Friday 16 May 2014

International -ongoing- BlackShades customers raid -Summary

Rumours within the cybercrime underground started to appear in early May about people getting arrested and their equipment being seized. Nothing uncommon so far, except that this time more and more people came forward, all with the same story, from all over Europe. At one point people even started posting 'proof'. Convincing proof.
If all of this turns out to be true, we are witnessing one of the biggest international raids ever related to cybercrime.

Below is a summary of what the uproar is about. It contains user posts from different, unrelated forums, the 'proof' those users posted, some news articles that could be related and, probably most convincing, a domain seized by the FBI.

The domain bshades.eu went offline on Wednesday. According to its whois information the domain has been seized by the FBI:

Most of the uproar is on hackforums.net, where a dozen topics have been started, some with more than 70 pages of comments, and more and more people showing up saying they have been a victim of the raid.
The image below shows a Dutch hackforums user saying he was a victim of the raid.

On this Belgian forum a user tells his story in Dutch.

He even posts some proof; the most important sentence is: "Uw betrokkenheid inzake de aankoop, het bezit, de verspreiding en het gebruik van hackertools (Software om computers van derden te misbruiken)"
Translated: "Your involvement in buying, possessing, spreading and the use of hackertools."

The officer who signed the document is indeed, according to his LinkedIn profile, an ICT investigator.

This user from Finland posts another piece of 'proof'.
According to Mikko Hypponen this translates to: "It's a warrant for search and seizure, related to 'importing Blackshades XXXX' into Finland."

Below is a picture from someone claiming the police are in front of his house with a search warrant regarding BlackShades; as proof he posts this picture.

Here's a German user posting evidence of his arrest:

Another German person posting his comments:

And the last one: here's a Dutch user talking about his arrest on a Dutch-only forum.

Then the newspapers. Most remarkable is that only the French newspaper RTL seems to have inside information. They reported on a raid going on in France, with 70 search warrants(!!) in France alone, related to the use of the BlackShades malware.

The Dutch police decline to comment.

But most fascinating is this article from Reuters: "REUTERS SUMMIT-FBI plans cyber crime crackdown, arrests coming in weeks".
It says: "expects to announce searches, indictments and multiple arrests over the next several weeks, the agency's official in charge of combating cyber crime said on Wednesday."

What connects all these arrests is the BlackShades RAT. Most users complain that they once bought the BlackShades RAT and that this is why they are being arrested right now.

If all of the above is true, we are only seeing the tip of the iceberg, and are probably witnessing one of the biggest international raids ever related to cybercrime.

The Dutch person provided me with some evidence.
According to the paper, the investigation in the Netherlands has the name "Rouwmantel".