author photo
By Bruce Sussman
Wed | Jul 15, 2020 | 2:00 PM PDT

Author and pentester Vinny Troia isn't making any friends in the criminal hacking underground, that is for sure.

In fact, just days before his keynote at SecureWorld Boston, Troia was hit with what he calls a revenge cyberattack.

And he kicked off his keynote talking about it.

"In my opinion, it couldn't be more obvious that my research has hit a very deep nerve with the people that we're about to discuss. If my research was wrong, they wouldn't be retaliating in this way," Troia told the online audience.

And what does his research reveal? Never before seen insights into connections between several prolific hacking groups, who the key players allegedly are in real life (hint: teenagers), and the incredible number of hacks he linked back to them.

Hence, the retaliation. But that's not stopping Troia.

"So, game on," he says.

Who are the most aggressive criminal hackers?

In his keynote, Troia details the incredible list of attacks by prolific hacking groups The Dark Overlord, NSFW, Gnostic Players and Shiny Hunters.

He shared the lists of data breaches he and other researchers have successfully tied to each of them. For example, here is the list of breaches attributed to The Dark Overlord (TDO). Troia says there are likely more:

the dark overlord-data breaches

The group made headlines in many of these cases:

dark-overlord-netflix

The Dark Overlord also shut down schools in Montana a few years ago by texting and emailing parents, saying that they were coming to school to kill their kids. 

Troia talked to The Dark Overlord's leader after that attack, and says TDO was bragging about it. Here are his messages to Troia:

the dark overlord-conversation-school-terrorism

And from threatening families to trying to extort money from a cancer clinic, he explained how low TDO would go.

"They also hacked and extorted the Little Red Donor cancer clinic. The subject of the email says, cancer sucks, but we suck more."

Troia shared similar information on dozens of hacks attributed to groups such as Gnostic Players and NSFW. Then he revealed some fresh research on how these "groups" are connected.

Several hacking groups are interconnected

Troia spent years researching and communicating with criminal hackers on the Dark Web to write his new book, "Hunting Cyber Criminals: A Hacker's Guide to Online Intelligence Gathering Tools and Techniques."

He made a remarkable discovery in the process. He believes The Dark Overlord, Gnostic Players, NSFW, and more recently Shiny Hunters hacking groups are linked.

He says their IP addresses gave them away. The chart is small, but check this out (click to expand):

vinny_ip_addresses2

This chart reveals the same VPS (servers) and IPs were used in attacks across groups going back to 2017.

What percentage of cyberattacks can be attributed to these groups?

During Troia's research, he decided to take a different angle on what he was seeing. If all these breaches are linked to the same threat actors, what percentage of overall breaches are they responsible for from 2017 to mid-2020?

By his calculations, if you remove credit card data breaches, and focus on PII and password data breaches, 42% of these breaches are linked to Gnostic Players and NSFW. 

data-breaches-by-actors2

"The number is just massive. I don't know what else to say about that. Again, these are breaches involving non credit card data. And this shows the full scope of everything that they have been involved in over the years."

But who are they, in real life?

Who are the hackers allegedly behind the screen names?

Troia just published a technical paper that explains his reasoning and his evidence in this case.

However, just before doing so, he gave the SecureWorld Boston audience a preview of whom he calls the two key players behind these groups. 

Who is the alleged leader of The Dark Overlord Hacking Group and the more recently revealed group that goes by the moniker Shiny Hunters? Troia claims it is this Canadian teenager:

dark-overlord-identity-revealed

Troia says that Christopher Meunier is also behind the screen names of NSFW and Peace_of_Mind.

And who is the hacker allegedly behind Gnostic Players? Troia says it is this teenager, who goes by Dionysios or Dennis:

gnostic-players-identity-revealed

Troia says from what he has uncovered, these two teens have teamed up for years.

"Given the close relationship between the two boys, they actually grew up together. They're both from Calgary. As far as I can tell, they were lifelong friends and they've been hacking together since they were about 14."

And if Troia has so much evidence on these two teens living in Calgary, why haven't they been arrested? That's something he has not been able to uncover.

However, it is something I asked Troia about and we'll cover in next week's SecureWorld Sessions podcast.

We'll also talk more about the revenge hack against his company, Night Lion Security, and its Data Viper servers. Plus, the Night Lion worm, which has wiped more than 10,000 hackers. Someone in the hacking world named the worm after Troia and had it leave a message with Troia's information in place of the wiped data.

Why would anyone target Troia and do something like this?

The way Vinny Troia sees it, the answer brings this story full circle:

"In my opinion, it couldn't be more obvious that my research has hit a very deep nerve with the people that we're about to discuss. If my research was wrong, they wouldn't be retaliating in this way."

Read Vinny Troia's technical report: The Dark Overlord Cyber Terrorist Investigation 

SecureWorld Podcast: Who hacked the World Health Organization during a Pandemic? Hear from the man who uncovered the breach:

 

Comments