How the FBI may have infiltrated Darkode

The FBI relied on two hacker-informants and a previously-undisclosed vulnerability to bust Darkode, one of the Internet's biggest criminal hubs

Darkode was a major hub for cybercriminals—until the FBI came knocking.

The United States government is celebrating the takedown of an infamous cybercrime forum. But according to a source with direct knowledge of the investigation, this major law-enforcement win would not be possible without the help of a mercenary hacker-informant who allegedly gained high-level access to the site—and who is now sitting behind bars.

The forum, called Darkode, served as a catch-all online marketplace for illegal hacking tools and stolen data, including malware, botnets, personally identifiable information, and credit card numbers, as well as tools used to commit wire fraud and money laundering.

Darkode came crashing down Tuesday evening, when a coalition of government forces from 20 countries, including the Federal Bureau of Investigation, seized Darkode and arrested a dozen of its members. The United States Department of Justice called the sting “the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum.”

Rory Guidry, 28, was one of the 12 people arrested in the U.S.-led raid on the site’s members. According to his heavily redacted federal affidavit, Guidry has been charged with computer fraud and is accused of selling botnets—large collections of computers taken over by malware that give the botnet operator complete control over them—on Darkode.

However, according to a hacker close to the investigation, who requested anonymity due to his ongoing work with the FBI, both he and Guidry were working to bring down Darkode by any means possible—including, in the case of Guidry, working with the FBI as a paid informant. And it was Guidry’s contributions, our source says, that helped lead to the fall of Darkode. The source provided the Daily Dot with multiple emails documenting his work with U.S. law enforcement.

The DOJ admits in its press release that the FBI had one or several moles in Darkode. The use of informants is a common practice in FBI cybercrime investigations. The Guardian reported in 2011 that an estimated one in four hackers in some way serves as a government informant. A number of the highest-profile busts of hacker groups in history, ranging from early hacker Kevin Mitnick to the Anonymous hacker Jeremy Hammond, relied at least in part on other hackers sharing information with the FBI. Hackers working with the FBI have also committed cybercrimes under the Bureau’s eye, as was the case with Hector “Sabu” Monsegur, who directed Hammond and others in a number of attacks on international governments while working as a cooperating witness for the FBI.

The hacker and Guidry, both of whom, our source says, served as informants for the U.S. government in earlier investigations, were first approached by the FBI about gaining administrative access to Darkode in 2013. It was a daunting prospect. To become a member of Darkode, a prospective member needed an invitation from a current user and had to go through an application process. The system was meant to keep out government informants and keep the community secure.

There were four levels of access a user could achieve on Darkode. Level 0 was for new users. Levels 1 and 2 reflected a user's reputation on the website, which was built up through demonstrations of hacking skill. Level 3 was for administrators, and that status entitled these users to free access to botnets and exploits.

Guidry stole the infamous hacking group Lizard Squad’s botnet, the one it used to knock Xbox Live and the PlayStation Network offline on Christmas Day, the hacker claimed, and posted it on Darkode. According to cybercrime reporter Brian Krebs, Guidry has made it his mission to take down Lizard Squad, some members of which were also users on Darkode. Guidry’s supply of the stolen botnet code played a key role in gaining the community’s trust, according to our source.

Guidry’s affidavit makes no mention of him acting as an informant, but it does go into detail about the botnet case against him and makes it sound as if another informant was responsible for his downfall.

It is currently unclear whether Guidry was arrested for activities related to his informant work.

“I think what’s happened is a disconnect within the Department of Justice,” our source said. “They haven’t kept track of who’s talking to who.”

The FBI has not responded to multiple requests for comment.

Correction: this story originally misidentified the once-hacker and current cybersecurity expert Kevin Mitnick, and has since clarified Guidry’s reported role.

Photo via magnus_d/Flickr (CC BY 2.0) | Remix by Fernando Alfonso III

William Turton

Once named one of Forbes’ 20 Under 20 and hired as a staff writer for the Daily Dot when he was still a senior in high school, William Turton is a rising tech reporter focusing on information security, hacking culture, and politics. Since leaving the Daily Dot in April 2016, his work has appeared on Gizmodo, the Outline, and Vice News Tonight on HBO.