

Darkode Shutdown: FireEye Intern Accused Of Creating $65,000 Android Malware


One of the more successful English-speaking cybercrime forums, Darkode, was shut down today, and 28 individuals linked to the site were arrested across the world, the FBI and Europol confirmed this morning. Charges were filed in the US against 12 individuals. They included the apparent Darkode creator, 27-year-old Wisconsin resident Daniel Placek; an alleged admin, 27-year-old Swede Johan Anders Gudmunds; and the accused creator of Facebook Spreader, malware designed to ensnare users of the social network into a massive botnet, a network of infected machines.

In one of the more surprising twists in the case, FORBES understands that one of those charged spent two summers interning as a mobile malware researcher at FireEye, a top US cybersecurity firm that has received investment from the CIA’s In-Q-Tel, Goldman Sachs and Sequoia Capital, and has helped numerous companies recover from major breaches, including that of Sony Pictures last year. That same individual, 20-year-old Morgan Culbertson, has been accused of creating and selling the Dendroid malware, which targets Google’s Android operating system. The US Attorney for the Western District of Pennsylvania confirmed to FORBES that the accused is the same Morgan Culbertson as the one listed on LinkedIn here. According to that page and court filings, he was selling his malware at the same time as he was working at FireEye.

FireEye said in an emailed statement that it had suspended Culbertson from future work at the company. It's believed he was interning in summer 2014 as well as 2013. One major concern for the company might be that Culbertson could have used confidential FireEye research to hone his malware. The firm has strong expertise in mobile security and has repeatedly highlighted weaknesses in Android, as well as Apple’s iPhone. Culbertson would’ve learned a lot during his four months interning, whether for good or bad.

“He is accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was allegedly offered for sale on Darkode,” the Department of Justice said today.

Dendroid was a particularly virulent strain of Android malware. When it was uncovered in March 2014, researchers were alarmed by its sophistication, as it was able to take pictures using the phone’s camera, record audio and video, listen in on calls and texts, and nab the victim’s photos or other data. The toolkit was being sold for $300 in Bitcoin, or other cryptocurrency, on cybercrime forums, whilst the source code was going for as much as $65,000. Its creator also offered a warranty promising the malware would go undetected by security software, according to an analysis by Lookout Mobile Security, whilst the malware itself was delivered over the Google Play store, masquerading as legitimate apps. It was a professional-looking service.

If Culbertson was Dendroid’s father, then he most likely enhanced his malware with some of the skills he learned at FireEye during his internships, the first of which lasted from May 2013 to August 2013, according to his LinkedIn page. “I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics,” his description of his time at the firm reads. According to the United States Attorney filing related to Culbertson, he was disseminating Dendroid from January 2013 until August 2014.

He is currently a student at Carnegie Mellon University College of Engineering, according to his public online profiles, where he was awarded a slice of $2,500 in McGinnis Venture Competition winnings for an app he co-created. It sounded like a pretty neat app too: software for eyeglasses that projected translations of any foreign language being spoken onto a screen in front of the user’s eye.

As for Darkode, it’s gone thanks to Operation Shrouded Horizon, which involved law enforcement action across 20 countries against at least 70 individuals involved in the site. The forum consisted of a small but successful community of hackers who traded malware and, in some cases, stolen data. Members of hacker crew Lizard Squad, which infamously took out the PlayStation Network and Xbox Live last Christmas, were said to be users. It was an invite-only website limited to those who had worth to other members, of whom there were between 250 and 300. Those heading to the site will now see the seizure notice below.

What’s apparent is that there were a number of talented coders on Darkode. If only they’d been convinced by those around them to do more constructive work than stealing other people’s data.