Cyber Crime Junkies

Why Facebook Was Down. Exit Scams and Cyber Crime.

March 06, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 28

We discuss the recent Facebook outage and explore possible causes, including technical issues and DDoS attacks. The conversation then turns to the importance of reputation for cybercrime gangs and the impact of law enforcement on disrupting their operations.

The focus shifts to the apparent exit scam by ALPHV/BlackCat, one of the most prominent ransomware gangs, and the risks associated with paying ransomware gangs. The episode concludes by highlighting the prevalence of exit scams in the cybercrime community and the connection between reputation damage and the Facebook outage.

Takeaways

  • Meta attributes the Facebook outage to a technical issue; a DDoS attack is the other explanation circulating, and a cybercrime gang's involvement would only be established if one credibly claims responsibility.
  • Reputation is crucial for cybercrime gangs: it establishes their credibility with affiliates and with victims, and so underpins their ability to extort payment.
  • Law enforcement can disrupt cybercrime gangs and damage their reputation within their own community, as seen in the December 2023 disruption of ALPHV/BlackCat.
  • Paying ransomware gangs carries risks: it funds their operations, attracts more attacks on the targeted sector, and, as the ALPHV/BlackCat case shows, gives no guarantee that the stolen data will not still be leaked by whoever holds it.

Chapters

  • 00:00 Introduction and Facebook Outage
  • 02:10 Possible Causes of Facebook Outage
  • 04:20 Importance of Reputation for Cybercrime Gangs
  • 05:19 Disruption of Cybercrime Gangs
  • 07:16 ALPHV/BlackCat Exit Scam
  • 09:12 Risks of Paying Ransomware Gangs
  • 13:18 Exit Scams in the Cybercrime Community
  • 14:15 ALPHV/BlackCat's Exit Scam
  • 22:09 Reputation Damage and Connection to Facebook Outage
  • 24:02 Impact of Law Enforcement on Cybercrime Gangs
  • 24:30 Importance of Reputation and Confidence in Cybercrime



Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!

The Most Secure Managed File Transfer System. 

David Mauro (00:01.773)


Everyone, there have been some recent key developments in the cybercrime landscape in the past few weeks. Many have been asking why Facebook was down, why Instagram was down, what caused it. And there are things you should know. So we wanted to provide a quick update on what our researchers, dark web feeds, friends and colleagues have been chattering about, and also talk about exit scams. I mean, as we've explained, ransomware gangs, you know,

have topped the charts in the last year. There's a record volume of the number of ransomware attacks, mostly because they run it as a big business, as we've explained. They have the ransomware as a service model, right? Which is organized crime. Think of it like organized crime. There's the head people that have developed the code. They have the names of the groups. The top names in the industry globally have been LockBit.

and BlackCat. We've talked about them oftentimes on this episode. And they've been evolving into extortion as a service, meaning rather than launch the actual ransomware encryption, they've actually just been stealing the data and blackmailing people and making vast amounts of money, hundreds of millions of dollars, doing so. You know, the head

organized crime units, the names of those groups, they leverage all these digital mercenaries, all of these affiliates, right, and they pay them a percentage of it. Some of them have expanded the amount that they pay them to handsome amounts. But the head guys own the code at the end of the day. And today we want you to think about it differently when we think about why Facebook was down and

why Instagram was down globally. You know, there's also an element that is tied to the reputation of cybercrime gangs. And what we're going to learn from the outage of Facebook and Meta is going to show you and demonstrate which cybercrime gang was involved, whether a cybercrime gang was involved, whether it was...

David Mauro (02:24.844)
politically motivated from a nation state or not and we'll tell you and update you on the findings that we had. This is the story of why Facebook was down, exit scams, and cyber.


David Mauro (00:14.83)
So meta that.

David Mauro (00:20.462)
Welcome everybody to Cybercrime Junkies. I'm your host David Mauro. We want to provide you with some updates on why Facebook was down and talk about recent breakthroughs that have happened and why they're significant. We want you to think about things differently here and touch on exit scams and cybercrime, because we're seeing it happen right now. Let's get to why Facebook was down, why Instagram was down. Meta's platform, the owner of Facebook and Meta,

went down for hundreds of thousands of users on Tuesday. It was Super Tuesday, the big political voting day here in the United States. It went down from what Meta is calling a technical issue. That was it. The outage was resolved.

