> “These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote.
Is the "Think about your next move" messaging that intimidating to hackers, especially those living in non-US-aligned countries?
I suspect this flood of weirdly cyberpunk imagery (seriously, mugshots with a Matrix background?) is more of an artistic choice to flatter the egos of the task force's agents than a strategic move. White hat hackers probably like pretending they're in a spy movie as much as black hats do.
Yeah, I think that’s the goal - ratchet up the psychological pressure and see if anyone makes a mistake.
By way of the example about the LockBit leader: you’re that guy and the feds put up a site saying they know who you are and in 2 days they’re announcing your identity to the public - what do you do? You’re an associate of that guy - what do you do?
The feds are basically whacking the side of the box to see what happens - when the status quo isn’t working, inject some chaos and see what you get.
> Is the "Think about your next move" messaging that intimidating to hackers, especially those living in non-US-aligned countries?
Don't know in practice for everyone, but people still like to travel. And the US doesn't forget. Do you remember Marcus Hutchins coming for the conference?
Once the details are out, they can potentially grab you through other friendly countries too.
An NSA or DOD guy doing digital forensics and cybercrime type stuff came to one of my college classes to teach a lesson or two. He mentioned that he would love if we came to work with him, but also people he talks to at colleges almost never do because even median pay at a generic private sector corp is better than the government wages for that work. So yes, people working in the majority of cybercrime shops are people who either couldn't hack it at a generic boring C# corpo job, or are specifically more interested in being a white hat than getting paid lots of crinkled, sweat-dampened VC money.
Eh. It is more complicated than that. I started out in DIA and a lot of government employees in the "hacker space" are indeed underpaid compared to their civilian counterparts. The way the sausage is really made though is through contracting, and these folks are paid. Bottom line is that if you want to do cyberspace stuff for Uncle Sam and want to be paid, you shouldn't be going to any careers/*.gov website. Look instead for generic "Network Operations Engineer" type postings that are in Herndon, Bethesda, Baltimore, Annapolis Junction, Fort Meade, and so on.
There are some perks to being a government employee, but you end up in the government framework for pay and what not, which sucks. If I recall correctly the folks at CIA (AFD I believe???) had some sort of system set up where they hired government employees as a POCO billet or something so they could bring talent in at a reasonable pay scale, and then they'd do some political maneuvering to rotate people around so everyone was getting paid. DIA was a charlie foxtrot in that arena and probably still is, so I'd avoid them. The FBI has a pretty good team in Quantico, though I'm guessing again that most of them are really just Booz employees.
It's not even just the money. I had a brief experience working within German bureaucracy and I couldn't imagine a more soul-sucking, conservative and uninspiring environment. You definitely have to be a certain type of person for that environment, the unpleasant type imho.
I know a few. My observation is there are basically two types: market rejects and fanatics who work for the government out of an antiquated sense of duty.
Not really. It's more about understanding that having competent people in the system tends to benefit the community at large, and be willing to endure the (many) downsides.
And yeah, it doesn't work for everyone, and some people genuinely interested in doing the good thing can turn sour after a while. But I rarely see people romanticizing the work conditions or the system they are in.
Also having people willing to trade a pay cut for a way to "make good things" leads to people using their agency in surprising ways, sometimes fucked up.
> an organization that has lost its integrity long ago
That's every org. The relevant part isn't org structure or integrity but whether the org has an impact on stuff that actually matters. Not everyone is interested in optimizing the click rate of ads.
> Not everyone is interested in optimizing the click rate of ads.
That's basically it in a nutshell. The corpo world is all about enshittification, and isn't making things better.
It's debatable if the DIA is, either, but there is at least something to stand for other than greed, or some thought-terminating cliché about how the "invisible hand" will somehow fix things.
If you become a German civil servant the hours are lovely, the pension is super and the pressure negligible. You need something, you ask your boss, then wait and twiddle your thumbs and watch YouTube videos until it goes up the chain and at some point comes back down. It’s like an oil tanker. Great in a straight line, but damn hard to change course.
Forget numbers, think Marvel's Endgame, envision cop superheroes from all over the world converging on the supervillain to enact justice and save civilization!
I swear law enforcement and the military choose the cringest name codes, not much better than names kids would pick.
> I swear law enforcement and the military choose the cringest name codes, not much better than names kids would pick.
