Monday, August 24, 2015

Darkode guilty pleas: Phastman, Loki, & Strife

So far there have been three guilty pleas related to the Darkode hacking forum.  Although the case, which used the name "Operation Shrouded Horizon" resulted in 70 arrests worldwide, only twelve individuals have been indicted so far by the Department of Justice, and several of those individuals are overseas.  When the site was taken over, it displayed this graphic, showing the many foreign law enforcement agencies that cooperated with the takedown and the arrests.

Johan Gudmunds / Mafi

Image from ArrestTracker

The main administrator of Darkode is Johan Anders Gudmunds.  Gudmunds used three hacker aliases: Mafi, Crim, and Synthet!c.  According to DOJ, he resides in Sweden.   According to the indictment "From around September 2008 until about January 23, 2015" Gudmuns "knowingly and willfully did aid and abet and conspire, combine, confederate and agree together with other persons" ... "to commit offenses against the United States" including:

  • intentionally accessing a computer without authorization and exceeding authorized access to a protected computer, committing the offense for purposes of commercial advantage and private financial gain in furtherance of a criminal and tortious act in violation of the Constituion and the laws of the United States to obtain a thing of value exceeding $5,000 -- 18 USC Sections 1030(a)(2)(C) and (c)(2)(B)(i)-(iii).
  • knowingly and with intent to defraud accessed a protected computer and by means of such conduct intended to commit fraud or obtain something of value -- 18 USC Section 1030(a)(4) and (c)(3)(A)
  • knowingly caused the transmission of a program, information, code, and commands that as a result of such conduct intentionally caused damage affecting 10 or more protected computers during a 1-year period -- 18 USC Sections 1030(a)(5)(A) and (c)(4)(B).
  • knowingly and with intent to defraud trafficked in passwords and similar information through which a computer may be accessed without authorization affecting interstate and foreign commerce -- 18 USC Sections 1030(a)(6)(A) and (c)(2)(A).
Gudmunds wrote a botnet called "Blazebot" that compromised computers that he later sold access to. His price for access was $80 per 1,000 compromised machines, or 8 cents per computer.  Yes, that is how much your PC is worth!  Gudmunds also sold root access on computers at universities in Europe for $50 per server, and to at least 200 other servers for between $10 and $50.  The Zeus malware that he controlled logged more than 200,000,000 credential thefts from 60,000 compromised computers that made up his botnet.  (This would include many repeated credentials, obviously.)  Gudmunds also wrote an Exploit Kit called "CrimePack" that he sold on his forum, as well as an MSN Messenger spreader.  He was still authoring and selling code much more recently, including his package called "Pandemiya 2014"

Some of Gudmunds online ids included the jabber account "mafioso@xmpp.jb" and the email account "".  He began using the Synthet!c alias in January 2012.

Daniel Placek / Loki

According to the Gudmunds indictment, the original forum was created by "Iserdo" and "nocen / Loki".  We know from the charges against Daniel Placek of Glendale, Wisconsin, that he was the one who used the aliases Nocen, Loki, Juggernaut, and M1rro0r.

Loki's charges say that "in or about June 2008, Daniel Placek and Martjaz Skorjanc (AKA Iserdo)  created the Internet forum with the domain with the intention of bringing together computer hackers and other criminals to facilitate the production and sharing of malicious software, and later led to forum discussion about the creation and dissemination of botnets and the sending of spam."   Placek was an administrator on the forum, and in January 5, 2010, agreed to sell malware that he designed for harvesting network traffic for email addresses and passwords to a user named Dethan.78 for $500.  Dehtan.78 was an FBI agent.  Oops!

When Placek's computer was raided, all the way back in 2010, it was found to contain 74,190 credit card numbers and 297 bank account numbers.  In his guilty plea on July 31, 2015, Placek agreed to plea to one charge in exchange for prosecutors agreeing to seek a sentence of "six to twelve months".  This agreement carefully considered the fact that Placek has provided full cooperation regarding law enforcement queries and access to Darkode FOR MORE THAN FIVE YEARS!

From all reports, Placek has left his black hat ways behind him and has not participated in crime since his 2010 activities.   He has been working as a network engineer for a company named Swick Technologies, and neither law enforcement nor his employer has had any reason to doubt that he is reformed.  (More from this article:  Placek to plead guilty for role in creating Darkode hacker marketplace  )

Eric Croker AKA Phastman

Eric L. Crocker, a 39-year old resident of New York, (some sources say 29) was the first to plea guilty from the charges that came out of the Darkode forum seizure.  His primary plea is that he violated the CAN-SPAM ACT.  Phastman's primary activity that he is charged with is the creation of a hacking tool called the Facebook Spreader.  Although he is only directly charged for breaking into "at least 77,000 computers" and his indictment indicates he sold access to computers his botnets controlled for $200 to $300 per 10,000 (2 to 3 cents per machine) some news sources are reporting that his hacking earned Crocker "upwards of $21 Million." 

Phillip Fleitz, AKA Strife

Phillip Fleitz photo from ArrestTracker
 Phillip Fleitz was the most recent person to plead guilty on the Darkode case.  Fleitz is named along with two others in an indictment from the Western District of Pennsylvania.  The three were:

  • Naveed Ahmed (AKA "Nav" AKA "Semaph0re")
  • Phillip R. Fleitz (AKA "Strife")
  • Dewayne Watts (AKA "m3t4lh34d" AKA "metal"
The conspiracy that these three are charged with involves leasing at least two "bullet-proof hosting" servers in China that were used to scan Internet-connected routers to identify places that would allow them to use those routers as Proxies to reroute commercial email messages to hide their true source.  The spam that was sent was primarily using "email-to-SMS gateways" so that the emails sent would show up as text messages on cell phones of the recipients.  The spam was primarily "gift card scams" with the indictment giving the particular example of Best Buy Gift Card spam.  A couple examples include:
  • "Congratulations, your 4th place code is H7G0 -"
  • "Congratulations! You've finished Fifth!  Your code is: WM154 -"
  • "Your entry placed 8 out of 10!  Claim the prize with this Code: U0V2 -"

Still to Come

The people who are still named by the Department of Justice, but have not yet plead guilty are:

  •     Johan Anders Gudmunds - see above
  •     Morgan C Culbertson - the "FireEye Intern" / Carnegie Mellon student
  •     Naveed Ahmed -
  •     Dewayne Watts - M3t4lh34d / metal
  •     Murtaza Saifuddin
  •     Matjaz Skorjanc - rzor from Pakistan
  •     Florencio Carro Ruiz - NetK, Netkairo from Spain
  •     Mentor Leniqi - Iceman from Slovenia
  •     Rory Stephen Guidry - selling botnets,
 Of those, the only individual who has received much US-based press was Morgan, who is the author of a Remote Administration Trojan known as Dendroid.            

If any more guilty pleas come through, we'll try to update this page!

By the way, much praise to a site I was not previously familiar with called "Arrest Tracker" from the people that run  His page "Mass Arrest #24"  here has a great summary of what's going on with Darkode, but I know many of my readers will be interested in regularly following the regular updates from his page!

1 comment:

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.