David Mauro (01:24.737)
a little bit before 10 a.m. or so Eastern and ended mostly by 1 to 2 p.m. Eastern. And what's significant there is the chatter that has been happening on the dark web forums and...

by security experts around the globe, and that is why did it actually go down? We see this all the time when a platform system goes down, but really everybody initially always says it's just a technical issue, we were updating something, but in reality you see a cybercrime gang demonstrate evidence on the dark web that they were the cause of it. Well here,

What many believe is that it either was a technical issue, as Facebook is claiming, or it was a DDoS attack, a distributed denial of service attack. It's designed to force a website, computer or online service offline. They do this by flooding the sites, flooding the Facebook and Instagram sites, excuse me, with so many requests,

David Mauro (02:45.615)
legitimate requests. Basically, they flooded with so many inquiries that it crashes.

If it is a DDoS attack, as some people are claiming on the dark web right now, it's only significant if a cybercrime gang takes credit for it. They declare that they did it, right? If nobody does, it's one of two options. It actually was simple, not simple, but it simply was a technical issue concerning the infrastructure of Facebook, or it was a state actor,

right, who wanted to disrupt social media. And that gets into national security, espionage and other matters. We've seen this in other breaches, right? We've talked about it on the show, and that is, think about the Anthem breach, right? The largest breach in healthcare, the OPM breach, the Office of Personnel Management, the Starwood Hotels/Marriott breach and the Equifax breach. All that ultimately

came from the Chinese government and there've been indictments by the Department of Justice as they found the root cause. So that's one aspect to think about this. But what gets into it is why would a cybercrime gang take credit for it? Why is it important that they do it? Well, think about why it's so important for cybercrime gangs to have...

a strong reputation, to have street cred, to actually understand and have a reputation within the dark web channels that they are powerful, that they can get things done that other ones can't get done, that they are legitimate within their context of what they operate in. It gets into the very heart of the existence of a cybercrime gang. They're there.

David Mauro (04:50.275)
Because of confidence. They're there because affiliates trust them. Organizations trust, when they pay those ransoms, that they're in with, albeit a criminal, but they have a reputation, they have a real, actual, you know, strong entity behind them. Otherwise, they would never pay, right? They believe that they actually do have their data.

What we saw this week with the takedown of the Change Healthcare system by ALPHV and BlackCat, which those that listen to this podcast know we've gone in depth into BlackCat. There's other episodes where we've talked about the rise and fall of BlackCat, which occurred this past December. But

think about it. What is happening now is that law enforcement has been able to disrupt LockBit and BlackCat, and we're going to cover LockBit in a separate episode, but they've been able to disrupt the top two cybercrime gangs on the planet by destroying and making their own criminal community

question their authenticity, question their credibility, and damaging their reputation. The irony here is, isn't that where they get their leverage from in the first place? Don't cybercrime gangs leverage the power they have to damage an organization's brand and reputation, but yet we're seeing the fall or the implosion of

cybercrime gangs because of that very fact, because they've lost that reputation or they've destroyed it within their own community. We've seen that with LockBit, and we're going to get into that on a different episode, but we just saw how BlackCat and ALPHV have destroyed their own reputation and caused the players there, the heads there,

David Mauro (07:16.37)
to draw into question their own credibility and their own reputation. Here's what happened, right? We know that BlackCat had been taken down by the FBI last fall. We reported on it. It was all over the news. And then BlackCat came back and then they went under. And then the law enforcement, the FBI, put back the banner over their

website that said that they had seized it, but then BlackCat came back. They did come back, because Change Healthcare, the largest pharmaceutical healthcare provider, right, was breached by BlackCat, by ALPHV. How do we know? They took responsibility for it immediately, right? And that was last week. And it disrupted the pharmaceutical distribution of drugs

that were needed by people throughout North America, throughout the US, throughout Canada. And it was a big deal. Well, just a couple days ago, it came out that Change Healthcare had allegedly paid BlackCat/ALPHV $22 million in ransom.

There's an issue with doing that, right? Number one, the FBI says never do that because you're paying the criminals, you're funding the enterprise to continue to grow. Number two is it also opens the floodgates for other cybercrime gangs and other ransomware gangs to start targeting organizations in that sector. Threat actors and criminal cybercrime gangs are nothing but predictable, right?

