A British man was extradited to the US this week to face charges of hacking and extorting US companies while part of an infamous hacking group known as The Dark Overlord (TDO).
The alleged TDO member, named Nathan Francis Wyatt, 39, was arraigned in a Saint Louis court today, where he pleaded not guilty.
According to court documents, US authorities believe Wyatt was one of the many TDO members who, since 2016, have been hacking US companies, stealing their data, and asking for huge ransoms.
If victims didn’t pay, the group would put the data up for sale on hacking forums, leak it on the public internet, or tip journalists about the breach in order to generate negative press coverage for the hacked company.
The official indictment claims that Wyatt and the other TDO members have been behind hacks at healthcare providers and accounting firms in the state of Missouri between the start of 2016 and late 2017 when the indictment was formally filed with a local court.
Responsible for tens of hacks
However, the group’s hacking activity is way broader. Since early 2016, TDO has claimed responsibility for tens of hacks. Below is a list of breaches for which the group has publicly taken credit, and which received media coverage.
Aggressive and unorthodox extortion campaigns
Many other intrusions went unreported or unverified, based on conversations this reporter had with the hackers in the past. This reporter declined to cover the group’s breaches after it became apparent the hackers were using media outlets and negative coverage to put pressure on the hacked companies to pay extortion demands [1, 2].
The group was also known for its unorthodox and aggressive extortion campaigns. For example, in late 2018, TDO members started sending bomb threats to schools in Montana which refused to pay ransom demands. When that failed, TDO members began sending death threats to students.
In many other cases, the group also made fun of victims by forcing them to sign legal contracts. These contracts included terms of the extortion demand, and the hackers’ and the victim’s responsibilities.
In another case, TDO members left rap-like extortion demands on a victim’s voice mail.
Even the US indictment filed in 2017 includes one case where TDO took extortion demands a tad bit too far. In this case, Wyatt allegedly sent threatening SMS texts to the daughter of one of the hacked companies’ CEO.
The US indictment seems to confirm a 2017 Motherboard report that suggested that Wyatt (under the nickname of Crafty Cockney) was one of the group members who was calling companies to request the ransoms — with his voice being heard on the rap-like extortion demand linked above.
Prior to being charged in the US, Wyatt already had a history of hacking in the UK. He was previously arrested by British police in September 2016 on suspicion of hacking the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge.
A formal case was never brought forward, and Wyatt was set free, only to be arrested again in 2017, when he pleaded guilty to 20 counts of fraud, holding a fake passport and blackmail.
After being charged in the US indictment, Wyatt has spent the past few months fighting his extradition to the US.
Another TDO member arrested in Serbia
Wyatt is the second TDO member charged and arrested in this scheme. In May 2018, Serbian authorities arrested a 39-year-old man in Belgrade.
Serbian authorities only shared the man’s initials (S.S.) and birth year (1980), which made tracking his case harder. It is unclear if this TDO member has been set free or is still fighting his extradition case.
TDO members often said they were a three-man crew. According to a Digital Shadows report, after the two arrests, the remaining member appears to have created a forum, where he began recruiting new members.
The forum, named KickAss Forum, was taken down a few months later.
The last mention of TDO activity came in January 2019, when TDO leaked data law firm handling cases related to the September 11 attacks.