
First LockBit, now BreachForums: Are cops winning the war or just a few battles?

Interview On Wednesday the FBI and international cops celebrated yet another cybercrime takedown – of the stolen-data brokerage site BreachForums – just a week after doxing and imposing sanctions on the LockBit ransomware crew’s kingpin, and two months after compromising the gang’s website.

While the BreachForums shutdown didn’t have quite the swagger of the LockBit seizure in February, the seizure banner did brag that the stolen-data marketplace “is under control of the FBI” and included profile pics of website admins Baphomet and ShinyHunters.

This “more aggressive” method of takedown illustrates what has become the norm among law enforcement’s approach to trolling cyber criminals over the last year or so, according to Michael McPherson, senior VP of security operations at ReliaQuest and a former FBI special agent.

“They’re flouting it,” he tells The Register. “It’s we-hacked-the-hackers brash talk. Whereas a couple years ago, they’d be pretty happy if they put a banner up on a website, that website went down for a little bit, and they’d call that a victory.”

Still, it’s the second time in a year that cops have reportedly seized control of the criminal souk. A prior version of BreachForums was shut down in June 2023 after a similar law enforcement effort. 

And it’s worth noting that BreachForums took over from the previously taken down RaidForums, which shuttered in 2022 following another joint police raid.


Plus, while law enforcement has named and shamed the suspect they believe is LockBitSupp – Dmitry Yuryevich Khoroshev – he’s not going to get cuffed anytime soon unless he’s dumb enough to leave Russia. So it’s plausible that if he is who they say he is, he’ll spin up another ransomware-as-a-service operation soon enough.

Despite the seeming whac-a-mole nature of these takedowns, they “absolutely work,” McPherson says. 

McPherson was the agent in charge of the FBI Tampa field office when it became the first to come across the Hive ransomware variant – and eventually led the seizure of the criminal crew’s network.

That operation – which shuttered the crew’s websites and took control of its servers – was the culmination of a seven-month covert operation during which the FBI hacked Hive’s network and used that access to provide decryption keys to more than 300 victims.

When it comes to police takedowns of these criminal networks, “the level of effectiveness varies,” McPherson concedes. 

“It didn’t take long for BreachForums last time to get back up after the last arrest,” he adds – referring to the site’s founding admin Conor Brian Fitzpatrick, aka “Pompompurin,” who was arrested in March 2023 and sentenced in January 2024 to 20 years of supervised release. BreachForums resurfaced shortly after that first arrest.

“It’s still a disruptive event,” McPherson says. “There’s always a difference between a disruption and a dismantlement.” 

Disruption vs dismantlement

“Disruption is a temporary state: you’re going to cause confusion, you’re going to sow distrust, you’re going to slow an organization down, you’re going to cost them more money, you’re going to put pain on the adversary,” he says.

Meanwhile, dismantlement involves arrests and confiscating infrastructure. 

“Any time you’re going after an organization – whether you’re talking about organized crime, terrorism, cyber crime nation-states — dismantlements are very hard, and they usually come at the end of multiple, multiple disruptions, a sustained effort of disruptions over time,” McPherson explains. “It’s a sustained pressure campaign.”

Austin Berglas, also a former FBI agent who now works as global head of professional services at BlueVoyant, puts the BreachForums operation more in the potential dismantlement category.

“It remains to be seen, but it sounds like a dismantlement because it sounds like they’ve arrested the administrators,” he tells The Register.

Berglas cites the website’s seizure banner showing the admins locked up along with Telegram chatter. “If that’s the case, it’s closer to a dismantlement,” Berglas observes. “It sounds like they’re deep in, they have full access to the back end. And when you’ve got that administrator access on the back end, then you start getting into some of the non-anonymized communications – the personal private communications that administrators and site owners are sending to each other. That’s really where the meat and potatoes are.”

Part of the reason why dismantlement is so hard has to do with Russia and other countries providing safe harbor for cyber criminals – essentially making it impossible to arrest them, Berglas adds.

“That’s the key: the more pressure, sanctions, government political pressure that you can put on these nations to stop being safe harbors and start giving people up – that’s what it’s going to take,” he says. 

And he admits this is probably unrealistic.

“I’m not a politician. All I know is the difficulty from experiencing it firsthand,” Berglas explains. “It’s really difficult to dismantle an organization fully. If you can’t get the individuals, can’t identify the person at the keyboard and then take them offline, you just can’t do it.”

From LulzSec to Silk Road

Berglas is a former assistant special agent in charge of the FBI’s New York Office Cyber Branch – a post he held for more than a decade. During that time, “we did numerous disruptions, and a few dismantlements,” he recalls. 

One of these dismantlements was LulzSec – the group linked to Anonymous, and its leader Sabu, who was arrested in June 2011.

“We turned [Sabu]. He became an informant, we put him back online and we were able to arrest the rest of that crew,” Berglas says. Sabu was also important in the government’s case against Julian Assange.

Silk Road, the notorious online drug market shut down by the FBI in 2013, is another one Berglas was involved with during his time at the bureau.

“That was a full dismantlement. We took that site down and arrested the site’s administrator and owner and creator,” he recalls. “Disruptions are more common because they’re easier. And I’m doing air quotes around ‘easier,’ because it’s not easy to identify the infrastructure, get access to that infrastructure, be able to take it down, and make everybody who’s on that site scamper like mice to another site.”

Is Scattered Spider next?

After LockBit, and the earlier ALPHV disruption in December 2023 – before an affiliate from that crew came back to extort Change Healthcare for $22 million – the big target remains on Scattered Spider. That’s the crew that famously broke into two Las Vegas casinos’ networks over the summer and remains at large – except for one arrest, a 19-year-old suspect from Florida.   

Private security researchers have tracked this crew of teens and 20-somethings, believed to be in the US and the UK, since at least 2022 – but so far they have mostly managed to evade the cops.

“These investigations can be years in the making, unfortunately,” Jon Clay, Trend Micro’s VP of threat intel, tells The Register. “It’s not like you do it in a week.”

However, there are indications that the FBI is getting closer to nabbing key members of this group – including comments made by Brett Leatherman, the FBI’s cyber deputy assistant director, to reporters during last week’s RSA Conference. 

“Brett Leatherman is out there talking publicly about [how] we’re going to do something – the FBI never talks like that,” McPherson observes, adding that he has no insider knowledge of plans regarding Scattered Spider.

“But they’re under tremendous pressure to do something,” he says. “I think that was a signal to say, ‘we got it, just give us a little bit of time.’ Or sometimes it’s because they’re doing something else. Maybe they penetrated the group, maybe they’re talking to people, maybe they found people already.”

In other words: wait and see. And hope that these criminals are doing a little more looking over their shoulders and second-guessing their communications in light of the last couple weeks. ®