I have it on good authority that the people in law enforcement and the military — and indeed all humans in general — were in fact kids at one point. Maybe we all just like cool sounding codenames, even if some keyboard jockeys on a forum will call it “cringe”.
I was a cringy kid too, but now I'm an adult that wouldn't call an official war strike "Operation Beastmaster" (real name from the Iraq invasion). Christ, how many years before we see names like "Operation CyBoRgDiNoSaUr"?
> but now I'm an adult that wouldn't call an official war strike "Operation Beastmaster" (real name from the Iraq invasion).
Why? That name’s dope. If you can’t give cool names to military operations of all things, then you can’t give cool names to anything. And as someone else pointed out, the US military does have a framework for how they name operations.
They may seem cringe but, at least the military names, are usually part of an underlying lexicon that outsiders don't understand. Some are inside jokes, others are cover for classified names.
It's standard law enforcement PR. People who are serious about cybersecurity topics might shake their heads a little at the self-aggrandizing naming and Matrix "hacker" backgrounds, but they aren't the target audience. The target audience is for the mass public, to glamorize the police as the Good Guys who are going after the Bad Guys.
> Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously.
I presume the counterargument is that it's like someone took down Gmail or some other centralized service or something. Maybe the disrupted centralization will send a lot of operations scrambling, even if it was only a few hundred servers that were doing all the work.
If entrapment is unprotected in a relevant jurisdiction, seized domains/servers could be used to disrupt or even unmask actors. Release a new dropper and make the payload build tool malware itself. Now these actors can't trust what they get from each other, even if they trust the person who is supposed to be in control of the service.
That would be a radical departure from the status quo of boasting loudly and plastering seizure pages up everywhere, and the suggestion here is that they are trying different things.
If a law enforcement official sets up a website offering to sell you an illegal product or service and you buy it, that's not entrapment. It's only entrapment if the police cause you to commit a crime you would not have committed otherwise.
> In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany
4 people in the initial arrests. They already have arrest warrants for at least another 8.
It seems they have arrested someone who provided a lot of infrastructure so it wouldn't surprise me if they were able to roll that into more arrests in the near future.
> “It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,”
I was about to check Spamhaus's ROKSO list, as I recall it listed about 30 people on it who were/are collectively responsible for almost all email spam (but it's down https://www.spamhaus.org/faqs/rokso/). If malware is anything like that, the number of actors may be quite small.
Like seriously, that was like saying that arresting the purveyors of contaminated, tainted meat is harming the food supply. It’s an argument that seems to be intentionally reversed in order to destroy logical debate.
Could it be that the original commenter is saying state and corporate spying gets justified with this kind of successful and positive operation, and this gives states the goodwill to push for deeper surveillance, which is then used unethically?
Think how the world changed after the PATRIOT (lol) Act, and how many terrorists have actually been detained in exchange for such invasive measures on the general public. I'd bet the ones who have benefited most from all these years of mass surveillance have been advertisers, not law enforcement.
> Could it be that the original commenter is saying state and corporate spying gets justified with this kind of successful and positive operation, and this gives states the goodwill to push for deeper surveillance, which is then used unethically?
I think so, but this is backwards. State and corporate spying gets justified by the scammers and fraudsters, not by whether or not the takedown operations are successful. If scammers and fraudsters weren't doing wildly unpopular things like taking health care systems hostage with ransomware, etc, we'd all have a lot more ammo to tell the cops to respect our privacy.
I've worked on several high-profile botnet takedowns that have resulted in arrests. There is a very fine line and a slippery slope that you absolutely need to stay on the right side of, or things can become very invasive and unethical[0].
Online scams, fraud, and malware have been around since the '80s, and we've survived.
Additionally, a huge industry has been built around it, employing many people and generating massive amounts of wealth compared to the direct costs of these activities. Just compare the cost of ransomware to the "cost of cybercrime"[1][2] which is mostly revenue for the cybersecurity industry, and there is a magnitude of difference.
> Online scams, fraud, and malware have been around since the '80s, and we've survived.
That's a really awful take. We've also had plagues killing large chunks of the population and we've survived. That doesn't mean it wasn't an issue for the people affected. There are people who have lost their life savings and relationships due to scams. There's an individual/societal cost to all of this.
In the context I was discussing I consider it a pragmatic take because our response to these issues needs to be understood across multiple domains including privacy.
