For Pakistani Hackers, July 7, 2010 will be remembered as the beginning of a fearful period in their lives. On that day, Mr. Shahid Nadeem Baloch, the Director of Cyber Crime Investigations for the Federal Information Agency announced the arrest of five ring leaders of the popular hacker forum "PAKBugs" in this release from the Press Information Department. Among those praised by FIA's Director General, Mr. Zafar Ullah Khan, for their roles in the investigation are Mr. Muhammad Idress Mian, who directs the National Response Center for Cyber Crimes (NR3C), Mr. Muhammad Raza, Cyber Crime Circle sub-inspector for the Rawalpindi Police, and NR3C Technical Officers Mr. Aun Abbas, and Mr. Amjad Abbasi.
The hackers arrested or wanted include:
Jawad Ehsan, alias Humza, still at large in Riyadh, Saudi Arabia.
Jawad uses the hacker handle ZombiE_Ksa, and is the founder of PakBugs and probably the most famous of all the PakBugs hackers. He is charged with 169 website defacements.
Ahmad Hafeez, arrested in Lahore.
Ahmad uses the hacker handle vergil, and is a moderator on the boards Pakbugs and Pakhaxorz. He is charged with 480 website defacements.
Hassan Khan, arrested in Peshawar.
Hassan uses the hacker handle x00mx00m, and is a co-founder of Pakbugs. He is charged with 8,697 website defacements.
Farman Ullah Khan, arrested in Bannu.
Farman uses the hacker handle Farman, and was a VIP-member of Pakbugs. Charges against Farman are unknown.
Malik Hammad Khalid, arrested in Rawalpindi.
Malik uses the hacker handle inject0r, and was a "super moderator" at Pakbugs. He is charged with 134 website defacements.
Taimoor Zafar Bhatti, arrested in Rawalpindi.
Taimoor uses the hacker handle h4v0c-, and was a "super moderator" at Pakbugs. He is charged with 105 website defacements.
Also wanted by the FIA Cyber Crimes Department are:
According to the press release:
These individuals have expertise in following techniques:
2) SQL Injection
3) Trojan horses
6) Access to various servers
8) PHP Scripts
10) ASP scripts (self writing)
11) JSP scripts (self writing)
12) Key loggers
13) Credit Cards Jacking and usage of stolen Credit Cards
What the press release doesn't mention is that the NR3C's own website was hacked by these website defacers in January of this year. (image from MastiKorner.com - click image to see original defacement courtesy of Zone-H archive)
In that defacement the Pakbugs hackers suggest that if Pakistani citizens want help with security issues they should turn to Pakbugs rather than the NR3C.
The NR3C defacement was signed:
We are L33t Pakistani H4x0rZ,
We are PAKbugs, We keep it real:
Special Greetz: BiG^Smoke
Greetz: Agd_Scorp :aB0 M0h4mM3d : The Moorish
That is actually the last website defacement credited to ZombiE_Ksa in the Zone-H archives, although his activities in 2009 included hacking numerous ".gov.pk" websites, temporarily taking over nameservers on the ".ug" registrar to allow defacements of the Ugandan websites for Microsoft, Toshiba, CNN, Citibank, and Google, and hacking the websites of the Saudi "Bank Al Bilad".
Zombie_KSA (KSA = Kingdom of Saudi Arabia) uses the hotmail addresses "Zombie_KsA@hotmail.com" and "email@example.com".
TrendMicro posted screenshots obtained from Zombie_KSA proving that he not only had defaced the website, but actually had control of the email systems of the NR3C.
Despite the ZombiE_KsA hack, the Pakistani government is to be highly praised for taking on Cybercrime in such a proactive way. Pakistanis are encouraged to report cybercrime by emailing firstname.lastname@example.org. The 2007 "Prevention of Electronic Crimes Bill (english language PDF) offers penalties from six months imprisonment all the way up to Capital punishment for 17 types of cyber crimes, with the most significant being "Cyber terrorism".
Other articles show that Zombie_KsA and Cyber-Criminal hacked the Pakistani Air Force website.
