Darknet DDoSer Does Damage to Dread

July 15, 2019 • Zane Pokorny

Criminal markets on dark web forums are the online version of a bad neighborhood, complete with sellers, buyers, and people who make their living connecting those groups. They tend to be self-policing, and so when an individual discovers a fundamental flaw in the technical foundation of the community and then decides to take advantage of that flaw to hold entire markets for ransom, that tends to get people’s attention. It’s a high-stakes game.

Daniel Byrnes is a senior threat intelligence analyst with Recorded Future’s Insikt Group, and he found himself on a journey down a dark web rabbit hole to try to make sense of the situation.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 116 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Criminal markets on dark web forums are the online version of a bad neighborhood, complete with sellers, buyers, and people who make their living connecting those groups. They tend to be self-policing, and so when an individual discovers a fundamental flaw in the technical foundation of the community and then decides to take advantage of that flaw to hold entire markets for ransom, well that tends to get people’s attention. And it’s a high stakes game.

Daniel Byrnes is a senior threat intelligence analyst with Recorded Future’s Insikt Group and he found himself on a journey down a dark web rabbit hole to try to make sense of the situation. Stay with us.

Daniel Byrnes:

There are a few things I hate in this industry and that’s hate with a capital H, and first in line on that list is the Tor dark net marketplaces. They’re the worst. It’s just a bunch of drug dealers and low-level fraudsters. It’s nothing like the high level Russian places where you have complicated pieces of banking Trojans and ransomware affiliate programs and international organized crime. So every Tor dark net market is the same. It’s just a bunch of guys selling a bunch of drugs to a bunch of people who want drugs.

The unfortunate part about what I do is we need to keep a presence on as many criminal forums as possible. I mean, the goal is all of them so we have complete visibility into everything that goes on, because just because it’s a low level forum, if something big happens, you want to be on it. You can’t go to a client or your boss and say, “Yeah, it was a big giant impactful cyber event. But it wasn’t on a very prestigious forum, so we ignored it.” That doesn’t fly. So you have got to be everywhere.

Dave Bittner:

And so this is sort of the online equivalent of a bad neighborhood?

Daniel Byrnes:

Yeah. I mean Tor is just … Anyone can use Tor, all it requires is a browser. All the criminal marketplaces on Tor are pretty much cookie cutter. So it just … It attracts the non-technical crowd. And the non-technical crowd is not interesting for the most part. The DEA is all about it. I’m sure they find it very interesting. But from an analyst perspective, it’s kind of an eye roll.

Dave Bittner:

And just a quick description for folks who may not be familiar with it. What’s going on with Tor?

Daniel Byrnes:

So Tor really hasn’t changed much. Silk Road, AlphaBay, the real deal. And they used the name dark net, which I’m kind of adopting. So all of the Tor miscreants refer to the Tor criminal marketplaces hosted on hidden services sites, onion sites, as the dark net. So when I say dark net, that’s specifically what I’m referring to. So the state of the Tor dark net marketplace is pretty much where it was way back.

So you have Dream Market, which went down, Wall Street Market, which went down, you still have … What’s popular now? You still have Nightmare Market and things like that. They’re all pretty much the same format, and they attract the same buyers, they have automated escrow, you can get any drug known to man, and there’s some also low-level technical stuff like people reselling source code that they bought for some ransomware, banking Trojan, or bot. You can get your low valid credit cards or CVVs and some of the basic more popular hacker stuff, and your fraud guides for bypassing two-factor authentication.

It’s pretty much the same thing everywhere you go. Whereas the Russian forums you’ll go to your … I have a few favorite forums. And every time you log in, you never know what you’re going to find. It’s like, “Oh, that’s new and that’s interesting. And this guy’s new and let’s look into …” But it’s, yeah, like you said, it’s cookie cutter with the Tor criminal dark net sites, unfortunately.

Dave Bittner:

And it’s really a case of supply and demand that there’s a market for these illicit items. And so as soon as one goes down, another pops up?

Daniel Byrnes:

Yeah, I forget where I … This might’ve been on Reddit, but there’s one guy he said, and I quote, “I just want my drugs mate.” And that sums up the dark net in a nutshell.

Dave Bittner:

Okay, got it. All right, well, so let’s dig into some of the details of what we’re talking about here specifically.

