But it seems clear from reading these leaked Telegram chats that individual members of LAPSUS$ were detained and questioned at different times over the course of several months.

In his chats with other LAPSUS$ members during the last week in March, White maintained that he was arrested 1-2 months prior in connection with an intrusion against a victim referred to only by the initials “BT.” White also appeared unconcerned when Amtrak admits that the City of London police found LAPSUS$ Telegram chat conversations on his mobile phone.

Perhaps to demonstrate his indifference (or maybe just to screw with Amtrak), White responds by leaking Amtrak’s real name and phone number to the group’s public Telegram channel. In an ALL CAPS invective of disbelief at the sudden betrayal, Amtrak relates how various people started calling his home and threatening his parents as a result, and how White effectively outed him to law enforcement and the rest of the world as a LAPSUS$ member.

The vast majority of noteworthy activity documented in these private chats takes place between White and Amtrak, but it doesn’t seem that White counted Amtrak or any of his fellow LAPSUS$ members as friends or confidants. On the contrary, White generally behaved horribly toward everyone in the group, and he particularly seemed to enjoy abusing Amtrak (who somehow always came back for more).

“Mox,” one of the LAPSUS$ members who shows up throughout these leaked chats, helped the group in their unsuccessful attempts to enroll their mobile devices with an airline in the Middle East to which they had purchased access. Audio recordings leaked from the group’s private Telegram channel include a call wherein Mox can be heard speaking fluently in Arabic and impersonating an airline employee.

At one point, Mox’s first name briefly shows up in a video he made and shared with the group, and Mox mentions that he lives in the United States. White then begins trying to find and leak Mox’s real-life identity.

When Mox declares he’s so scared he wants to delete his iCloud account, White suggests he can get Mox’s real name, precise location and other information by making a fraudulent “emergency data request” (EDR) to Apple, in which they use a hacked police department email account to request emergency access to subscriber information under the claim that the request can’t wait for a warrant because someone’s life is on the line.

White was no stranger to fake EDRs. White was a founding member of a cybercriminal group called “Recursion Team,” which existed between 2020 and 2021. This group mostly specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The Recursion Team was founded by a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

As part of the Recursion Team, White used the alias “Peter.” Several LAPSUS$ members quizzed White and Amtrak about whether authorities asked about Recursion Team during questioning. In several discussion threads, White’s “Lapsus Jobs” alias on Telegram answers “yes?” or “I’m here” when another member addresses him by Peter.

White dismissed his public doxing of both Amtrak and Mox as their fault for being sloppy with operational security, or by claiming that everyone already knew their real identities. Incredibly, just a few minutes after doxing Amtrak, White nonchalantly asks him for help in stealing source code from yet another victim firm — as if nothing had just happened between them. Amtrak seems soothed by this invitation, and agrees to help.

On Mar. 30, software consultancy giant Globant was forced to acknowledge a hack after LAPSUS$ published 70 gigabytes of data stolen from the company, including customers’ source code. While the Globant hack has been widely reported for weeks, the cause of the breach remained hidden in these stolen logs: A stolen five-year-old access token for Globant’s network that still worked.

Globant lists a number of high-profile customers on its website, including the U.K. Metropolitan Police, software house Autodesk and gaming giant Electronic Arts. In March, KrebsOnSecurity showed how White was connected to the theft of 780 GB worth of source code from Electronic Arts last summer.

In that attack, the intruders reportedly gained access to EA’s data after purchasing authentication cookies for an EA Slack channel from the dark web marketplace “Genesis,” which offers more or less the same wares as the Russian Market.

One remarkable aspect of LAPSUS$ was that its members apparently decided not to personally download or store any data they stole from companies they hacked. They were all so paranoid of police raiding their homes that they assiduously kept everything “in the cloud.” That way, when investigators searched their devices, they would find no traces of the stolen information.

But this strategy ultimately backfired: Shortly before the private LAPSUS$ chat was terminated, the group learned it had just lost access to the Amazon AWS server it was using to store months of source code booty and other stolen data.

“RIP FBI seized my server,” Amtrak wrote. “So much illegal shit. It’s filled with illegal shit.”

White shrugs it off with the dismissive comment, “U can’t do anything about ur server seized.” Then Amtrak replies that he never made a backup of the server.

“FFS, THAT AWS HAD TMO SRC [T-Mobile source] code!” White yelled back.

