Opsec oversights: How cybercrooks get themselves caught
The Register

They say that success breeds complacency and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that.

In these cases, failure might mean the criminal doesn't get access to the server with the most valuable data to copy, or fails to trick any of the victim org's staff members into executing a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts, the type that leads police to their doors.

After the recent arrest of Kai West, a 25-year-old Brit, in connection with the IntelBroker case, the FBI's indictment seems certain to become an example of how not to cover one's tracks.

According to the US authorities, who allege West is the notorious data thief IntelBroker, between 2023 and 2025 the online attacker caused around $25 million worth of damage to the companies he and his friends breached.

US authorities are seeking to extradite the man following his February arrest in France.

In total, West is accused of seeking to collect at least $2 million from sales of company data during that same period. A small chunk of that sum, $250, belongs to federal investigators and was used to track him down.

In January 2023, they purchased the data belonging to one of IntelBroker's recent victims at the time and tracked the Bitcoin transaction to a wallet that police claim their suspect, West, controls.

They think this because, down the line, the funds passed through accounts for which West had completed know-your-customer (KYC) checks with his real identity documents.

The indictment claims a Coinbase account was found with his provisional driver's license attached to it, as well as a Ramp account registered to Kai West with his date of birth and home address in the UK.

Another recent example to add to the list is the case of Nicholas Kloster, who just last week pleaded guilty to charges unsealed last year.

Kloster's three-month Missouri crime spree was completely outshone by his apparent nonchalance about maintaining his digital anonymity.

His methodology is a real head-scratcher. Kloster's offences on paper include breaking and entering and unauthorized computer access, but some might say the real crime was his apparent disregard for basic opsec.

For starters, within a month of being hired by a new company, he used the company credit card to make various personal purchases, including a thumb drive advertised as a hacking tool.

He also allegedly broke into a health club after working hours, caused around $5,000 worth of damage to its security camera system, and used that in a bid to secure employment as a security professional.

According to the complaint, he used his current employer's email account, the one tied to his real identity, to email the health club details of exactly what he did to the security system, and to send a resume for good measure.

He presumably did this to flaunt his expertise as a means to convince the health club that he knew his stuff. Posting the club's camera feeds to social media shortly after probably did not help matters, though.

Hector Monsegur, aka Sabu, leader of the LulzSec crime ring responsible for attacks on Sony Pictures, Fox, PBS, Bethesda and more, only messed up once. But with a rap sheet as high-profile as this, even a single slip-up can be one's undoing.

Usually watertight when it comes to opsec, Monsegur crucially failed to use Tor to log into a chatroom used by LulzSec less than a week after one of the group's most high-profile attacks, one on a website affiliated with the FBI.

Monsegur warned members to be extra vigilant as regards security, then fell short of his own usual standards himself mere days after.

A former member of Anonymous, Monsegur received a lenient sentence in exchange for his quick agreement to become an FBI informant. The information he supplied led to the arrests of four additional members of LulzSec.

Names like NSO Group and Paragon have become synonymous with spyware over the last decade, but the market for non-commercial packages remains alive and well.

That market is served by the likes of Zachary Shames, who is thought to have made in excess of $100,000 from his award-winning high school programming project, Limitless Logger.

It was researchers at Trend Micro who tipped off the FBI to Shames' exploits, in both senses of the word. They had been tracking Mephobia, the alias distributing Limitless Logger to over 16,000 PCs, for some time.

According to available information, Shames didn't make many huge errors for a long time, but the diligent cybercrime investigators scooped up small nuggets of information to weave a much larger picture.

Over time, Trend pieced together small details divulged by Shames while using his Mephobia alias to tie him to PayPal, Skype, GitHub and other accounts.

However, the killer blow came after he included his real name in various forum posts made under the Mephobia alias. From there, the name was used to unearth other accounts linked to Shames, which in turn were linked to Mephobia accounts. He pleaded guilty to aiding and abetting computer intrusions in 2017.

Like others in this list, the Canadian co-founder of AlphaBay, which in its heyday was the largest dark web drug marketplace of its kind, was typically sound when it came to opsec, but one alleged early failing may have led to his capture.

Cazes was arrested at his Phuket home in 2017 after investigators got hold of a message sent to new AlphaBay users in 2014 which contained his personal email address.

That message was displayed to new registrants and in password reset emails for a brief time, likely before a formal investigation into AlphaBay began. Given this was the only indicator of the co-founder's identity, it marked a huge breakthrough in the FBI's case.

From there, they found other accounts linked to the same email address and, ultimately, Cazes' real identity.

He was arrested in 2017, and an examination of an open laptop at his residence found keys to AlphaBay and its admin portal. Cazes died while in custody shortly after being detained.

Finishing off the list is fellow dark web drug lord Ross Ulbricht, who was kindly pardoned by President Trump earlier this year after being sentenced to life in 2015, and can now be seen on social media making the most of his newfound freedom.

Ulbricht ran Silk Road, the first major drug marketplace of its kind, and while his opsec failings were more basic than his peers', they led to the arrest of arguably the US's most high-profile cybercriminal. We simply could not exclude him.

One of the funnier examples of terrible opsec in the court documents was the claim he'd asked a question on Stack Overflow about a PHP problem he was encountering, including details that led the more technical among the crowd to link the post to Ulbricht and the Silk Road.

The question remains live on the forum now, although the comments from sharp-eyed users who linked it to Ulbricht were removed.

Ulbricht also made various other mistakes, including advertising Silk Road on clearweb forums using either his real name or aliases that could easily be linked back to him, and hinting at his Silk Road affiliation with clues in his LinkedIn profile.
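Every capture above rests on the same investigative move: take one selector a persona leaked (a payment destination, a recovery email, a real name in a forum post) and pivot through whatever else shares it until a node carries a verified identity, as the KYC records did for West, the personal email address did for Cazes and the forum posts did for Shames. The script below is an added illustration of that link-analysis step, not code from the article or from any investigation it describes; the observations, persona names, wallet labels, account IDs and the `identity:` prefix convention are all constructed for the example.

```python
"""Pivoting from a pseudonymous persona to a real identity through shared
selectors. Added illustration with constructed data; nothing here comes from
the cases described in the article."""
from collections import defaultdict, deque

# Constructed observations, one (node_a, relation, node_b) triple each. Node
# names carry a type prefix so the search can treat every node the same way.
OBSERVATIONS = [
    # A controlled purchase: the investigator pays persona "seller7" and the
    # payment lands in wallet W1 (the step the article describes for the
    # investigators' purchase of stolen data).
    ("persona:seller7", "paid_to", "btc:W1"),
    # On-chain hops: W1 pays W2, W2 pays a deposit address.
    ("btc:W1", "sent_to", "btc:W2"),
    ("btc:W2", "sent_to", "btc:DEP1"),
    # The deposit address belongs to an exchange account that completed KYC.
    ("btc:DEP1", "deposit_address_of", "exchange_account:ex-4471"),
    ("exchange_account:ex-4471", "kyc_document", "identity:person-A"),
    # A second persona that reused a contact email when signing up to a forum.
    ("persona:vendor_x", "registered_with", "email:contact@example.invalid"),
    ("email:contact@example.invalid", "recovery_address_for", "social:acct-9"),
    ("social:acct-9", "profile_name", "identity:person-B"),
    # A compartmented persona: its only selector is shared with nothing else.
    ("persona:ghost", "paid_to", "btc:W9"),
]


def build_graph(observations):
    """Undirected adjacency map: node -> {neighbour: relation}. Pivoting works
    in either direction (an email leads to the account as readily as the
    account leads to the email), so direction survives only in the label."""
    graph = defaultdict(dict)
    for a, rel, b in observations:
        graph[a][b] = rel
        graph[b][a] = rel
    return graph


def shortest_identity_path(observations, start, identity_prefix="identity:"):
    """Breadth-first search from a persona to the nearest node carrying a
    verified identity. Returns the node list from start to that identity, or
    None when the persona shares no selector that reaches one."""
    graph = build_graph(observations)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node.startswith(identity_prefix):
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for neighbour in graph[node]:
            if neighbour not in parent:
                parent[neighbour] = node
                queue.append(neighbour)
    return None


def describe(observations, path):
    """Render a path as the chain of pivots an analyst would write up."""
    graph = build_graph(observations)
    return [f"{a} --[{graph[a][b]}]--> {b}" for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    for persona in ("persona:seller7", "persona:vendor_x", "persona:ghost"):
        path = shortest_identity_path(OBSERVATIONS, persona)
        if path is None:
            print(f"{persona}: no route to a verified identity")
            continue
        print(f"{persona}: linked in {len(path) - 1} pivots")
        for step in describe(OBSERVATIONS, path):
            print("   ", step)
```

The relation labels and the `identity:` marker are conventions of this example; in practice the observations come from blockchain explorers, exchange records obtained by subpoena, forum scrapes and similar sources. The point the output makes is the one the article makes: `persona:seller7` is reached in five pivots because a single payment hop touched a KYC'd account, while `persona:ghost` shares no selector with anything and stays unlinked.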
Copyright 1998-2025. All rights reserved.