Daniel Byrnes:

Back to the very beginning. So we get a request from some person in the company and they want to know about … There’s a newish, newish dark net market. It’s called Nightmare Market. And some people wanted to know what’s Nightmare and what’s it going to be like and who’s migrated over there, because this is around the time Dream Market went down. So there was a mass exodus and a large collection of people who needed to sell their narcotics and where’s elsewhere? So I’m like, okay, I go to deep.web and I grab the onion domain and I try to log in to Nightmare and the site won’t load. I’m like, “Okay, that’s unfortunate.” And then I try the other mirrors, none of it works. I try to go to the forum, the forum’s down. Like okay, I’m going to hop onto some other Tor dark net marketplaces and maybe there’s some chatter around this.

So I think I tried to access Empire and then I tried to access Wall Street. Everything was down and I’m like, “What is going on?” So then I just jumped and I just start Googling it. I’m like, “Why is Nightmare down? Why is Empire down? Why is Wall Street down?” And I end up on Reddit of all places and I didn’t realize Reddit was still a popular medium for discussion around the dark net. I know it used to be popular and then they shut down the subreddit, what was it called? It was like dark net markets or something like that. I forget what it was. But Reddit shut it down. So they opened a new one and on that new one there was all this discussion and conspiracy theories, the government’s DDoSing these sites, they’re exit scams.

But then one gentleman stood out, and this guy is one of my favorite hackers of all time. He is a gentleman and a scholar. He’s well spoken. He uses commas in the right place. His name is Hugbunter and Hugbunter is the official host of the dark net underworld. He knows everybody, he knows all the admins. He has firsthand access to all the gossip and he operates a Tor message board called Dread. And Dread was also new to me. So I hopped onto Dread after discovering Hugbunter and there I found my answer.

And my answer was this little miscreant now called Ruskin, who also goes by the moniker Here You Go, also Here You Go Again, when Here You Go was banned. And this gentleman, he, back in I think March, he posted on Dread that, “Hey, I’m the guy who took down Dream. I’m the guy who’s still attacking Dream,” and everyone’s like, “Yeah, sure, whatever.” But then he proved it and he’s like, “I’m going to turn off my DDoS attack at this time and I’m going to resume it at this time.” And then he did it and then members started to go, “Oh, this is legitimate.” And I thought Dream was down because … Do you remember Gnosticplayers who was releasing all those databases on Dream?

Dave Bittner:

Yep.

Daniel Byrnes:

Yeah, I thought whenever a big newsworthy thing happens on a dark net forum, everybody rushes to it. You have all the reporters, you have all the researchers, you have all the curious cybercriminals and everyone in between and their mother. So I thought Dream was down just because it was getting too much press. Little do I know it was being extorted by our friend Ruskin or Here You Go, or Here You Go Again.

He had found a bug or a vulnerability or just a misuse of the circuit building mechanism for Tor and how Tor handles … How it connects a Tor user to a Tor hidden service or an onion domain. And with this vulnerability, our friend Ruskin was able to, with minimal resources, take down any dark net market site he wanted to. And when I say minimal resources, I mean according to him it was a few lines of code and a VPS server. And when I say a few lines of code, I mean like hundreds of lines of code, but you know what I mean?

That was a colloquialism I guess. So he was extorting Dream. Apparently he wanted a substantial amount of money. The admin of Dream, Speed Stepper, wanted nothing to do with it, refused to pay, and decided to close the market instead of dealing with any of this. So our friend then pivoted to other markets and he was talking about this on Dread. The Dread admins or the moderators tried to ban him. And when they banned him, they banned his first username, which was Here You Go. So they banned Here You Go. And what do you think he did?

Dave Bittner:

Well, I suspect he popped up as someone else, or did he DDoS them?

Daniel Byrnes:

Yep, he DDoSed Dread.

Dave Bittner:

I was thinking too small.

Daniel Byrnes:

He was like, “You want to play that game, we can play that game.” And then so Dread goes bye-bye. So then he stops the DDoS and says, “Hey, I’m going to come back to Dread. I recommend you don’t ban me again.” And Hugbunter, the creator and admin of Dread, was like, “Okay, we’re not banning him. In fact, let’s not irritate him at all. Let’s just let him do his thing. Let the drama unfold.”

