June 9, 2020 — A new report by researchers at the Citizen Lab, at the University of Toronto’s Munk School, reveals an enormous hack-for-hire operation that has targeted thousands of individuals and hundreds of institutions around the globe. Targets included advocacy groups, journalists, and lawyers, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.

Dubbed Dark Basin, Citizen Lab began looking into this operator in 2017 when researchers were contacted by a journalist who had been targeted with phishing attempts. We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.

“This is one of the largest hack-for-hire operations ever exposed. Our investigation found that no sector is immune from this brazen operation. Dark Basin does not just threaten commerce and government: they are clearly a tool of the powerful to target reporters and advocates attempting to hold them accountable.” – John Scott-Railton, Citizen Lab Senior Researcher

We can now link Dark Basin with high confidence to an Indian technology company, BellTroX InfoTech Services, and related entities. Along with our collaborators at NortonLifeLock, we have unearthed numerous technical links between the campaigns described in this report and individuals associated with BellTroX. For instance, some employees made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.

“We were able to capitalise on the tactics of this hack-for-hire operation, tracking their activity almost daily for over sixteen months. The sheer volume of the phishing campaigns we observed was Dark Basin’s Achilles’ heel, as remaining stealthy at this scale is fundamentally incompatible with operating as a profit-driven enterprise.” – Adam Hulcoop, Citizen Lab Research Fellow

This campaign is characterized by the variety of sectors targeted, the sheer list of individuals quarried, and the persistence of operators. Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign. At the request of several targets, Citizen Lab shared information about their targeting with the US Department of Justice (DOJ) and are in the process of notifying additional targets.

Dark Basin’s thousands of targets illustrate that hacking-for-hire is a serious problem for all sectors of society, from politics, advocacy, and government to global commerce. We hope platforms will continue to track and report such hack-for-hire operations and we encourage platforms to be proactive in notifying users that have been targeted by such groups, including providing detailed warnings beyond generic notifications to help enable targets to recognize the seriousness of the threat and take appropriate action.

For Media Inquiries
Miles Kenyon
Communications Specialist, The Citizen Lab

Guide on Citing in Media
Title: Dark Basin: Uncovering a Massive Hack-For-Hire Operation
Authors: John Scott-Railton, Adam Hulcoop, Bahr Abdul Razzak, Bill Marczak, Siena Anstis & Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto
Publication Date: Tuesday, June 9, 2020
URL: https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/