If they see blood in the water and they see somebody paying in a specific industry, they all flood there. And you're starting to see spikes already as soon as this came out. So here's what happened. So the BlackCat ransomware gang is now, they believe, pulling an exit scam. They're trying to shut down and run off with their affiliates' money by pretending that the FBI has now seized

David Mauro (09:41.17)
their site and infrastructure again. But what's interesting is that the FBI and the NCA, the United Kingdom's law enforcement group that coordinated with the FBI, are all saying they didn't do that this time. This is done.

The gang announced just yesterday, and it is Wednesday, March 6th, that they are now selling the source code for the BlackCat malware. Remember, BlackCat came from, they believe, either BlackMatter or Black Basta and these other cybercrime gangs, or has ties to some of the other ones like Conti and some of those. But what made BlackCat so unique is they wrote their source code in this Rust language,

which is very new and trendy and easy to use, plug-and-play. It's the language that the code is written in, but that's part of the reason why it got so popular. As you will recall, as we reported before, after BlackCat was

taken down by the FBI and the FBI put up their banners, like this site has been seized, BlackCat came back. They restored their infrastructure and they were angry. They were pissed. They wound up saying all restrictions of our code of ethics, meaning don't target nuclear plants, don't target children's hospitals, don't target certain more

sensitive types of targets in the United States, all the gloves were off. They came back and they said go for it. And to affiliates in the marketplace: you have so much respect for us and our reputation, we're even going to pay you more of the cut that you collect in your criminal enterprises. So what happened was, they went and Change Healthcare gets breached.

David Mauro (11:52.772)
Massive, massive win. ALPHV/BlackCat clearly executed on their threat, right? But now it looks like they've turned on their own affiliates. Here's kind of the story. So law enforcement, as we said, you know, even though there's a banner now that BlackCat has on their infrastructure on the dark web,

the law enforcement agency listed that banner, right? And Bleeping Computer has a great write-up on this. We'll have links in the show notes. They actually confirmed with Bleeping Computer, law enforcement did, that they were not involved in any recent disruption of ALPHV infrastructure. ALPHV came out online, BlackCat came out online and said, the feds screwed us over, I can't believe this happened. But what they believe,

unequivocally, and what is all over the dark web now, is that the ransomware gang actually is doing an exit scam, meaning they blame somebody else and they shut down and they steal all the money. We also just see, we saw this earlier. We've reported on exit scams in the past. Gerald Cotten potentially was an exit scam, the largest crypto exchange. There is

the other crypto exchange person on the FBI most wanted, Ruja Ignatova. And then there's a recent one of a criminal market that just, it was called Incognito, that was on the dark web. It was a criminal market where you can buy all this information and then buy all these illegal drugs, illegal malware, fake IDs, all this on the dark web. And they just all...

take everybody's money and then they go out of business. The difference is, in crime, there's no, like, bankruptcy laws. It's not like you can make a claim and put a lien on the remaining assets. It's not like there's a restructuring process. It's an exit scam. That's why reputation is so important. And that's why it's tied to why Facebook is down, was down, because...

David Mauro (14:15.093)
If it was a gang, we will hear about it. If it's not, it has meaning. So what we're going to learn about why Instagram was down or why Facebook was down in the last couple of days will be very telling, and we'll report on that in just a second. So circling back to BlackCat and ALPHV. So the gang's status on their Tox channel. So Tox is the encrypted messaging service.

Right? It's one of the things you have to do if you get involved in a, if you get attacked by ransomware: you have to go and download the Tor browser, get on the dark web, communicate with a, you know, a foreign entity ransomware gang who's very good at their job. And you'll do this usually on a Tox channel, right? And what BlackCat's Tox channel said yesterday was GG,

for good game. And that was all that the affiliates and the cybercrime community needed to see. What they were doing is they were hinting at the end of their operation. And later they typed out and said, we're selling our source code for $5 million,

indicating that they wanted $5 million to purchase the malware. And then it could be rebranded and repackaged under some other name. So in a message that one hacker forum had, and that was shared by Recorded Future's Dmitry Smilyanets,

the administrators of the operation, BlackCat, said they, quote, decided to completely close the project, unquote, and they can officially declare that the feds screwed us over. So that's what they're claiming, right? But it's an exit scam. You know, the ALPHV leak site right now still shows a fake banner announcing that the FBI seized the server

David Mauro (16:26.421)
in a coordinated law enforcement action taken against ALPHV/BlackCat ransomware. The NCA told Bleeping Computer just this morning that they were not involved in any recent disruption, nor was the FBI, to ALPHV's infrastructure. And even though they list, both of them, both of those entities are listed on the fake seizure message.