So then he turns his cannon on some other markets. And this is the month that Wall Street Market really had a bad few events. So Wall Street Market, one of the most popular markets, they’re sitting pretty, they’re selling their drugs, they’re making their commission on every sale. And so our friend Ruskin decides to do the same extortion attempt on them. This time he succeeds though. Wall Street Market coughs up $40,000 allegedly. This is the gossip, but this is the gossip coming from my favorite friend Hugbunter, so I believe it.

Dave Bittner:

And Hugbunter has the reputation. I mean, this is a guy who knows things and knows people, and if you need something, he’s a gentleman that can make connections.

Daniel Byrnes:

Yeah, yeah. Hugbunter, he operates, not only does he operate Dread, but he seems to know all the admins of the other dark net marketplaces. He builds dark net marketplaces complete with bitcoin escrow service. The price tag on that starts at $5,000. He operates penetration testing services and bug hunting services. I’m guessing that’s where he got his username from. So yeah, he is the man about town. And so when Hugbunter says, “Yeah, they coughed up 40 grand,” I believe it.

Dave Bittner:

Now this ability of our adversary to take down these forums. Is this because the forums are using the same types of systems or is this a fundamental issue with Tor?

Daniel Byrnes:

No, yeah, this is a fundamental issue with Tor. And the funny thing is one of our miscreant friends popped up on the Tor Trac website where you can complain to all the Tor devs and submit bugs. And this guy who was called Pigeon, and I think he’s one of the moderators from Dread, don’t quote me on that, but he said, “Hey guys, I operate a dark net message board and we’re getting clobbered with this DDoS attack and we don’t know what to do about it.” And the thread went on and on and on and the Tor devs were able to reproduce the attack and identify the bug and the Tor devs dubbed it the “introduce to DDoS attack” and so that’s how I refer to it. And again, that just, it exploits the circuit building mechanism for Tor. And all an attacker needs is the domain, that onion domain, when they have that, they could take down the service. There’s nothing else they need. They don’t need a true IP or an understanding of how the market or the website works. They essentially, they just need a name and then it’s gone.

Dave Bittner:

And at this point was our adversary … Before this research had happened among the Tor folks, he was the person sitting pretty, the only person sitting on this exploit, we think?

Daniel Byrnes:

As far as I know. I can’t really speak to that, but he was the only person I’ve seen using it. And with such an effect, I mean he could be the mastermind behind it, but I can’t speak for sure. I hope he is. This is my favorite dark web drama. This one wins.

Dave Bittner:

Well it’s interesting because there’s no honor among thieves here. I mean, you’ve got bad guys, I guess, going after the bad guys and gals. And it’s interesting the swagger that he had, because it’s not like he’s not setting himself up to be a target here and motivating folks who are willing to do bad things to put a mark on his back.

Daniel Byrnes:

We’ve always been saying hackers aren’t some guy in some basement with a hoodie on and hacking throughout the night. They’re usually older, more professional. They like money and nice things type people. Well, Ruskin, in my opinion, he is one of those hackers in a basement somewhere with a hoodie on. And he reminds me more of the Joker from The Dark Knight. He is much more interested in spreading chaos than he is actually getting paid. In fact, I have seen him say, “I don’t really care if I make money from this, I’m going to do it anyways.” And he’s a peculiar individual. His English is pretty good and he’s a native Russian speaker and I’m guessing he’s located somewhere in the former Soviet bloc. But again, I’m not sure. He’s really got that Joker mentality of just wanting to watch the world burn. And if he makes a little money on the side that’s fine. But he’s really enjoying the process. So I’ve never seen a threat actor quite like him.

Dave Bittner:

Now, so what happens next? The folks who are in charge of keeping track of Tor, they’re aware of this. They isolate what it is. Do we push out some patches?

Daniel Byrnes:

That is the plan and the ticket submitted by our friend Pigeon is 29607 for people who want to pay attention to this. The Tor devs have, from what I understand, made this a priority. It has received funding from persons unknown. So someone has given them money to help fix this problem. One of the posts on Dread was, “Hey guys, if …” I forget who posted this, but someone said, “Hey guys, we need to fix this problem. Please donate to the Tor project.” So they’re getting some money out of this, which is I guess good.

Dave Bittner:

And I mean, to be clear, there are other reasons for using Tor other than just these dark web markets.

Daniel Byrnes:

Yes.

