Malware Exchange Busted by the Feds Relaunches, At Least in Name

Law enforcement shut down Darkode in 2015. Now, alleged former members are trying to bring it back.

The digital underground is a fragile place, with hacking forums sometimes being shuttered by police. That's what happened to malware-marketplace Darkode last year: in coordinated raids, the FBI, UK's National Crime Agency, and a slew of other law enforcement bodies arrested over 70 hackers and closed the popular site.

Now Darkode is back, at least in name.

"A friend and I who used to be former members missed it so we brought it back as a way to not only help people gain knowledge but for old friends to reunite and for people to build new friendships aswell [sic]," one of the site's administrators, who goes by the handle Six, told Motherboard in an online chat.

A few days ago, Six and co-administrator Naos—who claim to be ex-members of the original forum—launched a new version of Darkode that looks similar to its predecessor, and which uses the same domain. The idea is for the site to act as a hotspot for hackers to share information, particularly around malware.

On the first Darkode, hackers would trade stolen data such as credit card information and email addresses, and also hacking tools. But this version might be a bit more regulated by its administrators.

According to Six, posting information that can be used for identity theft, such as credit card details or social security numbers, will be banned, as well as the distribution of malware. Users are allowed to post "broken" source code—code deliberately edited so that it is not a fully functioning piece of malware but can still be educational—so as to avoid more heat and attention from law enforcement.

"We can control what is traded on site but we cannot control what members do off-site and that is on their terms and is their responsibility," Six said. At the moment, there isn't really much to talk about on the site, but maybe that'll change when people start to post new threads.

When investigators closed Darkode in summer 2015, the site did briefly relaunch, but appeared to fizzle out. And some are sceptical about this version of Darkode's relationship to the original.

"It's possible they're old Darkode members but this isn't Darkode," the researcher known as MalwareTech told Motherboard in a Twitter direct message, noting that the site is not using the same database or server. The domain has been moved to another registrar as well, MalwareTech pointed out.

The shuttering of the original Darkode involved undercover work on the forum. With that in mind, is anyone going to trust the Darkode brand from now on?

"Well that's a risk people are going to have to take I guess, I can't guarantee that it won't happen so all I can do is properly educate my userbase in how to remain secure and anonymized online," Six said.