The two then make a mad scramble to hack back into T-Mobile and re-download the stolen source code. But that effort ultimately failed after T-Mobile’s systems revoked the access token they were using to raid the company’s source code stash.

“How they noticed?” Amtrak asked White.

“Gitlab auto-revoked, likely,” White replied. “Cloning 30k repos four times in 24 hours isn’t very normal.”

Ah, the irony of a criminal hacking group that specializes in stealing and deleting data having their stolen data deleted.

It’s remarkable how often LAPSUS$ was able to pay a few dollars to buy access to some hacked machine at a company they wanted to break into, and then successfully parlay that into the theft of source code and other sensitive information.

What’s even more remarkable is that anyone can access dark web bot shops like Russian Market and Genesis, which means larger companies probably should be paying someone to regularly scrape these criminal bot services, even buying back their own employee credentials to take those vulnerable systems off the market. Because that’s probably the simplest and cheapest incident response money can buy.

Conti — one of the most ruthless and successful Russian ransomware groups — publicly declared during the height of the COVID-19 pandemic that it would refrain from targeting healthcare providers. But new information confirms this pledge was always a lie, and that Conti has launched more than 200 attacks against hospitals and other healthcare facilities since first surfacing in 2018 under its earlier name, “Ryuk.”

On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.

Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Netfilim.

But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.

Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

Weiss said ransomware attacks from Ryuk/Conti have impacted hundreds of healthcare facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

“The attacks resulted in the temporary or permanent loss of IT systems that support many of the provider delivery functions in modern hospitals resulting in cancelled surgeries and delayed medical care,” Weiss said in a declaration (PDF) with the U.S. District Court for the Northern District of Georgia.

“Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles,” Weiss wrote. “The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.”

The figures cited by Weiss appear highly conservative. A single attack by Ryuk/Conti in May 2021 against Ireland’s Health Service Executive, which operates the country’s public health system, resulted in massive disruptions to healthcare in Ireland. In June 2021, the HSE’s director general said the recovery costs for that attack were likely to exceed USD $600 million.

Conti ravaged the healthcare sector throughout 2020, and leaked internal chats from the Conti ransomware group show the gang had access to more than 400 healthcare facilities in the U.S. alone by October 2020.

On Oct. 28, 2020, KrebsOnSecurity broke the news that FBI and DHS officials had seen reliable intelligence indicating the group planned to ransom many of these care facilities simultaneously. Hours after that October 2020 piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

A report in February 2022 from Sophos found Conti orchestrated a cyberattack against a Canadian healthcare provider in late 2021. Security software firm Emsisoft found that at least 68 healthcare providers suffered ransomware attacks last year.

While Conti is just one of many ransomware groups threatening the healthcare industry, it seems likely that ransomware attacks on the healthcare sector are underreported. Perhaps this is because a large percentage of victims are paying a ransom demand to keep their data (and news of their breach) confidential. A survey published in February by email security provider Proofpoint found almost 60 percent of victims hit by ransomware paid their extortionists.

Or perhaps it’s because many crime groups have shifted focus away from deploying ransomware and toward stealing data and demanding payment not to publish the information. Conti shames victims who refuse to pay a ransom by posting their internal data on their darkweb blog.

Since the beginning of 2022, Conti has claimed responsibility for hacking a cancer testing lab, a medical prescription service online, a biomedical testing facility, a pharmaceutical company, and a spinal surgery center.

The Healthcare Information and Management Systems Society recently released its 2021 HIMSS Healthcare Cybersecurity Survey (PDF), which interviewed 167 healthcare cybersecurity professionals and found 67 percent had experienced a “significant security incident” in the past year.

The survey also found that just six percent or less of respondent’s information technology budgets were devoted to cybersecurity, although roughly 60 percent of respondents said their cybersecurity budgets would increase in 2022. Last year, just 79 percent of respondents said they’d fully implemented antivirus or other anti-malware systems; only 43 percent reported they’d fully implemented intrusion detection and prevention technologies.

The FBI says Conti typically gains access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, and that it weaponizes Microsoft Office documents with embedded Powershell scripts — initially staging Cobalt Strike via the Office documents and then dropping Emotet onto the network — giving them the ability to deploy ransomware. The FBI said Conti has been observed inside victim networks between four days and three weeks on average before deploying Conti ransomware.

