Syrian pound. Photo: Adnan Ghosheh/Flickr
On Tuesday, the Department of Justice unsealed charges against three suspected members of the infamous hacking group the Syrian Electronic Army (SEA).
SEA is typically seen as a politically-motivated group, defacing websites to spread pro-Assad propaganda, for example. But one of the suspected SEA members seemingly ditched that ideology, and started hacking and extorting several companies for tens of thousands of euros, and another hacker in Germany helped launder the proceeds back into Syria.
In late 2013, Firas Dardar, 27, who the FBI believes is behind the handle “The Shadow,” started hacking companies around the world for profit. Sometimes, Dardar “used his notoriety and affiliation with the SEA to instill fear in victim companies,” the FBI complaint reads.
At least 14 companies in the US and abroad fell victim to the extensive extortion campaign, which stretched until December 2014, the complaint continues. In all, Dardar allegedly demanded over half a million dollars from those companies, but the hackers often accepted much lower payments.
Typically, the attacks were carried out with phishing emails, tricking victims into entering their login credentials for computer systems. From here, Dardar would log in, and redirect internet traffic to or from their system, deface their website, send messages using the victims’ accounts, or try to pinch data.
Dardar would then contact the victim, claim responsibility for the hack and demand substantial sums of cash. Otherwise, he would further disrupt their businesses, the complaint claims.
One case was that of an unnamed Chinese online gaming company, which has servers in the US. In July 2013, according to the complaint, Dardar informed the company that he had hacked one of its games.
“[t]his is the last warning / communicate with me or/ I will did [sic] something you do not like,” Dardar allegedly said in an email to the company. The first payment of $500 was received shortly after via Perfect Money, an online payment system. Dardar regularly sent other emails, briefly changing his tone to something closer to that of a whitehat hacker, and informed the company of other vulnerabilities in exchange for cash.
When the company said that these discoveries were of little value, Dardar claimed that he had access to its entire database, and demanded 50,000 euros. Eventually, a deal of 15,000 euros was struck.
In October 2013, Dardar gained access to the system of another victim, a UK-based web hosting company. Using his SEA alias, he told the company he was an “ethical hacker,” and, yet, demanded 50,000 euros for helping them avoid future hacks. He even threatened to use the victim's systems to conduct further illegal activities if they didn't cough up the money. Eventually, Dardar squeezed 16,000 euros out of this company. Other targets included an online entertainment service, a US-based online media company, and a Swiss web host.
But sometimes companies had trouble sending funds to Dardar, because his bank was in Syria, which faces sanctions.
This is where Peter Romar, the money launderer, came in. When a company couldn't send funds directly to Dardar, Romar would act as a middleman from Germany. And, according to the complaint, Romar was aware of where this money was coming from: Dardar allegedly forwarded him a full email chain from one of the targets.
“The Syrian Electronic Army publicly claims that its hacking activities are conducted in support of the embattled regime of Syrian President Bashar al-Assad,” said Assistant Attorney General Carlin in a statement. “While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world. The allegations in the complaint demonstrate that the line between ordinary criminal hackers and potential national security threats is increasingly blurry.”