That's not to say that nothing should be done. Personally, I'd like to see measured legislation placing more security, privacy and liability onto manufacturers and providers.
You consider total ransomware payments the "cost of ransomware"?
And the revenue of the cybersecurity industry the "cost of cybercrime"?
You seem competent, me I don't know much about practical cybersecurity.
But the combined cost of companies or medical facilities being infected by ransomware surely is not covered by the total ransom payments, right?
Sorry if I'm grossly misunderstanding your take, but I struggle to make sense of it.
I see however your point about surveillance.
And also, affected companies and institutions, plus the software companies, consultants etc. they work with, should carry a certain responsibility in some cases.
For example, a social engineering breach of one employee who had normal privileges shouldn't allow an attacker to propagate easily across the whole network, etc.
The true cost of any of this is very hard to quantify. There are reputational costs (though you generally want to buy the dip after a hack), national security concerns, intellectual property theft, etc. So, it is a weak argument in that regard, but that's only because there's not a lot of good data to even form a solid opinion on. Sorry if my comment seemed a bit ambiguous.
Personally, I have seen during incident response many organizations drop seven figures on EDR, IDS/IPS, and a bunch of widgets while ignoring or refusing to do simple things like network segmentation and configuration/patch management, and it's because they've been sold silver bullets by their vendors, so I also hold a bit of contempt for the industry as well.
This gives me flashbacks. I worked in hospital IT for a few years, and the main IT office was constantly trying to fold the (unpatchable, running a mix of OS/2, Win95, Win98, MS-DOS, and proprietary OSs in ~2007) medical devices into the main, internet-accessible network.
I had to spend countless hours in meetings to keep them segregated. At times, I actually had to just pull fiber jumpers out of the switch. They’d eventually have a fit because they couldn’t see the medical devices with their threat scanning software.
They could have just hooked up a laptop to the medical device network and said “yep, every single IP address on there is vulnerable” and sent a strongly worded letter to each manufacturer demanding a patch, which will never be released. Since the devices are FDA-certified medical devices, you can’t just patch them without manufacturer endorsement of the software change…so any device more than a few years old is usually vulnerable.
3 months after I left they had a major ransomware event. Weird. Who could have imagined?
Law enforcement industry partnerships weird me out a little bit too. Cases like this are maybe a little more innocent: https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/. But then you have Spamhaus compiling literal dossiers and sharing them with police and pressuring hosts into sharing information to help with their extrajudicial ROKSO investigations. Or the "Shadowserver Foundation," which ostensibly exists to stop botnets, yet also for some reason hosts the seizure page for Liberty Reserve.
Are we following the rule of law here? We are talking about arresting bad actors, built on the fundamental principle of due process. There are rules to follow. If the Department of Justice wants to bring criminal charges against individuals or corporations, should the first step be 'seize all assets'? When is the DOJ allowed to seize assets? If we think it's a scumbag foreigner, fine, but what if it's an upstanding American tax-paying LLC? Should your business be subject to immediate takedowns while the DOJ investigates and attempts to prosecute you?
Has anyone been convicted of anything? We are seizing control of personally owned assets under the presumption that the responsible parties will be found guilty. That seems like a slippery slope.
Why are you assuming that rules weren’t followed? Is there any reason to suspect this? I’m not the greatest fan of the police by far, but it’s not like this (seizing assets without prior conviction) is a novel or anything but standard procedure happening in the frame of clearly defined rules. Should a murderer run free up to his conviction, even when there’s strong evidence of his crimes? Shouldn’t the police seize assets of drug cartels at the moment they can instead of years later when everybody is convicted?
Monitor the transactions, collect evidence, get warrants, seize things, collect evidence, get arrest warrants, etc.
If someone is dumb enough to register with a real name, the amount of time needed to coordinate it can be reduced.
Like with the 911 S5 botnet, they gathered evidence over the years to build a case to arrest them.
If it's a large group of people, it may take time or a turncoat to slowly gain evidence on the other parties.
Seizure of assets in those countries required the police and courts in those countries to have probable cause that yeah, it was definitely related to the crime and necessitated seizure in a coordinated fashion. This is similar to the coordinated quiet takeover of a darkweb market, or the coordinated spooky takedown of another, to scare criminals onto the bugged one.
How tight is the "noose of the surveillance state" when it takes them years to stop groups like this? For example, the SmokeLoader malware mentioned in the post has been around since at least 2011 [1]