Unfortunately for the PakBugs hackers, in addition to having the Pakistani government after them, they had a bigger problem. Greyhat vigilante hacker "email@example.com" posted the entire user database of the PakBugs forums to the mailing list Full-Disclosure back on September 14, 2009. That report revealed the email addresses used by all 12,640 members of PakBugs, including many of the hackers on the FIA wanted list including:
ZombiE_KsA = firstname.lastname@example.org
x00mx00m = email@example.com
Farman = firstname.lastname@example.org
vergil = email@example.com
Injector = firstname.lastname@example.org
h4v0c- = email@example.com
The FIA may want to check out the history of website "loverzpoint.net", which has been "Greeted" several times by ZombiE_KsA, and where two of their "still at large" hackers have email accounts:
Cyb3r-Criminal = firstname.lastname@example.org
BiG Smoke = email@example.com
spo0fer = firstname.lastname@example.org
[a] = email@example.com
loverzpoint.net was originally registered to "firstname.lastname@example.org" with a fraudulent US-based address. In October 2008 that changed to "email@example.com" with a Riyadh address and the name "Syed Jawad Shah".
(According to the Hack, userids 1, 12, 99, 1628 and 3844 all had "Admin" privileges at PakBugs. That would be users = ZombiE_KsA, spo0fer, Maximus, Test User, and Big Smoke, the last of those being the original owner of LoverzPoint.net)
The website "Propakistani.pk" has run a message regarding these arrests which is said to be from the "Pakistan Cyber Army". The PCA was active in a clash between Pakistani and Indian hackers in November of 2008. The message reads:
“Message from Pakistan Cyber Army on arrest of Pakbugs Members
If anyone has doubt that we are not the one who defaced ONGC then get a life first. If people have forgotten, then we are the same guys who Defaced ONGC in response to the attack on OGRA. After which we did a peace deal with the groups involved on both sides of borders including “Pakbugs” and “ICW” but kids didn’t keep their promise and got arrested.
We told PakBugs many (many, many, many) times to not to deface/destroy Pakistani websites and infrastructure. We told them to take FIA and NR3C seriously – as these agencies are not bunch of NOOBS, we had warned Pakbugs that you people don’t know about the power and the resources that NR3C has got but they gave a damn to our words and ended up in their custody.
I feel sad about the kids but… it happened due to their carelessness and childish attitude, which eventually landed them in the jail.
If you people are upcoming hackers and don’t know about Prevention of Electronic Crimes Ordinance then go and read it on NR3C website. I fear that Pakbugs would have a jail of 7 years if they got trialed and if FIA bail them out with some punishment they should thank Allah and concentrate on their studies.
We always told Jawad (HUMZA) and other kids about the consequences that they may face if arrested. [Jawad correct me if I am wrong.
Request to FIA/NR3C
“It is our humble request to FIA (NR3C) authorities to consider the case realistically and don’t give the kids the capital punishment as they are kids and can improve if given a chance. If they got the capital punishment as mentioned in Prevention of Electronic Crimes Ordinance then their future will be ruined. Sir these are our kids and our force if given a direction“
Message for upcoming Hackers
Our message to upcoming hackers or people who are interested in this field is that there is nothing bad to have the knowledge of hacking or hacking techniques, what’s bad is the usage of such knowledge and skill against our own country, National and international organizations or departments – that may cause damage to our country and its repute in the world. Don’t push your efforts to get famous. The fame will come by the time.
Some of your kids out there think that organizations in the west give opportunity to the hackers, if that’s the case then you are living in a heaven of fools.
Don’t believe in such stories that hackers will have a good future. The person who has a criminal record cannot fly from the country or he can’t enter into a country legally – go and ask your elders about it.
Message for Indian Hackers
If Indian hackers think that the game is over then read our message once again “Don’t mess with Pakistan else you will lose both your Name and this Game”. If you think that “Pakbugs” got arrested and you have a chance to play then give it a second thought.
We are still awake for our country.
Haroon aka D45H & Hamza aka r4yd3n
Pakistan Cyber Army
(someone named R4yd3n was a member at PAKBugs as well, using the email firstname.lastname@example.org)