Microsoft on Tuesday released updates to fix roughly 120 security vulnerabilities in its Windows operating systems and other software. Two of the flaws have been publicly detailed prior to this week, and one is already seeing active exploitation, according to a report from the U.S. National Security Agency (NSA).

Of particular concern this month is CVE-2022-24521, which is a “privilege escalation” vulnerability in the Windows common log file system driver. In its advisory, Microsoft said it received a report from the NSA that the flaw is under active attack.

“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” assessed Dustin Childs with Trend Micro’s Zero Day Initiative. “Go patch your systems before that situation changes.”

Nine of the updates pushed this week address problems Microsoft considers “critical,” meaning the flaws they fix could be abused by malware or malcontents to seize total, remote access to a Windows system without any help from the user.

Among the scariest critical bugs is CVE-2022-26809, a potentially “wormable” weakness in a core Windows component (RPC) that earned a CVSS score of 9.8 (10 being the worst). Microsoft said it believes exploitation of this flaw is more likely than not.

Other potentially wormable threats this month include CVE-2022-24491 and CVE-2022-24497, Windows Network File System (NFS) vulnerabilities that also clock in at 9.8 CVSS scores and are listed as “exploitation more likely by Microsoft.”

“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,” said Kevin Breen, director of cyber threat research at Immersive Labs. “It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”

Speaking of wormable flaws, CVE-2022-24500 is a critical bug in the Windows Server Message Block (SMB).

“This is especially poignant as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to propagate at great pace,” Breen added. “Microsoft advises blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this won’t stop exploitation from attackers inside the local network, it will prevent new attacks originating from the Internet.”

In addition, this month’s patch batch from Redmond brings updates for Exchange Server, Office, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler components.

As it generally does on the second Tuesday of each month, Adobe released four patches addressing 70 vulnerabilities in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. More information on those updates is available here.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForum’s takedown was the result of “Operation Tourniquet,” which was carried out by the NCA in cooperation with the United Staes, Europol and four other countries, and resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here’s a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

A security researcher recently shared with KrebsOnSecurity an email he received from someone who said they foolishly invested an entire bitcoin (currently worth ~USD $43,000) at a website called ark-x2[.]org, which promised to double any cryptocurrency investment made with the site.

The ark-x2[.]org site pretended to be a crypto giveaway website run by Cathie Wood, the founder and CEO of ARKinvest, an established Florida company that manages several exchange-traded investment funds. This is hardly the first time scammers have impersonated Wood or ARKinvest; a tweet from Wood in 2020 warned that the company would never use YouTube, Twitter, Instagram or any social media to solicit money.

At the crux of these scams are well-orchestrated video productions published on YouTube and Facebook that claim to be a “live event” featuring famous billionaires. In reality, these videos just rehash older footage while peppering viewers with prompts to sign up at a scam investment site — one they claim has been endorsed by the celebrities.

“I was watching a live video at YouTube where Elon Musk, Cathy Wood, and Jack Dorsey were talking about Crypto,” the victim told my security researcher friend. “An overlay on the video pointed to subscribing to the event at their website. I’ve been following Cathy Wood in her analysis on financial markets, so I was in a comfortable and trusted environment. The three of them are bitcoin maximalists in a sense, so it made perfect sense they were organizing a giveaway.”

“Without any doubt (other than whether the transfer would go through), I sent them 1 BTC (~$42,800), and they were supposed to return 2 BTC back,” the victim continued. “In hindsight, this was an obvious scam. But the live video and the ARK Invest website is what produced the trusted environment to me. I realized a few minutes later, when the live video looped. It wasn’t actually live, but a replay of a video from 6 months ago.”

Ark-x2[.]org is no longer online. But a look at the Internet address historically tied to this domain (186.2.171.79) shows the same address is used to host or park hundreds of other newly-minted crypto scam domains, including coinbase-x2[.]net (pictured below).

Typical of crypto scam sites, Coinbase-x2 promises a chance to win 50,000 ETH (Ethereum virtual currency), plus a “welcome bonus” wherein they promise to double any crypto investment made with the platform. But everyone who falls for this greed trap soon discovers they won’t be getting anything in return, and that their “investment” is gone forever.

There isn’t a lot of information about who bought these crypto scam domains, as most of them were registered in the past month at registrars that automatically redact the site’s WHOIS ownership records.

