Court unseals indictment against alleged Darkode hacking forum members

An American and three Europeans have been charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud for allegedly distributing malware on the now-defunct Darkode computer hacking forum.

A District of Columbia federal court this week unsealed an indictment against the four individuals, who are identified as Thomas McCormick (aka fubar), 26, of Washington state; Matjaz Skorjanc (aka iserdo and serdo), 32, of Maribor, Slovenia; Florencio Carro Ruiz (aka NeTK and Netkairo), 40, of Vizcaya, Spain; and Mentor Leniqi (aka Iceman), 35, of Gurisnica, Slovenia. The indictment was originally filed under seal on Dec. 4, 2018.

McCormick, who is also charged with five counts of aggravated identity theft, was arrested last Dec. 10, but the three remaining suspects remain fugitives. McCormick was allegedly among the last administrators of Darkode, while Skorjanc is accused of being the underground marketplace's founder and first administrator.

According to the indictment, the first charge of racketeering conspiracy stems from a series of alleged acts involving bank fraud, wire fraud, access device fraud, identity theft, hacking and extortion. Justice officials say the invitation-only group was responsible for $4.5 million in victim losses between September 2008 and December 5, 2013, at which time the FBI first contacted McCormick about his alleged role in the operation.

Ultimately, Darkode was taken down by international law enforcement officials in a July 2015 crackdown called Operation Shrouded Horizon.

"Darkode was a criminal organization built around an online password-protected criminal forum where high-level international hackers and cybercriminals convened to develop, buy, sell, trade and share hacking tools, information and ideas," the indictment says.

"The schemes included selling and using tools – malware – to hack into victim computers and steal personally identifying information ('PII'), bank account and other login credentials, and credit cards," the indictment continues. "The schemes also included developing and selling tools – malware – for taking over victims' computers and using them to attack victims' web sites; hold victims' websites for ransom; and hide the criminals' identities on the internet."

For instance, Skorjanc is accused of creating bot software called Butterfly Bot or BFBOT and selling it on Darkode. The indictment describes a forum posting that said the bot runs on Windows NT-based systems and can steal usernames and passwords for online financial services from Firefox and Internet Explorer users. The bot was also said to launch DDoS attacks and alter text entered into MSN Messenger.

Other malware programs allegedly put up for sale by one or more of the defendants included the Mariposa botnet (a modified version of BFBOT), and the Zeus trojan known for stealing banking credentials. The Darkode members also allegedly sold access to compromised computers.

Bradley Barth
