When investigators try to track down cybercriminals, one snippet of info can make all the difference.
According to researchers from Talos, a division of cybersecurity company Cisco, some of the largest cybercrime operations in recent history are linked by an email address.
The start of the trail was Lurk, a banking trojan that has targeted Russian users. In June, Russia announced it had arrested a gang of around 50 hackers who had stolen over $25 million from the accounts of the country's financial institutions. Those arrests are widely believed to be related to Lurk.
Shortly after those arrests, other large-scale hacking campaigns went to ground. Necurs, which some consider to be the world's largest botnet, vanished (it came back around three weeks later). The Angler exploit kit, which Talos estimated was earning cybercriminals around $30 million a year, disappeared too. So did the Dridex and Locky campaigns, the latter being one of the most pernicious ransomware waves.
It seems some of those events might have been related.
Nick Biasini, threat researcher at Talos, found that approximately 85 percent of the Lurk malware's command and control servers uncovered by Talos—used by hackers for delivering messages to their bots—were registered to john[.]bruggink@yahoo[.]co[.]uk.
Talos also found the email address linked to Lurk was associated with the back-end communication of Angler; it was registered to domains that redirected users to Angler as well as one that delivered the exploit kit's payloads.
"This is one of the reasons why we do actor/threat tracking. Although it doesn't represent 100% certainty, it definitely has strong indications that they are all connected, since they all went down after the Lurk arrests," Biasini told Motherboard. "Again, it's not focused on finding the individuals behind the keyboard but on the breadcrumbs they leave behind to help connect threats as they emerge."
Maybe next time, the people behind Lurk should make a few more email accounts.