
Meet the Hackers Holding Netflix to Ransom

Joseph Cox

The Dark Overlord attempted to extort plenty of companies before targeting Netflix.

Image: Netflix

Last week, a hacker or group of hackers dumped apparent full episodes of Orange Is the New Black after Netflix allegedly declined to pay a ransom, and has threatened to release a number of other shows too, including Celebrity Apprentice, New Girl, and The Catch. But this was only the latest move from the group. Known as The Dark Overlord, the hackers have established themselves with a dizzying number of data breaches, often stealing mountains of sensitive corporate and personal data.

For nearly a year, Motherboard and a handful of other journalists have followed The Dark Overlord, and watched it evolve from a group learning how to manipulate the media to aid in extortion attempts, to a ruthless and apparently organized criminal enterprise, albeit one whose ultimate financial success is unclear.

*

The Dark Overlord first appeared in June of last year, when they advertised hundreds of thousands of alleged records from several US healthcare organizations on a dark web marketplace. The hackers weren't really trying to sell the data though—instead, the group had demanded a ransom from each of the (at the time unnamed) victims.

"A modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims," someone from the group told Motherboard at the time.

The Dark Overlord seemed to be focused on the medical sector: it shortly followed up with another 9 million supposed health care insurance records, and a few months later targeted Peachtree Orthopaedic Clinic, based in Atlanta, Georgia. The group also hacked a technology firm that provides software for healthcare services, and even a cancer service in Indiana. The plan, typically, was to entice journalists to cover the data breaches, so those articles could then be used to pressure extortion victims further.

"You'll be publishing something?" The Dark Overlord incessantly asked Motherboard in a message relating to one of the group's more recent breaches.

With this in mind, the group also dug through the databases for high profile individuals. The Peachtree records allegedly included players for the Atlanta Braves and Atlanta Hawks, and The Dark Overlord claimed it had publicly dumped a number of medical files, including those related to Mark F. Giuliano, deputy director of the FBI.

According to a report from the Atlanta Police Department obtained by Motherboard, several Peachtree patients fell victim to fraud after the hack, including phony credit card applications.

A report from the Atlanta Police Department related to a Dark Overlord hack.

Although the group continued to target health care facilities, The Dark Overlord soon broadened its focus to include corporations. In November, the group said it had stolen personal and company data from Gorilla Glue, which makes consumer glue products, and went on to provide sample data allegedly stolen from a US defense contractor.

"We have been actively committing industrial espionage for some time now," someone from the group claimed that same month in a message. "Competitors are interested in these breaches, as are state-purchasers."

According to an affidavit written by FBI Special Agent Ronnie O. Buentello, and published by Motherboard before it was retroactively sealed, The Dark Overlord had claimed around 15 major hacks by the end of March. The breach of Larson Studios, the small post-production group which led to the attempted extortion of Netflix, may not be included in that figure.

*

An alleged text message sent by The Dark Overlord to the child of a corporate victim.

Depending on who it is communicating with, The Dark Overlord presents itself as a playful jester, a ruthless criminal, or a calculated professional.

Through its Pastebin posts and tweets, The Dark Overlord has tried to present a whimsical image.

"I am he that liveth, and was dead; and, behold, I am alive for evermore, Amen; and have the keys of hell and of death," the group tweeted in October, referencing Revelation 1:18, before announcing more stolen data.

But when messaging the victims directly, the hackers apparently have a different approach.

"Tell your mother and father that we have all of their research and development and we plan to destroy their company unless they cooperate with us," a text message allegedly sent by the hackers to a child of one of the corporate victims reads.

And in other cases, the group has allegedly presented victims with detailed legal contracts, laying out the terms of their extortion, and the responsibilities of each party.

"Conditionally, thedarkoverlord will securely erase all copies of the Client's or other associated parties of the Client's data," reads an apparent contract between The Dark Overlord and one of its victims. Motherboard obtained the contract from someone not directly affiliated with the hacking group. The signed document defines bitcoin and PGP encryption, and gives a deadline by which payment must be delivered. (No one had sent funds to the bitcoin address mentioned in the contract at the time of writing.)

A section of an alleged contract between The Dark Overlord and a victim.

Naturally, it is unclear whether The Dark Overlord really is an individual or a group. Over months of conversations with Motherboard, their writing style and mannerisms have dramatically changed back and forth several times, and someone using The Dark Overlord's encrypted chat account did claim that multiple people had access.

On one dark web forum an apparent cybercriminal using the name "Crafty Cockney," allegedly associated with The Dark Overlord, claimed the group is made up of three members, aged between 20 and 40 years old, "with a mixture of intelligence, strategy, humour and bottle."

Crafty Cockney also posted audio seemingly of an extortion call to one of The Dark Overlord's victims.

The exact link between Crafty Cockney and The Dark Overlord is unclear, but Dissent Doe, the pseudonymous creator of DataBreaches.net, and who has followed both fraudsters closely, told Motherboard "There definitely was a relationship. I don't know what that relationship is these days, though." (A man who supposedly used the handle Crafty Cockney was arrested for allegedly trying to sell hacked photos belonging to a member of the British royal family last year).

The FBI's investigation into The Dark Overlord remains ongoing, even probing a security researcher who has crossed paths with the hacker group online. But The Dark Overlord shows no sign of slowing down just yet.

"It's nearly time to play another round," the group tweeted on Monday.