Meet the Hackers Targeting Netflix

The Dark Overlord extorted several other companies before targeting the streaming service

In late April 2017, a hacker or group of hackers dumped apparent full episodes of the T.V. show Orange Is the New Black after Netflix allegedly declined to pay a ransom, and has threatened to release a number of other shows too, including Celebrity Apprentice, New Girl and The Catch.

But this was only the latest move from the group. Known collectively as The Dark Overlord, the hackers have established themselves with a dizzying number of data breaches, often stealing mountains of sensitive corporate and personal data.

For nearly a year, I and a handful of other journalists have followed The Dark Overlord, and watched it evolve from a group learning how to manipulate the media to aid in extortion attempts, to a ruthless and apparently organized criminal enterprise, albeit one whose ultimate financial success is uncertain.

The Dark Overlord first appeared in June 2016, when the group advertised hundreds of thousands of alleged records from several U.S. healthcare organizations on a dark-web marketplace. The hackers weren’t really trying to sell the data though—instead, the group had demanded a ransom from each of the victims.

“A modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims,” someone from the group said at the time.

The Dark Overlord seemed to be focused on the medical sector. It shortly followed up with another nine million supposed health care insurance records, and a few months later targeted Peachtree Orthopaedic Clinic based in Atlanta, Georgia.

The group also hacked a technology firm that provides software for healthcare services, and even a cancer service in Indiana. The plan, typically, was to entice journalists to cover the data breaches, so those articles could then be used to pressure extortion victims further.

“You’ll be publishing something?” The Dark Overlord asked me in a message related to one of the group’s more recent breaches.

With this in mind, the group also dug through the databases for high profile individuals. The Peachtree records allegedly included players for the Atlanta Braves and Atlanta Hawks, and The Dark Overlord claimed it had publicly dumped a number of medical files, including those related to Mark F. Giuliano, deputy director of the FBI.

According to a report from the Atlanta Police Department, several Peachtree patients fell victim to fraud after the hack, including phony credit card applications.

A report from the Atlanta Police Department related to a The Dark Overlord hack

Although the group continued to target health care facilities, The Dark Overlord soon broadened its focus to include corporations. In November 2016, the group said it had stolen personal and company data from Gorilla Glue, which makes consumer glue products, and went on to provide sample data allegedly stolen from a U.S. defense contractor.

“We have been actively committing industrial espionage for some time now,” someone from the group claimed in a message that same month. “Competitors are interested in these breaches, as are state-purchasers.”

According to an affidavit from FBI special agent Ronnie O. Buentello, published by Motherboard before it was retroactively sealed, The Dark Overlord had claimed around 15 major hacks by the end of March 2017. The breach of Larson Studios, the small post-production company whose compromise led to the attempted extortion of Netflix, may not be included in that figure.

An alleged text message sent by The Dark Overlord to the child of a corporate victim

Depending on who it’s communicating with, The Dark Overlord portrays itself as playful jester, ruthless criminal or calculated professional.

In its Pastebin posts and tweets, The Dark Overlord has tried to present a whimsical front. “I am he that liveth, and was dead; and, behold, I am alive for evermore, Amen; and have the keys of hell and of death,” the group tweeted in October 2016, referencing Revelation 1:18 before announcing more stolen data.

But when messaging the victims directly, the hackers apparently take a different approach. “Tell your mother and father that we have all of their research and development and we plan to destroy their company unless they cooperate with us,” reads a text message allegedly sent by the hackers to a child of one of the corporate victims.

And in other cases, the group has allegedly presented victims with detailed legal contracts, laying out the terms of their extortion and the responsibilities of each party.

“Conditionally, thedarkoverlord will securely erase all copies of the Client’s or other associated parties of the Client’s data,” reads an apparent contract between The Dark Overlord and one of its victims.

Motherboard obtained the contract from someone not directly affiliated with the hacking group. The signed document defines bitcoin and PGP encryption and gives a deadline for payment to be delivered. No one had sent funds to the bitcoin address mentioned in the contract at time of writing.

A section of an alleged contract between The Dark Overlord and a victim

Now, it’s unclear whether The Dark Overlord is actually an individual or a group. Over months of conversations with me, the group’s writing style and mannerisms dramatically changed several times, and someone using The Dark Overlord’s encrypted chat account did claim that multiple people had access to the account.

On one dark web forum, an apparent cybercriminal using the name “Crafty Cockney,” who is allegedly associated with The Dark Overlord, claimed the group is made up of three members between 20 and 40 years old “with a mixture of intelligence, strategy, humor and bottle.”

Crafty Cockney also posted a recording apparently of an extortion call to one of The Dark Overlord’s victims.

The exact link between Crafty Cockney and The Dark Overlord is unclear, but Dissent Doe, the pseudonymous creator of DataBreaches.net who has followed both fraudsters, told me that “there definitely was a relationship.”

“I don’t know what that relationship is these days, though,” Dissent Doe added.

It’s worth noting that a man who supposedly used the handle Crafty Cockney was arrested for allegedly trying to sell hacked photos belonging to a member of the British royal family in 2016.

The FBI’s investigation into The Dark Overlord is ongoing and has even probed a security researcher who has crossed online paths with the hacker group. But The Dark Overlord shows no sign of slowing down. “It’s nearly time to play another round,” the group tweeted on May 1, 2017.

This story originally appeared at Vice Motherboard.