US sanctions Russian accused of being a ‘central figure’ in major ransomware attacks

The U.S. government has indicted a Russian national for his alleged role in ransomware attacks against U.S. law enforcement and critical infrastructure.

U.S. authorities accuse Mikhail Matveev, also known online as “Wazawaka” and “Boriselcin,” of being a “central figure” in developing and deploying the Hive, LockBit, and Babuk ransomware variants.

In 2021, Matveev claimed responsibility for a ransomware attack against the Metropolitan Police Department in Washington, D.C., according to the U.S. Justice Department. In that attack, the Babuk ransomware gang, of which Matveev had allegedly been a member since early 2020, infiltrated the police department’s systems and stole the personal details of police officers, along with sensitive information about gangs, criminal suspects and witnesses.

Matveev and his co-conspirators also deployed LockBit ransomware against a law enforcement agency in New Jersey’s Passaic County in June 2020, according to prosecutors, and deployed Hive ransomware against a nonprofit behavioral healthcare organization headquartered in nearby Mercer County in May 2020.

These three ransomware gangs are believed to have targeted thousands of victims in the United States. According to the Justice Department, the LockBit ransomware gang has carried out over 1,400 attacks, issuing over $100 million in ransom demands and receiving over $75 million in ransom payments. Babuk has executed over 65 attacks and has received $13 million in ransom payments, while Hive has targeted more than 1,500 victims around the world and received as much as $120 million in ransom payments.

Matveev is also believed to have links to the Russia-backed Conti ransomware gang. The Russian national is believed to have claimed responsibility for the ransomware attack on the government of Costa Rica, which saw Conti hackers demand $20 million in a ransom payment — along with the overthrow of the Costa Rican government.

According to the U.S. Treasury, which announced sanctions against the Russian national on Tuesday, Matveev has also been linked to other ransomware intrusions against numerous U.S. businesses, including a U.S. airline. The Treasury added that Matveev has been vocal about his illegal activities, providing insight into his cybercrimes in media interviews and disclosing exploit code to online criminals. The sanctions make it illegal for U.S. businesses or individuals to transact with Matveev, a tactic often used to discourage Americans from paying ransom demands.

“The United States will not tolerate ransomware attacks against our people and our institutions,” said Brian E. Nelson, the Treasury under secretary for terrorism and financial intelligence. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison. The State Department has announced a reward of up to $10 million for information that leads to his arrest or conviction.

US sanctions Russian accused of being a ‘central figure’ in major ransomware attacks by Carly Page originally published on TechCrunch

NextGen Healthcare says hackers accessed personal data of more than 1 million patients

NextGen Healthcare, a U.S.-based provider of electronic health record software, admitted that hackers breached its systems and stole the personal data of more than 1 million patients.

In a data breach notification filed with the Maine attorney general’s office, NextGen Healthcare confirmed that hackers accessed the personal data of 1.05 million patients, including approximately 4,000 Maine residents. In a letter sent to those affected, NextGen Healthcare said that hackers stole patients’ names, dates of birth, addresses and Social Security numbers.

“Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company added. It’s not yet known whether NextGen Healthcare has the means, such as logs, to determine what data was exfiltrated and company spokesperson Tami Andrade did not immediately respond to TechCrunch’s questions.

In its filing with Maine’s AG, NextGen Healthcare said it was alerted to suspicious activity on March 30, and later determined that hackers had access to its systems between March 29 and April 14, 2023. The notification says that the attackers gained access to NextGen Office, a cloud-based EHR and practice management system, using client credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen.”

NextGen was also the victim of a ransomware attack in January this year, according to reports, which was claimed by the ALPHV ransomware gang, also known as BlackCat. A listing on ALPHV’s dark web leak site, seen by TechCrunch, shows samples of the stolen data, including employee names, addresses, phone numbers, and passport scans. 

News of NextGen’s latest breach comes as the number of patients impacted by the mass ransomware attack targeting customers of Fortra’s GoAnywhere file-transfer software continues to grow. Florida-based technology company NationBenefits confirmed last week that more than 3 million members had data stolen in the cyberattack, while Brightline, a virtual therapy provider for children, said that more than 960,000 of its pediatric mental health patients had data stolen.

NextGen Healthcare says hackers accessed personal data of more than 1 million patients by Carly Page originally published on TechCrunch

Hackers are breaking into AT&T email accounts to steal cryptocurrency

Unknown hackers are breaking into the accounts of people who have AT&T email addresses, and using that access to break into the victims’ cryptocurrency exchange accounts and steal their crypto, TechCrunch has learned.

At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals has found a way to hack into the email accounts of anyone with an att.net, sbcglobal.net, bellsouth.net or other AT&T email address.

According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.

With a target’s mail key, the hackers can use an email app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via email.
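The abuse described above turns on a credential being minted out of band: the keys appeared on victims’ accounts without the owner having logged in, and one source created keys for many different people. As an added example, not code from the article or from AT&T, the Python below runs those two checks over a constructed audit log in a hypothetical format (ISO timestamp, event name, account, source IP, channel). It flags mail-key creations that no interactive web login for the same account precedes within a window, and lists source addresses that created keys for more than one account. The event names, window and log layout are all assumptions of the example.

```python
"""Detect out-of-band secure-mail-key creation in a (constructed) audit log.

Added example; the log format, event names and 30-minute window are assumptions,
not AT&T's real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Fields: ISO-8601 time, event, account, source IP, channel.
SAMPLE_LOG = """\
2023-04-18T09:00:05Z web_login alice@att.net 203.0.113.10 web
2023-04-18T09:02:11Z mail_key_created alice@att.net 203.0.113.10 web
2023-04-18T11:45:00Z mail_key_created bob@sbcglobal.net 198.51.100.7 api
2023-04-18T11:45:30Z imap_login bob@sbcglobal.net 198.51.100.7 imap
2023-04-18T12:10:00Z mail_key_created carol@bellsouth.net 198.51.100.7 api
2023-04-18T12:30:00Z web_login carol@bellsouth.net 192.0.2.44 web
2023-04-18T12:31:00Z mail_key_created carol@bellsouth.net 192.0.2.44 web
"""

LOGIN_WINDOW = timedelta(minutes=30)  # assumption: how recent a web login must be


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    account: str
    src_ip: str
    channel: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, account, src_ip, channel = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, kind, account, src_ip, channel))
    return sorted(events, key=lambda e: e.ts)


def unbacked_key_creations(events, window: timedelta = LOGIN_WINDOW) -> list:
    """Return mail_key_created events with no web_login for that account in the preceding window.

    A key minted with no interactive session behind it is the pattern the victims
    describe: the attacker never needed the account password.
    """
    last_web_login = {}
    flagged = []
    for e in events:  # events are time-ordered, so a single pass suffices
        if e.kind == "web_login":
            last_web_login[e.account] = e.ts
        elif e.kind == "mail_key_created":
            seen = last_web_login.get(e.account)
            if seen is None or e.ts - seen > window:
                flagged.append(e)
    return flagged


def shared_key_sources(events, min_accounts: int = 2) -> dict:
    """Map source IPs that created mail keys for at least min_accounts distinct accounts."""
    by_ip = defaultdict(set)
    for e in events:
        if e.kind == "mail_key_created":
            by_ip[e.src_ip].add(e.account)
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unbacked_key_creations(evs):
        print(f"UNBACKED KEY  {e.ts.isoformat()}  {e.account}  from {e.src_ip} via {e.channel}")
    for ip, accts in shared_key_sources(evs).items():
        print(f"SHARED SOURCE {ip} created keys for {sorted(accts)}")
```

On the sample, Alice’s key follows her own web login and Carol’s second key follows hers, so neither is flagged; the two API-created keys with no login behind them are, and the single source address behind both is reported. In a real deployment the same two rules would sit on the identity provider’s audit stream, and the fix AT&T describes (invalidating all existing keys and forcing a password reset) is the response once the rule fires.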

The tipster provided a list of alleged victims. Two of the victims replied, confirming that they have been hacked.

AT&T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”

“We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” the spokesperson said.

AT&T declined to say how many people have been hit in this wave of hacks. But the company, “as a precaution,” has locked some email accounts, forcing their owners to reset their passwords.

“This process wiped out any secure mail keys that had been created,” the spokesperson added.

One victim told TechCrunch that hackers stole $134,000 from his Coinbase account. The second victim said that “it has been happening repeatedly since November 2022 — probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly login to my [AT&T] site and delete their key and create a new one.”

“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these outlook login keys,” the victim added.

Also, several people with AT&T and other related email addresses said on Reddit that they have been hacked.

“Hello, my email was compromised back in March of this year and I have done everything I can to reset password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?”

Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”

The tipster claims that the hackers can “reset any” AT&T email account, and that they have made between $15 and $20 million in stolen crypto. (TechCrunch could not independently verify the tipster’s claim.)

TechCrunch has seen a screenshot, apparently from a Telegram group chat, in which one of the hackers claims that the gang “have the entire AT&T employee database,” which allows them to access an internal AT&T portal for employees called OPUS.

“Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot.

The tipster said that the gang now has access to AT&T’s internal VPN.

Kimberly, the AT&T spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”


Do you have more information about these hacks against AT&T email users? Or other similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

Hackers are breaking into AT&T email accounts to steal cryptocurrency by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

The IRS is sending four investigators across the world to fight cybercrime

The Internal Revenue Service (IRS) plans to send four agents who specialize in investigating cybercrime to Australia, Singapore, Colombia, and Germany starting this summer. These four new positions represent a significant increase in the IRS’s global efforts to fight cybercrimes, such as those involving cryptocurrency, decentralized finance, and crypto laundering services.

In the last several years, agents working for the IRS’s Criminal Investigation (IRS-CI) branch have had a key role in investigating crimes on the dark web as part of landmark international operations: the shutdown of the drug and hacking services marketplace AlphaBay along with the arrest of its administrator; the bust of the internet’s biggest child abuse website; and the takedown of a marketplace for stolen Social Security Numbers, among several others.

Until now, the IRS had only one cyber investigator abroad, in The Hague, Netherlands, working mostly alongside Europol since 2021. The expansion was first revealed by Guy Ficco, the IRS’s executive director for global operations policy and support for IRS-CI, during a panel at the Chainalysis Links conference on April 4.

“Starting really now we’re going to be piloting four additional posts, putting dedicated cyber attachés in Bogota, Colombia, in Frankfurt, Germany, in Singapore, and in Sydney, Australia,” Ficco said. “I think the benefits have been — at least with the Hague and with Europol posts — have been very tangible.”

IRS spokesperson Carissa Cutrell told TechCrunch in an email that the four new positions are part of a pilot program that will last 120 days, from June to September 2023, and are created “to help combat the use of cryptocurrency, decentralized finance and mixing services in international financial and tax crimes.”

After the 120-day pilot program, the IRS will evaluate whether to continue having the agents in the new countries.

“Success will hinge on the attachés’ ability to work cooperatively and train our foreign law enforcement counterparts, and build leads for criminal investigations,” Cutrell said.

Chris Janczewski, who worked as a special agent in the IRS-CI Cyber Crimes Unit, said that growing the IRS’s presence abroad is an important step toward streamlining international investigations.

“The U.S. based case agent can’t always travel to coordinate with foreign partners on investigative needs and the cyber attache has to act as the proxy for the case agent,” Janczewski told TechCrunch in an email. “Their expertise on knowing what questions to ask, what evidence can reasonably be obtained, and the impact of any cultural or legal implications.”

Janczewski led the investigation into the largest dark web child abuse site, which was called Welcome to Video. He is now the head of global investigations at TRM Labs, a blockchain intelligence company. He explained that depending on what country the IRS is working with, there may be different legal procedures to obtain evidence, “but often informal information in real-time is needed in fast moving investigations.”

“In these situations, it comes down to professional relationships, knowing who to call and what to say,” he said.

Apart from the five cyber investigators, the IRS has 11 attaché posts around the world including Mexico, Canada, Colombia, Panama, Barbados, China, Germany, the Netherlands, the U.K., Australia, and the United Arab Emirates.

“These partnerships give CI the ability to develop leads for domestic and international investigations with an international nexus. In addition, attachés provide support and direction for investigations with international issues, foreign witnesses, foreign evidence, or execution of sensitive investigative activities in collaboration with our international partners,” the IRS-CI wrote in its 2022 annual report.

“Attachés also help uncover emerging schemes perpetrated by promoters, professional enablers, and financial institutions. These entities facilitate tax evasion of federal tax obligations by U.S. taxpayers, as well as other financial crimes.”



The IRS is sending four investigators across the world to fight cybercrime by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Hackers claim vast access to Western Digital systems

The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom — of “minimum 8 figures” — in exchange for not publishing the stolen data.

On April 3, Western Digital disclosed “a network security incident” saying hackers had exfiltrated data after hacking into “a number of the Company’s systems.” At the time, Western Digital provided few details about exactly what data the hackers stole, saying in a statement that the hackers “obtained certain data from its systems and [Western Digital] is working to understand the nature and scope of that data.”

One of the hackers spoke with TechCrunch and provided more details, with the goal of verifying their claims. The hacker shared a file that was digitally signed with Western Digital’s code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company’s certificate.

The hackers also shared phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang but went to automated voicemail messages. Two of the phone numbers had voicemail greetings that mentioned the names of the executives that the hackers claimed were associated with the numbers. The two phone numbers are not public.

Screenshots shared by the hacker show a folder from a Box account apparently belonging to Western Digital, an internal email, files stored in a PrivateArk instance (CyberArk’s privileged-credential vault), and a screenshot of a group call where one of the participants is identified as Western Digital’s chief information security officer.

They also said they were able to steal data from the company’s SAP Backoffice, a backend interface that helps companies manage e-commerce data.

The hacker said that their goal when they hacked Western Digital was to make money, though they decided against using ransomware to encrypt the company’s files.

“I want to give them a chance to pay but our callers […] they have called them many times. They don’t answer and if they do they listen and hang up,” the hacker said.

The hacker said they have also emailed several executives — using their personal email addresses because the corporate email system is currently down — demanding a “one-time payment.”

“We are the vermin who breached your company. Perhaps your attention is needed!” the hackers wrote, according to a copy of the email the hackers shared with TechCrunch. “Continue down this path and we will retaliate.”

“We only need a one-time payment, and then we will leave your network and let you know about your weaknesses. No lasting harm has been done. But if there are any efforts to interfere with us, our systems, or anything else. We will strike back,” the hackers continued. “We are still buried in your network and we will keep digging there until we find a payment from you. We can completely conceal this and make it all disappear. Before it is too late, let us do that. Until now, you have been gracious; Let’s hope that you do not keep going the wrong way.”

“Cut the crap, get the money, and let’s both go our separate ways. Simply put, let us put our egos aside and work to find a resolution to this chaotic scenario,” the hackers wrote.

Western Digital spokesperson Charlie Smalling said the company declined to comment or answer questions about the hacker’s claims, such as whether the company could confirm the amount of data stolen, if it included customer data, and whether the company had made contact with the hackers.

The hacker who spoke to TechCrunch declined to specify what kind of customer data they have, how they originally broke into Western Digital’s network, and how they maintained access to the company’s network.

“I can say that we exploited vulnerabilities within their infrastructure and spidered our way to global administrator of their [Microsoft] Azure tenant,” the hacker said.

As for why they hacked Western Digital, the hacker said they just come up with targets “randomly.” They also declined to say anything about themselves or the group, saying they don’t go by any name.

If Western Digital doesn’t get back to them, the hacker said, they are ready to start publishing the stolen data on the website of the ransomware gang Alphv. The hacker said they are not directly affiliated with Alphv but “I know them to be professional.”



Hackers claim vast access to Western Digital systems by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

FBI seizes Genesis Market, a notorious hacker marketplace for stolen logins

U.S. law enforcement agencies have seized Genesis Market, a notorious hacker marketplace used to acquire compromised credentials and digital browser fingerprints.

The takedown, dubbed “Operation Cookie Monster,” has not yet been announced by the FBI, but Genesis Market domains now display a notice stating that the U.S. law enforcement officials have executed a seizure warrant. “Genesis Market’s domains have been seized by the FBI pursuant to a seizure warrant issued by the United States District Court for the Eastern District of Wisconsin,” the message reads.

In addition to the FBI, the notice says the takedown involved law enforcement agencies from the United Kingdom, Europe, Australia, Canada, Germany, Poland and Sweden.

The operation also saw 120 people arrested and 200 searches carried out globally, the U.K.’s National Crime Agency announced on Wednesday. The NCA said it arrested 19 suspected users of the site in the U.K., including two men aged 34 and 36, who are being held on suspicion of fraud and computer misuse.

The FBI also provided data breach notification website Have I Been Pwned with “millions” of email addresses and passwords from the Genesis Market, which internet users can check to see if they were compromised.

TechCrunch contacted Europol, the FBI and the Department of Justice, but has not yet received a response.

Genesis Market has been active since 2017 as an invitation-only online marketplace that sells stolen credentials, cookies, and digital browser fingerprints gathered from compromised systems. These fingerprints, or “bots,” included IP addresses, session cookies, plugins and operating system details, enabling attackers to impersonate victims’ browsers to access their online banking and subscription services, such as Amazon and Netflix, without needing the victim’s password or two-factor token.

Before its shutdown, Genesis claimed that these browser fingerprints would be kept up to date for as long as it retained access to a compromised device.

“In other words, Genesis customers aren’t making a one-time buy of stolen information of unknown vintage; they’re paying for a de facto subscription to the victim’s information, even if that information changes,” Yusuf Arslan Polat, senior threat researcher at Sophos, said in an analysis of Genesis Market last year.
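The Genesis model works because the buyer receives everything a server-side fingerprint check looks at (cookies, user agent, plugins, OS details, often a proxy in the victim’s region), so binding a session to that fingerprint alone does not stop replay. As an added example, not part of the article or of any product it mentions, the Python below shows a session store that binds a cookie both to a login-time fingerprint and to a key that never leaves the device, and then plays three requests against it: the victim’s own browser, a buyer replaying the cookie from their own network, and a buyer replaying it through the victim’s network. The fingerprint inputs, the /24 binding, and the HMAC stand-in for what would really be an asymmetric key in a TPM or secure enclave are assumptions of the example.

```python
"""Session binding versus Genesis-style cookie + fingerprint replay (added example).

Assumptions: the fingerprint inputs and /24 binding are simplifications, and the
device key is an HMAC secret standing in for a non-exportable asymmetric key.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def fingerprint(user_agent: str, accept_language: str, client_ip: str) -> str:
    """Hash of the client attributes a session is bound to at login.

    The IPv4 /24 network is used rather than the exact address so that DHCP churn
    does not log users out; anything coarser is easy for a buyer to match.
    """
    network = ".".join(client_ip.split(".")[:3])
    raw = f"{user_agent}|{accept_language}|{network}".encode()
    return hashlib.sha256(raw).hexdigest()


def device_proof(device_key: bytes, cookie: str, nonce: bytes) -> bytes:
    """Client-side proof of possession of the device key for this cookie and nonce.

    Stand-in for a signature by a hardware-held private key (see lead-in).
    """
    return hmac.new(device_key, cookie.encode() + nonce, hashlib.sha256).digest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}

    def login(self, user: str, fp: str, device_key: bytes) -> str:
        """Issue a cookie bound to the login-time fingerprint and to the device key."""
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = {"user": user, "fp": fp, "device_key": device_key, "nonce": None}
        return cookie

    def challenge(self, cookie: str) -> bytes:
        """Fresh nonce the client must sign; a captured proof cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._sessions[cookie]["nonce"] = nonce
        return nonce

    def authorize(self, cookie: str, fp: str, proof: Optional[bytes]) -> str:
        s = self._sessions.get(cookie)
        if s is None:
            return "deny: unknown session"
        if not hmac.compare_digest(s["fp"], fp):
            return "deny: fingerprint mismatch"
        if s["nonce"] is None:
            return "deny: no challenge issued"
        expected = device_proof(s["device_key"], cookie, s["nonce"])
        s["nonce"] = None  # single use, whether or not the proof checks out
        if proof is None or not hmac.compare_digest(expected, proof):
            return "deny: device proof failed"
        return f"allow: {s['user']}"


def replay_scenarios() -> dict:
    """Play a legitimate request and two cookie replays against the store."""
    store = SessionStore()
    victim_key = secrets.token_bytes(32)  # exists only on the victim's device
    ua, lang, ip = "Mozilla/5.0 (Windows NT 10.0) Firefox/112.0", "en-US", "203.0.113.25"
    cookie = store.login("victim", fingerprint(ua, lang, ip), victim_key)
    results = {}

    # 1. The victim's own browser: matching fingerprint and a valid device proof.
    nonce = store.challenge(cookie)
    results["victim"] = store.authorize(
        cookie, fingerprint(ua, lang, ip), device_proof(victim_key, cookie, nonce))

    # 2. Buyer replays cookie plus cloned UA/language from their own network.
    store.challenge(cookie)
    results["buyer_other_network"] = store.authorize(
        cookie, fingerprint(ua, lang, "198.51.100.9"), None)

    # 3. Buyer routes through a proxy inside the victim's /24, so the fingerprint
    #    matches; only the device key is missing, so the proof is a guess.
    nonce = store.challenge(cookie)
    results["buyer_same_network"] = store.authorize(
        cookie, fingerprint(ua, lang, "203.0.113.77"), device_proof(b"guess", cookie, nonce))
    return results


if __name__ == "__main__":
    for name, outcome in replay_scenarios().items():
        print(f"{name:22s} {outcome}")
```

The third scenario is the one that matters: with fingerprint binding alone it would be allowed, which is exactly the access Genesis sold. Short session lifetimes and re-authentication before sensitive actions narrow the window; only a proof tied to something the malware cannot copy off the device closes it.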

Even up to its seizure, the number of infected devices for sale on the marketplace was growing in size.

“In 2021, over 20,000 new bots a month were being added to the site,” said Cyril Noel-Tagoe, principal researcher at cybersecurity and bot management company Netacea. “The market was temporarily down in the middle of 2022, however despite this, by March 2023, the number of bots available for sale had grown to over 450,000.”

According to reports, the now-defunct marketplace has been linked to millions of financially motivated cyber incidents globally. In June 2021, the hackers who breached gaming giant Electronic Arts claimed to have gained access to the company by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.

“As a result of the Genesis Market’s seizure, we expect to see an exodus of sellers and customers to competitor marketplaces,” Noel-Tagoe tells TechCrunch. “There are multiple other illicit marketplaces selling logs and credentials, although not on the scale of the Genesis Market. Alternatively, if a significant core of the Genesis Market administrators evade law enforcement, they may splinter off and create a new version of the site.”

The takedown of Genesis Market comes just weeks after the FBI gained access to the infamous BreachForums hacking forum and arrested a 20-year-old New York man accused of running the site. It also comes after U.S. law enforcement last year announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information — including Social Security numbers — of millions of Americans.

FBI seizes Genesis Market, a notorious hacker marketplace for stolen logins by Carly Page originally published on TechCrunch

How the FBI caught the BreachForums admin

On Friday, the U.S. Justice Department announced that the now-arrested alleged administrator of the infamous hacking forum BreachForums facilitated the sale and purchase of private information that belonged to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies.”

In a statement, prosecutors confirmed the arrest of Conor Fitzpatrick, 20, aka pompompurin, of Peekskill, New York. Fitzpatrick is charged with one count of conspiracy to commit access device fraud, subject to a maximum of five years in prison if convicted.

In order to prove that BreachForums facilitated the sale and purchase of stolen or hacked data, FBI undercover agents purchased five sets of data: one of data stolen from an unnamed U.S. internet hosting and security services company, which contained names, addresses, phone numbers, usernames, password hashes, and email addresses for approximately 8,000 customers, as well as payment card information for 1,900 customers; another dataset stolen from an unnamed U.S. based investment company, containing at least 5 million email addresses; one containing the private information of “large numbers of U.S. persons,” including full names, email addresses, phone numbers, home addresses, birthdates, Social Security Numbers, driver licenses’ numbers, bank names, routing numbers, and account numbers; another from the same seller, which contained private information and bank account information of around 15 million U.S. persons; and one other set of data taken from a U.S. healthcare company.

The feds collected several pieces of evidence to nab Pompompurin. First they got the IP addresses that Pompompurin used to access RaidForums, the predecessor of BreachForums, which was seized by the FBI in April 2022. Nine of those IP addresses were associated with Fitzpatrick, according to his internet service provider Verizon, as FBI Special Agent John Longmire wrote in the affidavit dated March 15, two days before Fitzpatrick’s arrest.

The second piece of evidence came, in a spectacular snafu on the hacker’s part, from Pompompurin himself, Longmire wrote. In a chat with the RaidForums admin, Pompompurin said he noticed a data breach posted on the site did not include “one of my old emails,” which he looked up on the legitimate data breach notification site Have I Been Pwned.

Even though Pompompurin then said “(I don’t want to share my actual email for obvious reasons, but this email seems to have the same case as mine): conorfitzpatrick02@gmail.com,” the agent wrote in the affidavit that that email address was indeed Pompompurin’s, because the FBI obtained records from Google showing that Fitzpatrick registered that address months before that chat. The alleged hacker also had Google Pay accounts linked to both that email address and a newer one, “conorfitzpatrick2002@gmail.com,” both linked to a phone number owned by Fitzpatrick, according to the affidavit.

Furthermore, the agent wrote that he obtained more records from Google, which showed conorfitzpatrick2002@gmail.com had a recovery email address, funmc59tm@gmail.com, linked to an IP address registered to someone with the last name Fitzpatrick and a different phone number, which the agent said he believed belonged to Fitzpatrick’s father.

Then, according to the affidavit, Pompompurin used several VPNs to connect to his Gmail account, some of which overlap with his activity elsewhere on the internet.

The agent also said that the FBI obtained records from cryptocurrency exchange Purse.io. The company’s records revealed that four of the IP addresses used to connect to the exchange were also used to connect to the conorfitzpatrick2002@gmail.com Gmail account and Pompompurin’s RaidForums account. Moreover, that Purse.io account was registered with the name Conor Fitzpatrick and the email address “conorfitzpatrick2002@gmail.com,” the affidavit said.

Those four IP addresses, according to the agent, were owned by VPN providers which Pompompurin also used to connect to the “conorfitzpatrick2002@gmail.com” account.

Another VPN IP address was also used to log into a Zoom account under the name “pompompurin” associated with a Riseup email address also used to register his RaidForums account, according to the affidavit.

Records from Purse.io also showed that Fitzpatrick’s account purchased “several items” and shipped them to his address with the phone number the feds had already established was his. Also, seven of the nine IP addresses used to connect to Purse.io were also used to connect to Pompompurin’s account on RaidForums. And, finally, the Purse.io account “was funded exclusively by a Bitcoin address that Pompompurin had discussed in posts on RaidForums,” per the affidavit.

The evidence does not stop there. In a database of RaidForums forum activity, the feds saw that Pompompurin accessed his account from an IP address registered to Fitzpatrick’s father at the same home address previously identified by the authorities, according to the affidavit.

That same IP address was used to access an iCloud account associated with Fitzpatrick, Longmire wrote in the affidavit.

Moreover, Longmire noted that the accounts with the handle Pompompurin on RaidForums and BreachForums were likely owned by the same person, as Pompompurin wrote in a post on BreachForums: “if you used RaidForums you most likely remember me, I was one of the more active users on there,” and the new Pompompurin account on BreachForums “alluded to past activity by the pompompurin account on RaidForums.”

Finally, Longmire wrote that the FBI obtained a warrant to get Fitzpatrick’s real-time cell phone GPS location from Verizon, allowing agents to observe that Pompompurin was logged in to BreachForums while his phone’s location showed he was at his home.

The feds also surveilled Fitzpatrick at his home while agents noted Pompompurin’s account was active on the forum.

This trove of evidence allowed law enforcement to obtain a warrant to search Fitzpatrick’s house, where he agreed to speak to the agents and “admitted that he is the user of the pompompurin account,” and that “he owns and administers BreachForums and previously operated the pompompurin account on RaidForums.”

The FBI did not immediately respond to a request for comment. Fitzpatrick’s lawyer also did not respond to a request for comment.

Ironically, Fitzpatrick may have thought this day would come when he launched BreachForums. In an interview on the Data Knight website, the interviewer asked him: “Don’t you think that there’s a reason that the FBI took down RaidForums? Why would you want to bring it back up knowing that you may face that same fate whatever it [may be].”

Pompompurin responded: “It doesn’t really bother me. If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me.”

The Justice Department said in its Friday statement that it had also “conducted a disruption operation that caused BreachForums to go offline.” When reached for comment, DOJ spokesperson Joshua Stueve declined to elaborate. At the time of publication, BreachForums was inaccessible, displaying an error saying “bad gateway,” but the domain still appeared to be in the control of the site’s current administrator.

Following the Justice Department’s announcement of Fitzpatrick’s arrest, the person who took over from him, known as Baphomet, announced they would shut down the forum.

On Friday, after the affidavit was circulated online, Baphomet wrote a message on a Telegram channel, saying “the most important thing right now of our community is to be aware that the FBI is now confirmed to have access to the Breached database,” and, “at this point the entire document will clearly show what I’ve said for the entirety of my time on Breached, and that you shouldn’t trust anyone to handle your own OPSEC. I never made this assumption as an admin, and no one else should have either.”

That’s why, Baphomet added, “simply piling everyone back into the same community without any thought of how we properly move forward safely is basically a death trap.”


Do you have information about BreachForums? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

How the FBI caught the BreachForums admin by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

How the FBI caught the BreachForums admin

On Friday, the U.S. Justice Department announced that the now-arrested alleged administrator of the infamous hacking forum BreachForums facilitated the sale and purchase of private information that belonged to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies.”

In a statement, prosecutors confirmed the arrest of Conor Fitzpatrick, 20, aka pompompurin, of Peekskill, New York. Fitzpatrick is charged with one count of conspiracy to commit access device fraud, subject to a maximum of five years in prison if convicted.

In order to prove that BreachForums facilitated the sale and purchase of stolen or hacked data, FBI undercover agents purchased five sets of data: one of data stolen from an unnamed U.S. internet hosting and security services company, which contained names, addresses, phone numbers, usernames, password hashes, and email addresses for approximately 8,000 customers, as well as payment card information for 1,900 customers; another dataset stolen from an unnamed U.S.-based investment company, containing at least 5 million email addresses; one containing the private information of “large numbers of U.S. persons,” including full names, email addresses, phone numbers, home addresses, birthdates, Social Security Numbers, driver’s license numbers, bank names, routing numbers, and account numbers; another from the same seller, which contained private information and bank account information of around 15 million U.S. persons; and one other set of data taken from a U.S. healthcare company.

The feds collected several pieces of evidence to nab Pompompurin. First, they got the IP addresses that Pompompurin used to access RaidForums, the predecessor of BreachForums, which was seized by the FBI in April 2022. Nine of those IP addresses were associated with Fitzpatrick, according to his internet service provider Verizon, as FBI Special Agent John Longmire wrote in the affidavit dated March 15, two days before Fitzpatrick’s arrest.

The second piece of evidence, in a spectacular snafu on the hacker’s part, came from Pompompurin himself, Longmire wrote. In a chat with the RaidForums admin, Pompompurin said he noticed a data breach posted on the site did not include “one of my old emails,” which he looked up on the legitimate data breach notification site Have I Been Pwned.

Even though Pompompurin then said “(I don’t want to share my actual email for obvious reasons, but this email seems to have the same case as mine): conorfitzpatrick02@gmail.com,” the agent wrote in the affidavit that that email address was indeed Pompompurin’s, because the FBI obtained records from Google showing that Fitzpatrick registered the address months before that chat. The alleged hacker also had Google Pay accounts linked both to that email address and to a newer one, “conorfitzpatrick2002@gmail.com,” both linked to a phone number owned by Fitzpatrick, according to the affidavit.

Furthermore, the agent wrote that he obtained more records from Google, which showed conorfitzpatrick2002@gmail.com had a recovery email address, funmc59tm@gmail.com, linked to an IP address registered to someone with the last name Fitzpatrick and a different phone number, which the agent said he believed belonged to Fitzpatrick’s father.

Then, according to the affidavit, Pompompurin used several VPNs to connect to his Gmail account, some of which overlapped with his activity elsewhere on the internet.

The agent also said that the FBI obtained records from cryptocurrency exchange Purse.io. The company’s records revealed that four of the IP addresses used to connect to the exchange were also used to connect to the conorfitzpatrick2002@gmail.com Gmail account and Pompompurin’s RaidForums account. Moreover, that Purse.io account was registered with the name Conor Fitzpatrick and the email address “conorfitzpatrick2002@gmail.com,” the affidavit said.

Those four IP addresses, according to the agent, were owned by VPN providers which Pompompurin also used to connect to the “conorfitzpatrick2002@gmail.com” account.

Another VPN IP address was also used to log into a Zoom account under the name “pompompurin” associated with a Riseup email address also used to register his RaidForums account, according to the affidavit.

Records from Purse.io also showed that Fitzpatrick’s account purchased “several items” and shipped them to his address with the phone number the feds had already established was his. Also, seven of the nine IP addresses used to connect to Purse.io were also used to connect to Pompompurin’s account on RaidForums. And, finally, the Purse.io account “was funded exclusively by a Bitcoin address that Pompompurin had discussed in posts on RaidForums,” per the affidavit.

The evidence does not stop there. In a database of RaidForums forum activity, the feds saw that Pompompurin accessed his account from an IP address registered to Fitzpatrick’s father at the same home address previously identified by the authorities, according to the affidavit.

That same IP address was used to access an iCloud account associated with Fitzpatrick, Longmire wrote in the affidavit.

Moreover, Longmire noted that the accounts with the handle Pompompurin on RaidForums and BreachForums were likely owned by the same person, as Pompompurin wrote in a post on BreachForums: “if you used RaidForums you most likely remember me, I was one of the more active users on there,” and the new Pompompurin account on BreachForums “alluded to past activity by the pompompurin account on RaidForums.”

Finally, Longmire wrote that the FBI obtained a warrant to get Fitzpatrick’s real-time cell phone GPS location from Verizon, allowing agents to observe that Pompompurin was logged in to BreachForums while his phone’s location showed he was at his home.

The feds also surveilled Fitzpatrick at his home while agents noted Pompompurin’s account was active on the forum.

This trove of evidence allowed law enforcement to obtain a warrant to search Fitzpatrick’s house, where he agreed to speak to the agents and “admitted that he is the user of the pompompurin account,” and that “he owns and administers BreachForums and previously operated the pompompurin account on RaidForums.”

The FBI did not immediately respond to a request for comment. Fitzpatrick’s lawyer also did not respond to a request for comment.

Ironically, Fitzpatrick may have thought this day would come when he launched BreachForums. In an interview on the Data Knight website, when the interviewer asked him: “Don’t you think that there’s a reason that the FBI took down RaidForums? Why would you want to bring it back up knowing that you may face that same fate whatever it [may be].”

Pompompurin responded: “It doesn’t really bother me. If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me.”

The Justice Department said in its Friday statement that it had also “conducted a disruption operation that caused BreachForums to go offline.” When reached for comment, DOJ spokesperson Joshua Stueve declined to elaborate. At the time of publication, BreachForums was inaccessible, displaying an error saying “bad gateway,” but the domain still appeared to be in the control of the site’s current administrator.

Following the Justice Department’s announcement of Fitzpatrick’s arrest, the person who took over from him, known as Baphomet, announced they would shut down the forum.

On Friday, after the affidavit was circulated online, Baphomet wrote a message on a Telegram channel, saying “the most important thing right now of our community is to be aware that the FBI is now confirmed to have access to the Breached database,” and, “at this point the entire document will clearly show what I’ve said for the entirety of my time on Breached, and that you shouldn’t trust anyone to handle your own OPSEC. I never made this assumption as an admin, and no one else should have either.”

That’s why, Baphomet added, “simply piling everyone back into the same community without any thought of how we properly move forward safely is basically a death trap.”


Do you have information about BreachForums? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

How the FBI caught the BreachForums admin by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Notorious hacking forum shuts down after administrator gets arrested

Last week, the FBI arrested a man alleged to be “Pompompurin,” the administrator of the infamous and popular Breach Forums. Days after the arrest, the cybercrime website’s new administrator announced that they are shutting down the forum for good.

“Please consider this the final update for Breached,” the new admin, known as “Baphomet,” wrote in the official Telegram channel. “I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.”

The new administrator Baphomet did not respond to our request for comment.

The apparent end of Breach Forums comes roughly a year after a coalition of international law enforcement agencies led by the U.S. Department of Justice seized RaidForums, another notorious cybercrime forum where hacked databases would be advertised and sold. Breach Forums was born in the aftermath of RaidForums’ demise, and served pretty much the same purpose and audience.

“I want to make it clear, that while this initial announcement is not positive, it’s not the end. I’m going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all,” Baphomet wrote. “Ggive (sic) me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.”

In an attached message, which was signed with Baphomet’s PGP key to prove it was genuinely written by them, they wrote that they were able to confirm that the authorities have access to Pompompurin’s machine.

Baphomet explained that while they were migrating the forum’s servers, they found that someone had logged into one of the servers before they did.

“Unfortunately this likely leads to the conclusion that someone has access to Poms machine. Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to login. I now feel like I’m put into a position where nothing can be assumed safe, whether its our configs, source code, or information about our users – the list is endless,” Baphomet wrote. “This means that I can’t confirm the forum is safe, which has been a major goal from the start of this shitshow.”

The feds accuse Conor Brian Fitzpatrick of being Pompompurin, who faces charges in New York as well as in the Eastern District of Virginia. Fitzpatrick is accused of conspiracy to commit access device fraud.

On Monday, three days after Fitzpatrick’s arrest and before they found that someone had accessed one of the servers, Baphomet announced they were migrating the forum’s servers to keep Breach Forums alive.

That plan is no longer in motion, but Baphomet said this is not the end.

“As for what this means now, It’s complicated. Unlike when other communities go down and everyone scatters, stupidly I will still be around,” they wrote.

“While the community of Breached will die, I’m going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I’m hoping to work with some of those people to build a new community, that will have the best features of Breached, while reducing the attack surfaces we never properly addressed. As with things like this, I have no doubt our userbase may be absorbed by another community but if there is patience then I hope to bring something back that will rival any other community that can take our place.”


Notorious hacking forum shuts down after administrator gets arrested by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Police shut down dark web crypto laundering service linked to FTX hack

An international coalition of law enforcement agencies announced on Wednesday that it had taken down the popular dark web crypto laundering service ChipMixer, seizing more than $46 million in crypto and terabytes of server data.

The service was used last year, for example, by the attacker who stole funds from the now-failed crypto exchange FTX, as well as by several ransomware groups.

“The platform and the criminal content have been seized,” ChipMixer’s website now reads.

“The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud,” Europol wrote in a press release. “Deposited funds would be turned into ‘chips’ (small tokens with equivalent value), which were then mixed together – thereby anonymizing all trails to where the initial funds originated.”

ChipMixer launched in mid-2017 and, according to Europol, it was allegedly used to facilitate the laundering of 152,000 Bitcoins, worth almost $25 million.

The service was popular with hackers, as it was used by ransomware groups such as LockBit, Mamba, and SunCrypt, according to Europol.

The operation was coordinated by Europol working with Belgium’s Federal Police; Germany’s Federal Criminal Police Office and General Prosecutors Office Frankfurt-Main; Poland’s Central Cybercrime Bureau; Switzerland’s Cantonal Police of Zurich; and, in the U.S., the Federal Bureau of Investigation and ICE Homeland Security Investigations.


Police shut down dark web crypto laundering service linked to FTX hack by Lorenzo Franceschi-Bicchierai originally published on TechCrunch