A scammer used a fake court order to convince a domain registrar to transfer ownership of a domain that lists dark web drug markets, then used that control to point the site's links at their own copies of the markets, built to steal visitors' bitcoin.
Hackers often make lookalike sites of dark web markets, but hijacking the directory that points to them with a fake court order is unusual. It bears some similarity to how scammers use fake trademark claims to convince Instagram to hand over valuable usernames.
"I had 2FA and PGP enabled on that account. I am not an idiot when it comes to security," Dark Fail, the pseudonymous admin of the site dark.fail, which was the victim of the hijacking, told Motherboard during the account takeover late last week.
Dark.fail is a site that aims to provide trusted links to dark web marketplaces.
"This resource is intended for researchers only. I do not vouch for any sites," a message on the Tor hidden service version of the site currently reads.
After the domain hijack, the attacker replaced each link with a phishing site, according to a message on dark.fail posted after Dark Fail regained control of the domain.
"Each site looked real but instead shared all user activity with the attacker, including passwords and messages. Cryptocurrency addresses displayed on these sites were rewritten to addresses controlled by the phisher, intercepting many people's money," the message reads.
Dark.fail was registered with the privacy-focused domain registrar Njalla, which is a reseller of the registrar Tucows for .fail domains, according to a tweet from Peter Sunde Kolmisoppi, co-founder of Njalla and of The Pirate Bay.
Sunde added that Tucows received a court order on April 28 listing domain names that a German court allegedly wanted handed over.
"The PDF looks like a real court order, I've seen a lot of these," Sunde wrote. "But this one is fake." It used language previously used in a real court order to seize a different domain, he added. He wrote that the fake document also included a gag order, meaning neither Njalla nor Hover, another impacted registrar, was told about the transfer.
Sunde told Motherboard in an online chat that Tucows shared a copy of the fake order with him.
"We've looked at it quite in detail and [are] quite certain it's possible to narrow down the suspects quite a bit with access to more evidence," Sunde added. He told Motherboard he agreed not to share a copy of the fake order itself since it's a piece of evidence in a potential criminal investigation.
Sunde said in another tweet that the dark.fail domain was transferred to the registrar Namecheap, and that Namecheap did not suspend the domain, despite it being used for an active phishing campaign, because it believed the court order was legitimate. Days later, Njalla was able to retrieve the dark.fail domain.
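The account-level protections Dark Fail mentions (2FA, PGP) never came into play here: the transfer was executed by the registrar itself, so the only place the hijack was visible was the registry's own record of the domain, which showed a new registrar and new nameservers. The following is an added example, not code from the article, dark.fail, Njalla, Tucows or Namecheap. It shows how a domain owner can diff the registry's RDAP record (RFC 9083 field names) against a baseline captured while the domain was known to be intact, and flag a registrar change, a nameserver change, a missing transfer lock, or a recorded transfer event. The two RDAP records, the domain example.fail, the registrar names and the nameserver names are all constructed for the example.

```python
"""Detect a registrar transfer or nameserver change from an RDAP domain record.

Added example; not the article's or any named company's code.  Both RDAP
records below are CONSTRUCTED to resemble a registry response (RFC 9083
field names).  example.fail, "Registrar A"/"Registrar B" and the nameserver
hostnames are hypothetical.  In practice the live record would be fetched
from the registry's RDAP base URL (e.g. https://rdap.org/domain/<name>)
and compared the same way.
"""
import json

# Baseline recorded by the owner while the domain was intact (hypothetical).
BASELINE = {
    "registrar": "Registrar A",
    "nameservers": {"ns1.example-dns.net", "ns2.example-dns.net"},
}

# Constructed record for the domain while intact: expected registrar and
# nameservers, transfer lock set, no transfer event.
INTACT_RDAP = json.loads("""
{
  "objectClassName": "domain", "ldhName": "example.fail",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Registrar A"]]]}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.net"},
    {"objectClassName": "nameserver", "ldhName": "NS2.example-dns.net."}
  ],
  "events": [
    {"eventAction": "registration", "eventDate": "2018-11-01T00:00:00Z"}
  ]
}
""")

# Constructed record for the same domain after a hijack: new registrar,
# attacker nameservers, lock gone, and a "transfer" event recorded.
HIJACKED_RDAP = json.loads("""
{
  "objectClassName": "domain", "ldhName": "example.fail",
  "status": ["ok"],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Registrar B"]]]}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns1.phish-dns.example"},
    {"objectClassName": "nameserver", "ldhName": "ns2.phish-dns.example"}
  ],
  "events": [
    {"eventAction": "registration", "eventDate": "2018-11-01T00:00:00Z"},
    {"eventAction": "transfer", "eventDate": "2021-04-29T14:03:00Z"},
    {"eventAction": "last changed", "eventDate": "2021-04-29T14:03:00Z"}
  ]
}
""")

TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def registrar_name(rdap):
    """Return the 'fn' of the entity carrying the registrar role, or None."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def nameservers(rdap):
    """Nameserver hostnames, normalised (lower-case, no trailing dot)."""
    return {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}


def check_domain(rdap, baseline):
    """Return a list of findings; an empty list means the record matches the baseline."""
    findings = []
    reg = registrar_name(rdap)
    if reg != baseline["registrar"]:
        findings.append(f"registrar changed: {baseline['registrar']!r} -> {reg!r}")
    ns = nameservers(rdap)
    if ns != baseline["nameservers"]:
        findings.append(f"nameservers changed: {sorted(baseline['nameservers'])} -> {sorted(ns)}")
    if not {s.lower() for s in rdap.get("status", [])} & TRANSFER_LOCKS:
        findings.append("no transfer lock set (client/server transfer prohibited absent)")
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "transfer":
            findings.append(f"transfer event recorded at {ev.get('eventDate')}")
    return findings


if __name__ == "__main__":
    for label, record in (("intact", INTACT_RDAP), ("hijacked", HIJACKED_RDAP)):
        print(label, check_domain(record, BASELINE) or ["OK: matches baseline"])
```

Run this against the live RDAP record on a schedule and alert on any non-empty result; a registrar lock that quietly disappears is itself worth paging on, since it precedes the transfer rather than following it.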
Namecheap said in a statement that "Namecheap responsibly and thoroughly investigates every allegation of reported abuse. We are also proactive in identifying individual abuse, broad scale abuse patterns, and working with federal agencies to collectively get in front of new forms of abuse. We are in regular contact with law enforcement agencies and voluntarily provide analysis of what we are seeing, how we are trying to combat the abuse, and how we can best work together to find ways to stop any uncovered fraud."
The statement also disputed that Namecheap believed the fake court order to be legitimate. "In this case, we were not provided any actionable evidence of phishing or abuse from Tucows or Njalla (a Tucows reseller) and immediately began an internal investigation upon receipt of a transfer dispute request. For clarity's sake, Namecheap never stated that the court order was legitimate, nor have we received a copy of a court order from Tucows or Njalla. Upon investigating the case, and without knowledge of what had led Tucows to initially allow the transfer of the domains to Namecheap, we quickly determined a court order provided to us by the new registrant to be a falsified document. We then commenced the process to transfer the domains back to Tucows. Namecheap suspended the domains for phishing prior to their transfer back to Tucows, along with two other associated domains that we identified were used in this incident of abuse," the statement added.
"Our findings show that Tucows was the victim of an intricate phishing scheme presented under the guise of a secret court order. This was a hyper-targeted phish designed with the direct intent of hijacking select domains," Madeleine Stoesser, PR and corporate communications lead at Tucows, said in a statement. "We immediately began steps to successfully retrieve the domains and have implemented new processes to mitigate future issues. As the second-largest domain name registrar in the world by volume, Tucows is committed to the continued privacy and security of domains and our customers."
"Once someone controls your domain you're toast," Dark Fail told Motherboard.
Updated: This piece has been updated to include statements from Tucows and Namecheap.