Dark Basin

Dark Basin is a hack-for-hire group, discovered in 2017 by Citizen Lab. They are suspected to have acted on behalf of companies such as Wirecard and ExxonMobil.


Background

In 2015, Matthew Earl, a managing partner at ShadowFall Capital & Research, began to study Wirecard AG, hoping to short sell the company. Wirecard had just announced the purchase of Great Indian Retail Group for $254 million, which seemed overpriced to Earl. In February 2016, he started to write publicly about his findings under the alias Zatarra Research & Investigations, accusing Wirecard of corruption, corporate fraud, and money laundering. Soon after, the identity behind Zatarra Research & Investigations was revealed online, along with surveillance pictures of Earl in front of his house. Earl quickly realized that he was being followed. Employees from Jones Day, a law firm representing Wirecard, visited Earl and handed him a letter accusing him of collusion, conspiracy, defamation, libel, and market manipulation. Earl also started to receive targeted phishing emails that appeared to come from his friends and family members. In the spring of 2017, Earl shared those emails with Citizen Lab, a research laboratory specializing in information controls.


Citizen Lab's investigation


Initial findings

Citizen Lab discovered that the attackers were using a custom URL shortener that allowed enumeration, giving the researchers access to a list of 28,000 URLs. Some of those URLs redirected to websites looking like Gmail, Facebook, LinkedIn, Dropbox or various webmails, each page customized with the name of the victim and asking the user to re-enter their password. Citizen Lab named this hacker group 'Dark Basin' and identified several clusters among the victims:

* American environmental organizations linked to the #ExxonKnew campaign: Rockefeller Brothers Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists, M+R Strategic Services or 350.org
* US media outlets
* Hedge funds, short sellers and financial journalists
* International banks and investment firms
* Legal firms in the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria
* Petroleum and energy companies
* Eastern European, Central European and Russian oligarchs
* Well-resourced people involved in divorces or other legal matters

The variety of targets led Citizen Lab to conclude that this was mercenary activity. The research laboratory confirmed that some of these attacks were successful.


Links to India

Several clues allowed Citizen Lab to assert ''with high confidence'' that Dark Basin was based in India.


Working hours

Timestamps in Dark Basin phishing emails were consistent with working hours in India, which has only one time zone: UTC+5:30.
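As an added example, not from the original article or from Citizen Lab's report, the following Python script applies the working-hours reasoning above to a set of email Date headers: it converts each timestamp into several candidate time zones and scores how many messages fall within a 9-to-18 working day in each. The Date headers, the candidate zones and the 9-to-18 window are constructed for illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (RFC 5322 format); not real Dark Basin evidence.
SAMPLE_DATE_HEADERS = [
    "Mon, 03 Apr 2017 04:12:31 +0000",  # 09:42 in UTC+5:30
    "Mon, 03 Apr 2017 06:58:05 +0000",  # 12:28 in UTC+5:30
    "Tue, 04 Apr 2017 10:20:44 +0000",  # 15:50 in UTC+5:30
    "Wed, 05 Apr 2017 11:45:00 +0000",  # 17:15 in UTC+5:30
    "Thu, 06 Apr 2017 05:30:17 +0000",  # 11:00 in UTC+5:30
    "Fri, 07 Apr 2017 08:03:59 +0000",  # 13:33 in UTC+5:30
]

# India has a single time zone, UTC+5:30; the other two are comparison candidates.
IST = timezone(timedelta(hours=5, minutes=30))
CANDIDATE_ZONES = {
    "UTC+5:30 (India)": IST,
    "UTC (London)": timezone.utc,
    "UTC-5 (New York)": timezone(timedelta(hours=-5)),
}


def local_hours(date_headers, tz):
    """Parse each Date header and return the sender-side hour of day in tz."""
    hours = []
    for raw in date_headers:
        dt = parsedate_to_datetime(raw)   # honours the header's own UTC offset
        if dt.tzinfo is None:             # a '-0000' date parses as naive: treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hours.append(dt.astimezone(tz).hour)
    return hours


def working_hours_fraction(date_headers, tz, start=9, end=18):
    """Share of messages sent within [start, end) local time in tz (assumed working day)."""
    hours = local_hours(date_headers, tz)
    if not hours:
        return 0.0
    return sum(1 for h in hours if start <= h < end) / len(hours)


def rank_candidate_zones(date_headers, candidates=CANDIDATE_ZONES):
    """Rank candidate zones, best fit to a working day first."""
    scored = {name: working_hours_fraction(date_headers, tz) for name, tz in candidates.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_candidate_zones(SAMPLE_DATE_HEADERS):
        print(f"{name}: {score:.0%} of messages inside 09:00-18:00")
```

A single zone fitting well is only one clue; Citizen Lab combined it with the shortener names and the phishing-kit logs described below before drawing its conclusion.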


Cultural references

The instances of the URL shortening service used by Dark Basin had names related to Indian culture: Holi, Rongali and Pochanchi.


Phishing kit

Dark Basin left their phishing kit source code, including some log files, available online. The source code was configured to print timestamps in India's time zone. The log file, which showed some testing activity, included an IP address based in India.


Links to BellTroX

Citizen Lab believes with high confidence that BellTroX, also known as BellTroX InfoTech Services and BellTroX D|G|TAL Security, is the company behind Dark Basin. BellTroX, a Delhi-based company, advertised on its website services such as penetration testing, certified ethical hacking, and medical transcription. BellTroX employees are described as noisy, often posting publicly about their illegal activities. BellTroX's founder Sumit Gupta had previously been indicted and charged in the United States for a hack-for-hire scheme on behalf of ViSalus. BellTroX used the CV of one of their employees to test Dark Basin's URL shortener. They also publicly posted screenshots of links to Dark Basin's infrastructure. Hundreds of people working in corporate intelligence and private investigation endorsed BellTroX on LinkedIn; some of them are suspected of being clients. Those endorsements included a Canadian government official, an investigator at the US Federal Trade Commission, law enforcement officers, and private investigators with prior roles in the FBI, police, military and other branches of government. On June 7, 2020, BellTroX took down their website. In December 2021, Meta (Facebook) banned BellTroX as a "cyber-mercenary" group.


Reactions

Both Wirecard and ExxonMobil have denied any involvement with Dark Basin.

