Dark Basin
{{Infobox organization
| name = Dark Basin
| native_name =
| native_name_lang =
| named_after =
| image =
| alt =
| formation =
| type = Advanced persistent threat
| purpose = Cyberespionage
| motto =
| part of =
| region = India
| methods = Spear phishing
| membership =
| language =
| parent_organization = BellTroX InfoTech Services
| affiliations = Wirecard, ExxonMobil
| formerly =
| website =
| remarks =
}}
{{short description|Cybercrime organization}}
Dark Basin is a hack-for-hire group identified by Citizen Lab, which began investigating it in 2017 and published its findings in June 2020.{{Cite web |last=Scott-Railton |first=John |last2=Hulcoop |first2=Adam |last3=Razzak |first3=Bahr Abdul |last4=Marczak |first4=Bill |last5=Anstis |first5=Siena |last6=Deibert |first6=Ron |date=2020-06-09 |title=Dark Basin - Uncovering a Massive Hack-For-Hire Operation |url=https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ |url-status=live |archive-url=https://web.archive.org/web/20200930184856/https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ |archive-date=2020-09-30 |access-date=2021-02-28 |publisher=Citizen Lab}} The group is suspected of having acted on behalf of companies such as Wirecard{{Cite news |last=Rosin |first=Hanna |date=2020-06-09 |title=Dark Basin: Global Hack-For-Hire Organization That Targeted Thousands Over The Years |work=All Things Considered |publisher=NPR |url=https://www.npr.org/2020/06/09/873349773/dark-basin-global-hack-for-hire-organization-that-targeted-thousands-over-the-ye |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20201115130625/https://www.npr.org/2020/06/09/873349773/dark-basin-global-hack-for-hire-organization-that-targeted-thousands-over-the-ye |archive-date=2020-11-15}} and ExxonMobil.{{Cite news |last=Murphy |first=Paul |date=2020-06-09 |title=Paid hackers targeted thousands of people and hundreds of institutions worldwide, report says |work=Financial Times |url=https://www.latimes.com/world-nation/story/2020-06-09/paid-hackers-dark-basin-targeted-thousands-people-hundreds-institutions |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20200626130949/https://www.latimes.com/world-nation/story/2020-06-09/paid-hackers-dark-basin-targeted-thousands-people-hundreds-institutions |archive-date=2020-06-26 |via=the Los Angeles Times}} Dark Basin is believed to be run by the Indian company BellTroX InfoTech Services.
Background
In 2015, Matthew Earl, a managing partner at ShadowFall Capital & Research, began researching Wirecard AG as a candidate for short selling. Wirecard had just announced the purchase of Great Indian Retail Group for $254 million,{{Cite news |date=2015-10-27 |title=Wirecard buys Great Indian Retail Group payments business |work=Reuters |url=https://www.reuters.com/article/us-wirecard-acquisition-india/wirecard-buys-great-indian-retail-group-payments-business-idUSKCN0SL1L520151027 |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20210301025220/https://www.reuters.com/article/us-wirecard-acquisition-india/wirecard-buys-great-indian-retail-group-payments-business-idUSKCN0SL1L520151027 |archive-date=2021-03-01}} a price that seemed excessive to Earl. In February 2016, he started to publish his findings under the alias Zatarra Research & Investigations,{{Cite news |last=O'Donnell |first=John |date=2020-07-16 |title=Germany's long, lonely campaign: Battling Wirecard's short sellers |work=Reuters |url=https://www.reuters.com/article/us-wirecard-accounts-germany-insight/germanys-long-lonely-campaign-battling-wirecards-short-sellers-idUSKCN24H0KM |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20201119071324/https://www.reuters.com/article/us-wirecard-accounts-germany-insight/germanys-long-lonely-campaign-battling-wirecards-short-sellers-idUSKCN24H0KM |archive-date=2020-11-19}} accusing Wirecard of corruption, corporate fraud, and money laundering.{{Cite news |last=Davies |first=Paul J. |date=2020-06-22 |title=Short sellers made $2.6 bln off Wirecard plunge |publisher=MarketWatch |url=https://www.marketwatch.com/story/short-sellers-made-26-bln-off-wirecard-plunge-2020-06-22 |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20210205050934/https://www.marketwatch.com/story/short-sellers-made-26-bln-off-wirecard-plunge-2020-06-22 |archive-date=2021-02-05}}
Soon after, the identity behind Zatarra Research & Investigations was revealed online, along with surveillance photographs of Earl in front of his house, and Earl realized that he was being followed. Employees of Jones Day, a law firm representing Wirecard,{{Cite news |last=Davies |first=Paul J. |last2=Chung |first2=Juliet |date=2020-06-20 |title=Short Sellers Made $2.6 Billion Off Wirecard's Plunge, but Not Without Scars |work=The Wall Street Journal |url=https://www.wsj.com/articles/short-sellers-made-2-6-billion-off-wirecards-plunge-but-not-without-scars-11592654586 |url-status=live |url-access=subscription |access-date=2021-02-28 |archive-url=https://archive.today/20200620170207/https://www.wsj.com/articles/short-sellers-made-2-6-billion-off-wirecards-plunge-but-not-without-scars-11592654586 |archive-date=2020-06-20}} visited Earl in person and handed him a letter accusing him of collusion, conspiracy, defamation, libel, and market manipulation.{{Cite web |date=2020-10-24 |title=Dark Basin – Darknet Diaries |url=https://darknetdiaries.com/transcript/79/ |publisher=Darknet Diaries}} Earl also began receiving spear-phishing emails that purported to come from his friends and family members. In the spring of 2017, Earl shared those emails with Citizen Lab, a research laboratory at the University of Toronto that studies information controls and digital threats to civil society.
Citizen Lab's investigation
= Initial findings =
Citizen Lab found that the attackers used a custom URL shortener whose short codes could be enumerated, which gave the researchers a list of roughly 28,000 URLs. Some of those URLs redirected to credential-phishing pages imitating Gmail, Facebook, LinkedIn, Dropbox and various webmail services; each page was customized with the victim's name and asked the user to re-enter their password.{{Cite web |last=Galperin |first=Eva |last2=Quintin |first2=Cooper |date=2017-09-27 |title=Phish For the Future |url=https://www.eff.org/deeplinks/2017/09/phish-future |url-status=live |archive-url=https://web.archive.org/web/20210116110032/https://www.eff.org/deeplinks/2017/09/phish-future |archive-date=2021-01-16 |access-date=2021-02-28 |publisher=Electronic Frontier Foundation}}
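The enumeration weakness described above can be illustrated with a small model. The Python below is an added example, not code from Citizen Lab or from the Dark Basin shortener: it assumes a shortener that derives each short code from a base62-encoded counter (the kind of design that lets an outsider with one observed link walk the whole link space), contrasts it with codes drawn from a CSPRNG, and includes the heuristic an analyst could use to recognise sequential codes from a handful of observed links. The URLs and starting counter are constructed for illustration.

```python
"""Enumerable (sequential) vs unpredictable short codes in a URL shortener.

Added example, not code from Citizen Lab or from the Dark Basin shortener.
Assumes the weak shortener base62-encodes a counter; the hardened variant
draws codes from a CSPRNG. Sample URLs and the starting counter are constructed.
"""
import secrets
import string

ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase  # base62


def encode_base62(n: int) -> str:
    """Encode a non-negative integer as a base62 string (no leading zeros)."""
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode_base62(code: str) -> int:
    """Inverse of encode_base62; leading zeros decode to the same value."""
    value = 0
    for ch in code:
        value = value * 62 + ALPHABET.index(ch)
    return value


class SequentialShortener:
    """Weak design: each new link gets the next counter value, base62-encoded."""

    def __init__(self, start: int = 1000):
        self.links = {}
        self.counter = start

    def shorten(self, url: str) -> str:
        self.counter += 1
        code = encode_base62(self.counter)
        self.links[code] = url
        return code

    def resolve(self, code: str):
        """Return the long URL for a code, or None if it does not exist."""
        return self.links.get(code)


class RandomShortener(SequentialShortener):
    """Hardened design: codes are independent CSPRNG draws (reuses the link store)."""

    def __init__(self, length: int = 8):
        super().__init__()
        self.length = length

    def shorten(self, url: str) -> str:
        code = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self.links[code] = url
        return code


def enumerate_neighbours(shortener, observed_code: str, radius: int) -> dict:
    """What an outsider can do with one observed link: walk nearby counter values."""
    centre = decode_base62(observed_code)
    found = {}
    for n in range(max(centre - radius, 0), centre + radius + 1):
        url = shortener.resolve(encode_base62(n))
        if url is not None:
            found[encode_base62(n)] = url
    return found


def looks_sequential(codes, max_gap: int = 64) -> bool:
    """Analyst heuristic: observed codes decode to integers with small gaps."""
    values = sorted(decode_base62(c) for c in codes)
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and max(gaps) <= max_gap


if __name__ == "__main__":
    weak = SequentialShortener()
    codes = [weak.shorten(f"https://phish.example/{i}") for i in range(5)]
    print("observed codes:", codes, "sequential?", looks_sequential(codes))
    print("walked from one code:", enumerate_neighbours(weak, codes[2], radius=10))
    strong = RandomShortener()
    rcodes = [strong.shorten(f"https://phish.example/{i}") for i in range(5)]
    print("random codes sequential?", looks_sequential(rcodes))
    print("walked from one code:", enumerate_neighbours(strong, rcodes[2], radius=10))
```

With the sequential store, one observed code is enough to recover every neighbouring link; with eight random base62 characters the walk finds nothing but the code it started from, and the gap heuristic fails as it should. Sequential codes are also what make the operator's own test links (such as a CV used to exercise the shortener) discoverable alongside the victims' links.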
Citizen Lab named this group 'Dark Basin' and identified several clusters among the victims:
- American environmental organizations linked to the #ExxonKnew campaign:{{Cite news |last=Hong |first=Nicole |last2=Meier |first2=Barry |last3=Bergman |first3=Ronen |date=2020-06-10 |title=Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. |work=The New York Times |url=https://www.nytimes.com/2020/06/09/nyregion/exxon-mobil-hackers-greenpeace.html |url-status=live |url-access=limited |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20210201145437/https://www.nytimes.com/2020/06/09/nyregion/exxon-mobil-hackers-greenpeace.html |archive-date=2021-02-01}} Rockefeller Brothers Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists, M+R Strategic Services and 350.org
- US media outlets
- Hedge funds, short sellers and financial journalists
- International banks and investment firms
- Legal firms in the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria
- Petroleum and energy companies
- Eastern European, Central European and Russian oligarchs
- Well-resourced people involved in divorces or other legal matters
The breadth of targets, which shared no single obvious adversary, led Citizen Lab to conclude that the group was operating as a mercenary, hack-for-hire service. The laboratory confirmed that some of these attacks were successful.
= Links to India =
Several clues allowed Citizen Lab to assert with high confidence that Dark Basin was based in India.
== Working hours ==
Timestamps in Dark Basin's phishing emails were consistent with working hours in India, which uses a single time zone, UTC+5:30 (Indian Standard Time).
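One way to carry out this kind of working-hours check, as an added example that is not Citizen Lab's tooling: parse the Date headers of a set of messages, convert each to a candidate time zone, and measure what fraction of sends fall inside a local working day. The sample Date headers below are constructed for illustration, and the 09:00-18:00 working window and the set of candidate offsets are assumptions.

```python
"""Hour-of-day analysis of email Date headers against candidate time zones.

Added example, not Citizen Lab's code. The Date headers below are constructed
for illustration; the 09:00-18:00 window and candidate offsets are assumptions.
"""
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30))  # India's single time zone

# Constructed sample Date headers, all stamped in UTC by the sending server.
SAMPLE_DATES = [
    "Mon, 13 Mar 2017 03:42:11 +0000",
    "Mon, 13 Mar 2017 04:12:09 +0000",
    "Tue, 14 Mar 2017 05:30:45 +0000",
    "Tue, 14 Mar 2017 06:05:02 +0000",
    "Wed, 15 Mar 2017 07:50:30 +0000",
    "Wed, 15 Mar 2017 09:15:17 +0000",
    "Thu, 16 Mar 2017 10:40:58 +0000",
    "Thu, 16 Mar 2017 12:05:41 +0000",
]

# Candidate UTC offsets (in hours) to score, labelled for readability.
CANDIDATE_OFFSETS = {"UTC-5": -5, "UTC": 0, "UTC+5:30": 5.5, "UTC+8": 8}


def hours_in_zone(date_headers, tz):
    """Return the local hour-of-day of each Date header when viewed in tz."""
    hours = []
    for header in date_headers:
        dt = parsedate_to_datetime(header)
        if dt.tzinfo is None:  # "-0000" headers parse as naive; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hours.append(dt.astimezone(tz).hour)
    return hours


def working_hours_fraction(hours, start=9, end=18):
    """Fraction of send hours inside [start, end) local time; 0.0 for no data."""
    if not hours:
        return 0.0
    return sum(start <= h < end for h in hours) / len(hours)


def score_offsets(date_headers, offsets=CANDIDATE_OFFSETS):
    """Score each candidate offset by how well the sends fit a local working day."""
    scores = {}
    for label, offset_hours in offsets.items():
        tz = timezone(timedelta(hours=offset_hours))
        scores[label] = working_hours_fraction(hours_in_zone(date_headers, tz))
    return scores


def hour_histogram(date_headers, tz):
    """Sends per local hour; useful for eyeballing the shape of a working day."""
    return Counter(hours_in_zone(date_headers, tz))


if __name__ == "__main__":
    ranked = sorted(score_offsets(SAMPLE_DATES).items(), key=lambda kv: -kv[1])
    for label, score in ranked:
        print(f"{label:>9}: {score:.2f} of sends inside 09:00-18:00 local")
    print("IST histogram:", dict(sorted(hour_histogram(SAMPLE_DATES, IST).items())))
```

Two caveats apply in practice. Neighbouring offsets (UTC+5, UTC+6) score almost as well as UTC+5:30 on any realistic sample, so this is evidence of consistency rather than a fix on one country; and Date headers are written by the sender's software, so an operator can forge them. That is why Citizen Lab paired the timing pattern with independent clues such as the shortener names and the phishing kit's configuration.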
== Cultural references ==
The instances of the URL shortening service used by Dark Basin had names related to Indian culture: Holi, Rongali and Pochanchi.
== Phishing kit ==
Dark Basin left the source code of their phishing kit, including some log files, exposed online. The code was configured to print timestamps in India's time zone, and a log file recording testing activity contained an IP address located in India.
= Links to BellTroX =
Citizen Lab believes with high confidence that BellTroX, also known as BellTroX InfoTech Services and BellTroX D|G|TAL Security, is the company behind Dark Basin. BellTroX, a Delhi-based company,{{Cite news |last=Stubbs |first=Jack |last2=Satter |first2=Raphael |last3=Bing |first3=Christopher |date=9 June 2020 |title=Obscure Indian cyber firm spied on politicians, investors worldwide |work=Reuters |url=https://www.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUSKBN23G1GQ |url-status=live |archive-url=https://web.archive.org/web/20210126014516/https://www.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUSKBN23G1GQ |archive-date=26 January 2021}} advertised on its website services including penetration testing, certified ethical hacking, and medical transcription. BellTroX employees showed poor operational security and often posted publicly about their illegal activities.
BellTroX's founder Sumit Gupta{{Cite news |last=Kumar |first=Ankit |date=2020-06-09 |title=Dark Basin: Delhi-based "Hack-for-Hire" firm exposed for hacking politicians, non-profits globally |work=India Today |url=https://www.indiatoday.in/india/story/dark-basin-delhi-based-hack-for-hire-firm-exposed-for-hacking-politicians-non-profits-globally-1687292-2020-06-09 |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20200627075331/https://www.indiatoday.in/india/story/dark-basin-delhi-based-hack-for-hire-firm-exposed-for-hacking-politicians-non-profits-globally-1687292-2020-06-09 |archive-date=2020-06-27}} is an Appin alumnus{{Cite news |last1=Satter |first1=Raphael |last2=Siddiqui |first2=Zeba |last3=Bing |first3=Chris |date=2023-11-16 |title=How an Indian startup hacked the world |url=https://www.reuters.com/investigates/special-report/usa-hackers-appin/ |access-date=2024-12-31 |website=Reuters |language=en}}{{Cite news |last1=Satter |first1=Raphael |last2=Bing |first2=Christopher |date=2022-06-30 |title=How mercenary hackers sway litigation battles |url=https://www.reuters.com/investigates/special-report/usa-hackers-litigation/ |access-date=2024-12-31 |website=Reuters |language=en}} and had previously been indicted in the United States, in 2015, for his role in a hack-for-hire scheme conducted on behalf of ViSalus.{{Cite press release |title=Private Investigators Indicted In E-Mail Hacking Scheme |date=2015-02-11 |publisher=United States Attorney for the Northern District of California |url=https://www.justice.gov/usao-ndca/pr/private-investigators-indicted-e-mail-hacking-scheme |access-date=2021-02-28 |url-status=live |archive-url=https://web.archive.org/web/20210107082006/https://www.justice.gov/usao-ndca/pr/private-investigators-indicted-e-mail-hacking-scheme |archive-date=2021-01-07}}
BellTroX used the CV of one of its employees to test Dark Basin's URL shortener, and its staff publicly posted screenshots containing links to Dark Basin's infrastructure.
Hundreds of people working in corporate intelligence and private investigation endorsed BellTroX on LinkedIn, and some of them are suspected of being clients. Those endorsing the company included a Canadian government official, an investigator at the US Federal Trade Commission, law enforcement officers, and private investigators with prior roles in the FBI, police, military and other branches of government.
On June 7, 2020, BellTroX took down their website. In December 2021, Meta (Facebook) banned BellTroX as a "cyber-mercenary" group.{{Cite news |date=17 December 2021 |title=Meta releases new threat report on surveillance for hire industry |work=The Economic Times |url=https://economictimes.indiatimes.com/news/company/corporate-trends/meta-releases-new-threat-report-on-surveillance-for-hire-industry/articleshow/88330134.cms |url-status=live |archive-url=https://web.archive.org/web/20211217034644/https://economictimes.indiatimes.com/news/company/corporate-trends/meta-releases-new-threat-report-on-surveillance-for-hire-industry/articleshow/88330134.cms |archive-date=17 December 2021}}{{Cite web |last=Dvilyanski |first=Mike |last2=Agranovich |first2=David |last3=Gleicher |first3=Nathaniel |date=16 December 2021 |title=Threat Report on the Surveillance-for-Hire Industry |url=https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf |url-status=live |archive-url=https://web.archive.org/web/20211216201907/https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf |archive-date=16 December 2021 |publisher=Meta}}
Reactions
Both Wirecard and ExxonMobil have denied any involvement with Dark Basin.{{Cite news |last=Porter |first=Jon |date=2020-06-10 |title=Researchers detail huge hack-for-hire campaigns against environmentalists |work=The Verge |url=https://www.theverge.com/2020/6/10/21286486/dark-basin-hackers-for-hire-phishing-emails-environmental-nonprofit-groups-exxon-mobil |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20200610192252/https://www.theverge.com/2020/6/10/21286486/dark-basin-hackers-for-hire-phishing-emails-environmental-nonprofit-groups-exxon-mobil |archive-date=2020-06-10}}{{Cite news |last=Murphy |first=Paul |date=2021-06-09 |title=Toronto's Citizen Lab uncovers massive hackers-for-hire organization 'Dark Basin' that has targeted hundreds of institutions on six continents |work=Financial Times |url=https://financialpost.com/financial-times/torontos-citizen-lab-uncovers-massive-hackers-for-hire-organization-dark-basin-that-has-targeted-hundreds-of-institutions-on-six-continents |url-status=live |access-date=2021-02-28 |archive-url=https://web.archive.org/web/20210125160451/https://financialpost.com/financial-times/torontos-citizen-lab-uncovers-massive-hackers-for-hire-organization-dark-basin-that-has-targeted-hundreds-of-institutions-on-six-continents |archive-date=2021-01-25 |via=the Financial Post}}
See also
References
{{reflist|30em}}
{{Hacking in the 2010s}}