The keys to catching a cyber crook
Why greed, carelessness and an itch for glory are highly exploitable chinks in a cyber criminal's armour


The recent capture of the REvil ransomware gang ended one of the longest cyber crime manhunts in history. It also sent a message to the criminal underworld: if a group like REvil can be caught, nobody is beyond the reach of the law. Given the gang's ingenuity, demonstrated through a series of infamous attacks over the years, how were they ever caught?
The fear among legislators is that cyber criminals tend to get away with it. "Governments have been caught on the backfoot by the adoption of technology by organised crime gangs," Colum Smith, chief vision officer at Taylor Rose MW Solicitors, tells IT Pro. Indeed, leading UK judge Sir Geoffrey Vos is so concerned about the dangers of "applying analogue rules to the digital environment" that he's pushing through new powers to track digital assets and bring cyber criminals to court.
Hackers, however, aren't necessarily criminal masterminds. Often, all it takes is one slip-up while investigators are watching. REvil may have been brought down by the combined might of the FBI, Interpol, Europol, the US Department of Justice (DOJ), ethical hackers and security firms, but it was a mundane click by a REvil insider that let the FBI infiltrate its system. After accidentally activating investigators' monitoring technology, 'O—neday' was last seen writing on a forum: "The server was compromised, and they were looking for me. Good luck, everyone; I'm off."
Lapses in concentration
Rookie hackers, such as so-called 'script kiddies' who've been lucky enough to find a security hole, are relatively easy to catch. The TalkTalk hackers, for example, were arrested after failing to realise their IP address was visible through their provider. The police promptly turned up on their doorsteps. "The guys weren't very good at it," says Kevin Curran, senior IEEE member and professor of cyber security at Ulster University. "They were like naive teenagers, so they were easily caught. It only took a few weeks."
The availability of exploits and hacking services through the dark web has made cyber crime an easy option for inexperienced chancers, says Elisa Costante, VP of research and threat intelligence at Vedere Labs. "That lowers the entry level for a hacker. You don't need to be an expert anymore to create damage, and they may not be very good at covering themselves."
Even seasoned hackers make mistakes, though. Diligent cyber criminals use tools such as Tor and encrypted virtual private networks (VPNs) to mask their IP addresses, and may also launder connections by routing them through a daisy-chained series of hacked proxy servers. It only takes a momentary lapse in these operational security (OpSec) procedures, though, to expose the hacker, leaking IP information that can't be put back in the box.
One brilliant hacker brought down by an OpSec oversight is Ross Ulbricht, creator of drugs marketplace Silk Road. "This guy was really, really clever, but he was caught because he used his 'altoid' handle while his VPN was turned off," says Curran. "The trouble for him was that he was too successful. There are guys making a few thousand or even a few million that'll never get caught, because law enforcement can't justify the resources. But the FBI commitment to catching Ulbricht was huge."
Ransomware risks
Ransomware may seem like a high-reward, low-risk crime strategy because it delivers an untraceable payday, thanks to Bitcoin and other cryptocurrencies. It has a couple of ingrained flaws, however, that make its perpetrators vulnerable. "If I do a ransomware attack on you, I've now got to deal with you as a customer," says Simon Edwards, founder of SE Labs. "I've got to walk you through getting the money off you. That makes the risk higher for me, because what if you track me?"
Then there's the need to cash the ransom. You still can't buy much using Bitcoin, so you have to convert it, and those transactions will turn up in the blockchain ledger. DarkSide, the gang behind the Colonial Pipeline attack, had its assets seized in May 2021 when blockchain analytics firm Elliptic revealed $90 million in ransom payments to DarkSide and its affiliates. The February 2022 arrest of a New York couple involved in the 2016 Bitfinex hack, too, reminds us that crypto crime is far from untraceable.
"The human is the weak link, always," says Costante. "As long as they stay in cryptocurrency they are sort of safe, but they want to cash in. They use techniques similar to money laundering; for example, lots of small transactions. The moment they go and get out $50,000 or $100,000 or $1 million, however, that's where they get caught."
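The cash-out pattern described above, splitting a large sum into many sub-threshold transfers, is exactly what blockchain analytics and anti-money-laundering tooling look for. The following is an added example written for this article, not code from Elliptic or any firm quoted here: it runs a sliding-window check over a constructed ledger and flags source wallets whose many small transfers add up to a large aggregate within a short period. Wallet labels, amounts and thresholds are all constructed for illustration.

```python
"""Flag structuring-style cash-outs in a transaction ledger.

Added example, not from the article. Given outbound transfers from wallets
to exchange deposit addresses, group by source wallet and flag sources whose
sub-threshold transfers add up to a reporting aggregate within a time window.
All labels, amounts and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # time the transfer was observed on the ledger
    src: str            # source wallet (constructed label, not a real address)
    dst: str            # destination, e.g. an exchange deposit address
    amount_usd: float   # fiat value of the transfer at that time


def _spaced(src, dst, start, count, hours, amount):
    """Build a run of evenly spaced transfers from one wallet."""
    return [Transfer(start + timedelta(hours=hours * i), src, dst, amount)
            for i in range(count)]


BASE = datetime(2021, 5, 1, 9, 0)

# Constructed ledger. "w-ransom-1" splits roughly $100k into twelve sub-$10k
# deposits over two days; "w-normal" makes two ordinary payments; "w-big"
# moves $60k in a single transfer, which is not structuring (a lone large
# transfer trips the per-transaction threshold on its own).
LEDGER = (
    _spaced("w-ransom-1", "exch-deposit-7", BASE, 12, 4, 8_500.0)
    + [Transfer(BASE + timedelta(days=1), "w-normal", "merchant-a", 3_200.0),
       Transfer(BASE + timedelta(days=3), "w-normal", "merchant-b", 4_100.0),
       Transfer(BASE + timedelta(days=2), "w-big", "exch-deposit-7", 60_000.0)]
)


def flag_structuring(transfers, per_tx_limit=10_000.0, aggregate_limit=50_000.0,
                     window=timedelta(days=7), min_count=5):
    """Return {source wallet: largest in-window total} for every wallet whose
    sub-threshold transfers reach aggregate_limit within window.
    """
    by_src = defaultdict(list)
    for t in transfers:
        if t.amount_usd < per_tx_limit:       # only sub-threshold transfers count
            by_src[t.src].append(t)

    hits = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t.ts)
        start, total = 0, 0.0
        for end, t in enumerate(txs):
            total += t.amount_usd
            # shrink the window from the left until it spans at most `window`
            while txs[end].ts - txs[start].ts > window:
                total -= txs[start].amount_usd
                start += 1
            count = end - start + 1
            if count >= min_count and total >= aggregate_limit:
                hits[src] = max(hits.get(src, 0.0), total)
    return hits


if __name__ == "__main__":
    for src, total in flag_structuring(LEDGER).items():
        print(f"{src}: ${total:,.0f} in sub-threshold transfers within 7 days")
```

The thresholds are deliberately parameters: real programmes tune the per-transaction limit, aggregate and window to the jurisdiction and to the exchange's own reporting rules, and a hit is a lead for an analyst to trace through the chain rather than a verdict on its own.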
Criminals are all-too-human
As well as leading them to cash stupidly large sums of money, greed also turns criminals into sitting ducks for social engineering. When Kevin Curran was tasked with unmasking a Twitter troll, the only detail he could find was an email address. So he sent a message saying "is this iPad yours?", plus a photo of an expensive device. The bait worked, and the troll got in touch.
Arrogance, however, may be hackers' biggest human flaw, with many unable to resist ‘signing’ their coding work like artists. This makes them easy to track by steganographers who look for unique identifiers in code. "Hackers want to show off their skills," says Harman Singh, director of Cyphere. "They leave comments in the codebase in spyware and rootkits, often in a distinctive writing style."
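Looking for "signatures" left in comments is a simple form of code authorship analysis: strip the comments out of recovered samples, discard the tokens any programmer would write, and see which distinctive tokens two samples share. The block below is an added example written for this article, not code from Cyphere or any firm quoted here; the three code samples and the handle in them are constructed, and the stop-word list is an assumption.

```python
"""Rank recovered code samples by the distinctive comment tokens they share.

Added example, not from the article. The samples are constructed stand-ins
for snippets recovered from different incidents; the stop-word list is a
minimal assumption and would be much larger in practice.
"""
import re

# Constructed samples (not real malware). A and B come from "different"
# incidents but carry the same sign-off; C is an unrelated library file.
SAMPLE_A = """
// greetz from exampl3_crew - still here
int hide(int pid) { /* TODO: cleanup l8r */ return pid ^ 0x1337; }
"""
SAMPLE_B = """
# exampl3_crew still here, greetz
def cloak(pid):  # TODO cleanup l8r
    return pid ^ 0x1337
"""
SAMPLE_C = """
// Copyright 2020 Example Corp. Licensed under MIT.
int add(int a, int b) { /* simple helper */ return a + b; }
"""

# C/C++-style line and block comments plus '#' line comments (assumed languages).
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
TOKEN_RE = re.compile(r"[a-z0-9_]+")

# Tokens that carry no authorship signal; constructed, deliberately short.
COMMON_WORDS = {"the", "to", "was", "here", "todo", "a", "and", "of", "is",
                "in", "for", "from", "still", "this", "it", "fix", "note"}


def comment_tokens(src):
    """Return the set of lower-cased tokens found inside comments of src."""
    tokens = set()
    for m in COMMENT_RE.finditer(src):
        body = re.sub(r"^(//|#|/\*)|\*/$", "", m.group(0)).strip()
        tokens.update(TOKEN_RE.findall(body.lower()))
    return tokens


def shared_markers(a, b, common=COMMON_WORDS):
    """Distinctive comment tokens present in both samples."""
    return (comment_tokens(a) & comment_tokens(b)) - common


def rank_candidates(query, corpus, common=COMMON_WORDS):
    """Rank corpus samples by how many distinctive comment tokens they share
    with query. Returns [(name, score, sorted markers)], best match first."""
    scored = []
    for name, src in corpus.items():
        markers = shared_markers(query, src, common)
        scored.append((name, len(markers), sorted(markers)))
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    corpus = {"incident-B": SAMPLE_B, "oss-lib": SAMPLE_C}
    for name, score, markers in rank_candidates(SAMPLE_A, corpus):
        print(f"{name}: {score} shared markers {markers}")
```

Shared-token overlap is the crudest possible stylometric feature; real attribution work adds spelling and punctuation habits, identifier naming, formatting and build-environment artefacts, and treats every match as corroboration to be weighed rather than proof of a common author.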
Organisations like Anonymous trade on their infamy, so capture is part of the plan. Others, though, seem to forget that showing off can land them in prison. LulzSec hacker Sabu, whose real name is Hector Monsegur, was arrested after bragging on internet relay chat (IRC) without hiding his IP address. Even Ross Ulbricht couldn't resist hinting at his Silk Road work on LinkedIn, of all places.
Criminals do now tend to limit their self-promotion to the dark web, but investigators know this. There are entire security platforms, such as Cybersixgill and Recorded Future, devoted to monitoring closed forums, and investigators are even using techniques such as neuro-linguistic programming (NLP) to identify individuals.
Security firms say they've noticed a shift in discipline, with hackers growing less likely to claim responsibility for attacks, especially those exposed by embarrassing OpSec failures. "In 2021 we had four record-breaking DDoS attacks, but no-one claimed them," says Daniel Smith, head of security research at Radware. "This is a major turnaround from the decade before, when groups like Lizard Squad and Anonymous used DDoS attacks to market themselves."
Hackers may be learning to keep quiet, but investigators are mastering new hacker-hunting manoeuvres at pace. Soon, the criminals are going to need a whole new dark web to keep themselves hidden.
Jane Hoskyn has been a journalist for over 25 years, with bylines in Men's Health, the Mail on Sunday, BBC Radio and more. In between freelancing, her roles have included features editor for Computeractive and technology editor for Broadcast, and she was named IPC Media Commissioning Editor of the Year for her work at Web User. Today, she specialises in writing features about user experience (UX), security and accessibility in B2B and consumer tech. You can follow Jane's personal Twitter account at @janeskyn.