Dave Bittner:

So are there any legitimate businesses that have found themselves victims of this as well?

Daniel Byrnes:

No. And I’m a little surprised there haven’t been, but I think this speaks to our attacker’s incentive and what he thinks is going to get him paid and what he thinks is going to, or what does entertain him. He maintains a presence on the very places he attacks. He likes to be able to watch the public reaction. He reads the threads of the people complaining about him, the response to them. I mean this is as much a social engagement forum as a cyberattack, and this is my amateur psychologist’s opinion, but there’s serious engagement here. So I think if he attacked some other company or he went after journalists or something different, I don’t think he would get the same, the gratification wouldn’t be the same. My opinion.

Dave Bittner:

Yeah. This is his 15 minutes of fame.

Daniel Byrnes:

Could be longer than that.

Dave Bittner:

Yeah. Well, but because I can’t help but wonder, what are the odds that this person would find themselves sitting on something comparable to this a second time.

Daniel Byrnes:

Yeah, this is a trump card. At one point … He was, he still is selling the source for this vulnerability and his DDoS attack method. I think it’s public knowledge now if I’m not mistaken, I think some other miscreants have picked it up and are using it. But he was selling it for $280,000, 50 bitcoin at the time. And that’s … No one’s going to pay that in the criminal underground. Well some people could, but probably not. But what it would be advantageous to would be to a nation state where that kind of money is a drop in the bucket and if they wanted to take anything Tor offline, well $280,000 isn’t that much to ask to do so. And he actually, he made a joke in another forum. Ruskin said, “I’ll offer a discount to the Russian Security Services.” I don’t think he’s kidding. I’ve seen actors say that before and they’re serious. So who knows.

Dave Bittner:

Now what is the social backlash among other members of the community who are going about their business? Are they all yelling and screaming, coming out after this individual with the torches and pitchforks?

Daniel Byrnes:

Dave, I can say with high confidence that these people are not happy. They are disconcerted. Oh yeah. Death threats. Every nasty word in the book and on the Internet is being thrown his way, but there’s nothing they can do. I mean, the reality of the situation, if this person was ever outed and his true identity was ever found, he is disrupting the business of a lot of drug dealers. Those are not the people you want to irritate, because those consequences will be kinetic and not cyber. If you know what I mean.

Dave Bittner:

Yeah. I mean, to your point that there’s a non-zero chance that this is some naive person who stumbled across something, sitting in their basement, who hasn’t really thought through the potential implications of what they’ve done. That’s a real possibility.

Daniel Byrnes:

Yeah. However, Ruskin … His opsec is good. He maintains very little presence on the web. He only posts what he … He used a Jabber account, but it’s the Jabber account he put out because he wants people to contact him so they can negotiate the extortion ransom. Other than that, the guy is pretty much a ghost. I’ve seen him a few other places, but I know nothing else about him.

Dave Bittner:

So in terms of other folks of … Your customers, the folks that you’re out there protecting, I mean is this pretty much a contained kerfuffle? Is this something that folks should keep their eye on? I guess the fundamental reliability of Tor could be an issue.

Daniel Byrnes:

We’ve had some clients that are asking, “Well why don’t you have visibility into this? Or why don’t you have visibility into that market?” And the answer is, “Look, we can’t access them. They’re down.” So the client goes, “Okay, that makes sense.” So Ruskin’s doing us a good … I mean, it’s all about destroying, disrupting, or degrading the enemy infrastructure. The end goal of threat intelligence is to provide information to do just that and to protect the client. Ruskin is doing a pretty good job at that for us. He’s doing a lot of the disruption. We’re not even paying him.

Dave Bittner:

Now, help me understand it. As someone who’s never poked around on these sorts of forums, is there any sort of vetting process before anyone can go in and have a look around?

Daniel Byrnes:

No. It’s Tor. Tor does not have the most … No one’s picky on Tor. Dark net marketplaces are not particular. They let anybody in. A lot of the Russian speaking forums and even some of the older English speaking forums before they were shut down were private or there was a paywall, you needed to pay a certain amount of bitcoin to get on, or you had to be recommended by at least two people. Stuff like that, but Tor is just … Tor is about quantity. The dark net markets want to sell as many drugs as possible and they don’t care who they send them to. So yeah, different mindset.

Dave Bittner:

Our thanks to Daniel Byrnes for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