The FBI itself has declined to comment on the seizure notice, but there's no indication whatsoever that they did this. What's also interesting is that researchers have noticed that the seizure banner image is hosted under a folder named "THIS WEBSITE HAS BEEN SEIZED_files", right? Which clearly indicates that the banner was extracted from an R.

Okay, so what's fascinating here is they simply saved the takedown notice from the old leak site and spun up some Python HTTP server to serve it under their new leak site. You know, that's ridiculous and that's exactly what they did. Now, despite the NCA's...

statement, and evidence that the banner on the leak site is not the result of law enforcement activity, ALPHV, the actual criminals, the heads of that organization, they communicate with security researchers. They spoke with a couple different researchers as well as Bleeping Computer itself. And they claim that their infrastructure was seized. But rumors of this exit scam started a while ago, right?

There is an affiliate of ALPHV called Notchy, right? These are usernames that they use online. And he claimed that the gang had closed his account and robbed him of the $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack. Think about that for a second. You have an

David Mauro (18:51.337)
a hacker, right? Not a good hacker, a black hat hacker, right? You have the affiliate, the digital mercenary who collected the 22 million, turns it over to BlackCat. And there's several examples of the evidence on the blockchain that shows that BlackCat collected this money, right? So

BlackCat has the money that the affiliate did. The affiliate still has all of the data, this confidential data that BlackCat, the core group, said that they will destroy and won't release if you pay us the money. BlackCat got the money, the $22 million, and then shut down operations. That's the exit scam. The affiliate,

the one who actually did the attack, still has all the data and still can release it, right? And Change Healthcare paid the money. It's in the hands of BlackCat, but they have shut down. And they did not pay their own affiliate. And in fact, there's been numerous reports from other affiliates that BlackCat is holding onto the money, all while they shut down

their operations. After getting the funds, the recipient address, allegedly belonging to ALPHV operators, distributed the bitcoins to various wallets in equal transactions, it looks like, of about 3.3 million. So what's interesting is, while the recipient address is now empty, meaning

the blockchain address, the wallet for ALPHV and BlackCat, the core cybercrime group. The amount that it received in the last week or so, according to the blockchain and what research...

David Mauro (21:05.656)
close.

David Mauro (21:10.488)
in that didn't go back out and then they shut down.

So which is just a monumental exit scam with claims from affiliates not getting paid, a sudden shutdown of the infrastructure and cutting ties in communications automatically with several different affiliates from several different breaches. Plus when you couple in the.

GG message, that good game message on Tox, announcing that they were selling their malware source code for five million. And then pretending that the FBI took control of their websites. All of this leads to one thing. And it looks like the ALPHV/BlackCat ransomware administrators are exit scamming. What do you think? I mean, I want to hear from you.

What's interesting is how in the world can those involved recover from the damage to their reputation within their community, within that cybercrime community, or does it even matter? Are they just taking that money and retiring? But it gets to...

you know, the adage of, you know, when you swim in that cesspool with those snakes, you're going to get bit. And this is, you know, going to be followed up on why Facebook was down, because it's tied based on who declares the...

David Mauro (23:04.281)
responsibility for it, or whether it's not at all. That's what we're continuing to look for. We're going to report on that. But when you think about the different effects of the reputation that this has, and when you hear about what has happened, and many of our listeners are involved in the community, for those, you know what's happened to the reputation of the leading cybercrime gang on the planet, and that was LockBit.

Now the number two, right? BlackCat was number two globally, like by far. Like number three isn't even close. So number two has done this massive exit scam, and it seems like there's no other explanation. And the reputation of the number one has just completely kind of been destroyed through the efforts of law enforcement. The...

The take here by us is this, think about what these groups do to brands, right? They destroy reputations. But their own reputations are now destroyed. Law enforcement has done a lot more than just take down infrastructure. They've caused the very reputation of those. And when you think about an exit scam,

Why would the affiliate have transferred $22 million over to that group? Because he had confidence that they were going to pay him. It's about confidence. You gain confidence because of your reputation. But the confidence is the con part of cyber.

Thank you for listening and the next episode starts right now.