Image: LagartoFilm via Getty Images
A scammer used a fake court order to convince a domain registrar to transfer ownership of a domain that lists dark web drug markets, and then used that control to point the sites to their own copies of the markets designed to steal people’s bitcoin.
Hackers often make lookalike sites of dark web markets, but the use of a fake court order is unusual. It bears some similarity to how scammers use fake trademarks to convince Instagram to transfer ownership of valuable usernames.
“I had 2FA and PGP enabled on that account. I am not an idiot when it comes to security,” Dark Fail, the pseudonymous admin of the site dark.fail, which was a victim of the hijacking, told Motherboard during the account takeover late last week.
Dark.fail is a site that aims to provide trusted links to dark web marketplaces.
“This resource is intended for researchers only. I do not vouch for any sites,” a message on the Tor hidden service version of the site currently reads.
After the domain hijack, the attacker replaced each link with a phishing site, according to a message on dark.fail posted after Dark Fail regained control of the domain.
“Each site looked real but instead shared all user activity with the attacker, including passwords and messages. Cryptocurrency addresses displayed on these sites were rewritten to addresses controlled by the phisher, intercepting many people’s money,” the message reads.
Dark.fail was registered with the privacy-focused domain registrar Njalla, which in turn uses the registrar Tucows for .fail domains, according to a tweet from Njalla and The Pirate Bay co-creator Peter Sunde Kolmisoppi.
Sunde added that Tucows received a court order on April 28 listing domain names that a German court allegedly wanted handed over.
“The PDF looks like a real court order, I’ve seen a lot of these,” Sunde wrote. “But this one is fake.” It used language previously used in a real court order to seize a different domain, he added. He wrote that the fake document also included a gag order, meaning neither Njalla nor Hover, another impacted registrar, was told about the transfer.
Sunde told Motherboard in an online chat that Tucows shared a copy of the fake order with him.
“We’ve looked at it quite in detail and quite certain it’s possible to narrow down the suspects quite a bit with access to more evidence,” Sunde added. He told Motherboard he agreed not to share a copy of the fake order itself since it’s a piece of evidence in a potential criminal investigation.
Sunde said in another tweet that the dark.fail domain was transferred to the registrar Namecheap, which did not suspend the domain despite it being used for an active phishing campaign because it believed the court order was legitimate.
Tucows and Namecheap did not respond to a request for comment. Days later, Njalla was able to retrieve the dark.fail domain.
“Once someone controls your domain you’re toast,” Dark Fail told Motherboard.