However, several dozen of the domains are in the .us domain space, which is technically supposed to be reserved for entities physically based in the United States. Those Dot-us domains all contain the registrant name Sergei Orlovets from Moscow, the email address ulaninkirill52@gmail.com, and the phone number +7.9914500893. Unfortunately, each of these clues lead to a dead end, meaning they were likely picked and used solely for these scam sites.

A dig into the Domain Name Server (DNS) records for Coinbase-x2[.]net shows it is hosted at a service called Cryptohost[.]to. Cryptohost also controls several other address ranges, including 194.31.98.X, which is currently home to even more crypto scam websites, many targeting lesser-known cryptocurrencies like Polkadot.

An ad posted to the Russian-language hacking forum BHF last month touted Cryptohost as a “bulletproof hosting provider for all your projects,” i.e., it can be relied upon to ignore abuse complaints about its customers.

“Why choose us? We don’t keep your logs!,” someone claiming to represent Cryptohost wrote to denizens of BHF.

Cryptohost says its service is backstopped by DDoS-Guard, a Russian company that has featured here recently for providing services to the sanctioned terrorist group Hamas and to the conspiracy theory groups QAnon/8chan.

Cryptohost did not respond to requests for comment.

Signing up as a customer at Cryptohost presents a control panel that includes the IP address 188.127.235.21, which belongs to a hosting provider in Moscow called SmartApe. SmartApe says its main advantage is unlimited disk space, “which allows you to host an unlimited number of sites for little money.”

According to FinTelegram, a blog that bills itself as a crowdsourced financial intelligence service that covers investment scams, SmartApe is a “Russian-Israeli hosting company for cybercriminals.”

SmartApe CEO Mark Tepterev declined to comment on the allegations from FinTelegram, but said the company has thousands of clients, some of whom have their own clients.

“Also we host other hostings that have their own thousands of customers,” Tepterev said. “Of course, there are clients who use our services in their dubious interests. We immediately block such clients upon receipt of justified complaints.”

Much of the text used in these scam sites has been invoked verbatim in similar schemes dating back at least two years, and it’s likely that scam website templates are re-used so long as they continue to reel in new investors. Searching online for the phrase “During this unique event we will give you a chance to win” reveals many current and former sites tied to this scam.

While it may seem incredible that people will fall for stuff like this, such scams reliably generate decent profits. When Twitter got hacked in July 2020 and some of the most-followed celebrity accounts on Twitter started tweeting double-your-crypto offers, 383 people sent more than $100,000 in a few hours.

In Sept. 2021, the Bitcoin Foundation (bitcoin.org) was hacked, with the intruders placing a pop-up message on the site asking visitors to send money. The message said any sent funds would be doubled and returned, claiming that the Bitcoin Foundation had set up the program as a way of “giving back to the community.” The brief scam netted more than $17,000.

According to the U.S. Federal Trade Commission, nearly 7,000 people lost more than $80 million in crypto scams from October 2020 through March 2021 based on consumer fraud reports. That’s a significant jump from the year prior, when the FTC tracked just 570 cryptocurrency investment scam complaints totaling $7.5 million.

A recent report from blockchain analysis firm Chainalysis found that scammers stole approximately $14 billion worth of cryptocurrency in 2021 — nearly twice the $7.8 billion stolen by scammers in 2020, the report found.

In March, Australia’s competition watchdog filed a lawsuit against Facebook owner Meta Platforms, alleging the social media giant failed to prevent scammers using its platform to promote fake ads featuring well-known people. The complaint alleges the advertisements, which endorsed investment in cryptocurrency or money-making schemes, could have misled Facebook users into believing they were promoted by famous Australians.

In many ways, the crypto giveaway scam is a natural extension of perhaps the oldest cyber fraud in the book: Advanced-fee fraud. Most commonly associated with Nigerian Letter or “419” fraud and lottery/sweepstakes schemes, advanced fee scams promise a financial windfall if only the intended recipient will step up and claim what is rightfully theirs — and oh by the way just pay this small administrative fee and we’ll send the money.

What makes these double-your-crypto sites successful is not just ignorance and avarice, but the idea held by many novice investors that cryptocurrencies are somehow magical money-minting machines, or perhaps virtual slot machines that will eventually pay off if one simply deposits enough coinage.