Dark Basin is a hack-for-hire group, discovered in 2017 by Citizen Lab. It is suspected to have acted on behalf of companies such as Wirecard and ExxonMobil. Dark Basin is believed to be run by the Indian company BellTroX InfoTech Services.


Background

In 2015, Matthew Earl, a managing partner at ShadowFall Capital & Research, began to study Wirecard AG with the intention of short selling it. Wirecard had just announced the purchase of Great Indian Retail Group for $254 million, which seemed overpriced to Earl. In February 2016, he started to write publicly about his findings under the alias Zatarra Research & Investigations, accusing Wirecard of corruption, corporate fraud, and money laundering. Soon after, the identity behind Zatarra Research & Investigations was revealed online, along with surveillance pictures of Earl in front of his house. Earl quickly realized that he was being followed. Employees of Jones Day, a law firm representing Wirecard, visited Earl and handed him a letter accusing him of collusion, conspiracy, defamation, libel, and market manipulation. Earl also started to receive targeted phishing emails that appeared to come from his friends and family members. In the spring of 2017, Earl shared those emails with Citizen Lab, a research laboratory specializing in information controls.


Citizen Lab's investigation


Initial findings

Citizen Lab discovered that the attackers were using a custom URL shortener that allowed enumeration, giving the researchers access to a list of 28,000 URLs. Some of those URLs redirected to websites looking like Gmail, Facebook, LinkedIn, Dropbox or various webmails, each page customized with the name of the victim and asking the user to re-enter their password. Citizen Lab named this hacker group 'Dark Basin' and identified several clusters among the victims:

* American environmental organizations linked to the #ExxonKnew campaign: Rockefeller Brothers Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists, M+R Strategic Services or 350.org
* US media outlets
* Hedge funds, short sellers and financial journalists
* International banks and investment firms
* Legal firms in the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria
* Petroleum and energy companies
* Eastern European, Central European and Russian oligarchs
* Well-resourced people involved in divorces or other legal matters

The variety of targets led Citizen Lab to suspect a mercenary operation. The research laboratory confirmed that some of these attacks were successful.


Links to India

Several clues allowed Citizen Lab to assert ''with high confidence'' that Dark Basin was based in India.


Working hours

Timestamps in Dark Basin phishing emails were consistent with working hours in India, which has only one timezone: UTC+5:30.
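The working-hours test described above can be reproduced on a mailbox: normalise every Date header to UTC, re-express it in each candidate zone, and score how many messages land inside a business day. This is an added illustration, not Citizen Lab's code or data; the Date headers and the 9:00 to 18:00 working day are constructed assumptions.

```python
from collections import OrderedDict
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (not real Dark Basin mail). Offsets differ
# because the phishing mail was relayed through various providers.
SAMPLE_DATES = [
    "Mon, 13 Mar 2017 04:12:31 +0000",
    "Tue, 14 Mar 2017 06:45:02 +0000",
    "Tue, 14 Mar 2017 11:30:10 +0000",
    "Wed, 15 Mar 2017 09:05:44 +0100",  # 08:05 UTC
    "Thu, 16 Mar 2017 12:20:00 +0530",  # 06:50 UTC
    "Fri, 17 Mar 2017 05:58:17 +0000",
    "Fri, 17 Mar 2017 10:10:10 -0400",  # 14:10 UTC
    "Sat, 18 Mar 2017 03:33:33 +0000",
]

WORKDAY_START, WORKDAY_END = 9, 18  # assumed local business hours, Mon-Fri

# Candidate zones to compare; India is the only one with a half-hour offset.
CANDIDATES = OrderedDict([
    ("UTC+5:30 (India)", timedelta(hours=5, minutes=30)),
    ("UTC+0 (London)", timedelta(0)),
    ("UTC-5 (US East)", timedelta(hours=-5)),
    ("UTC+8 (Beijing)", timedelta(hours=8)),
])


def to_utc(date_header):
    """Parse an RFC 5322 Date header and return an aware UTC datetime."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:          # '-0000' parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def workday_fraction(date_headers, utc_offset):
    """Fraction of messages sent during business hours on a weekday when the
    timestamps are interpreted in a zone at the given UTC offset."""
    tz = timezone(utc_offset)
    hits = 0
    for header in date_headers:
        local = to_utc(header).astimezone(tz)
        if local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END:
            hits += 1
    return hits / len(date_headers)


def rank_zones(date_headers, candidates=CANDIDATES):
    """Return (zone name, fraction) pairs, best-fitting zone first."""
    scored = [(name, workday_fraction(date_headers, off)) for name, off in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

With the constructed sample, the India offset places 6 of 8 messages in business hours, ahead of every other candidate; on a real corpus the spread between zones, not a single score, is what supports an attribution claim.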


Cultural references

The instances of the URL shortening service used by Dark Basin had names related to Indian culture: Holi, Rongali and Pochanchi.


Phishing kit

Dark Basin left the source code of their phishing kit, including some log files, available online. The source code was configured to print timestamps in India's timezone. The log file, which showed some testing activity, included an IP address based in India.


Links to BellTroX

Citizen Lab believes with high confidence that BellTroX, also known as BellTroX InfoTech Services and BellTroX D|G|TAL Security, is the company behind Dark Basin. BellTroX, a Delhi-based company, advertises on its website activities such as penetration testing, certified ethical hacking, and medical transcription. BellTroX employees are described as noisy and often posted publicly about their illegal activities. BellTroX's founder Sumit Gupta is an Appin alumnus and was previously indicted and charged in the United States for a hack-for-hire scheme on behalf of ViSalus. BellTroX used the CV of one of their employees to test Dark Basin's URL shortener. They also publicly posted screenshots of links to Dark Basin's infrastructure. Hundreds of people working in corporate intelligence and private investigation endorsed BellTroX on LinkedIn, and some of them are suspected to be possible clients. Those endorsements included a Canadian government official, an investigator at the US Federal Trade Commission, law enforcement officers, and private investigators with prior roles in the FBI, police, military and other branches of government. On June 7, 2020, BellTroX took down their website. In December 2021, Meta (Facebook) banned BellTroX as a "cyber-mercenary" group.


Reactions

Both Wirecard and ExxonMobil have denied any involvement with Dark Basin.


See also

* Appin

