How the criminal community of HackBB was rocked by its own hacking—and revealed the community’s nature.
Imagine you’re walking up to Branch Number One of your bank on a normal day—a big, well-known, multi-national bank. You look up, and where just yesterday there was a seemingly eternal monument to capitalism, today there is nothing but the shell of a bombed out building.
That is how users of HackBB felt this March.
HackBB is one of the largest forums on what is called the “Deep Web,” that is, sites hidden behind walls of encryption and anonymity that typically focus on all sorts of cybercrime, from identity theft and ATM hacking to online scams.
Earlier this year a user named Boneless used his administrator access to delete huge portions of the site. It was a body blow not just to the site but to online criminals. HackBB was a place where online criminals met to talk shop, to learn the skills of their trade, and to make deals. In fact, HackBB ran an escrow service that provided a key tool for users to actually make deals. HackBB held the money when one criminal sold something (a list of credit card numbers, for example) to another. It solved the problem of honor among thieves.
After the deletion, users of HackBB—led by the site’s owner, OptimusCrime—began to rebuild. They deleted the offending user account, and dug up old copies of wikis that explain phishing or phone hacking, in essence rebuilding the hackers’ bazaar one piece at a time.
Naturally, sharks scented blood in the water. In the chaos, the forum was beset by scams targeting the scammers: users pretending to have restored escrow services, for example, only to make off with the cash.
And Boneless wasn’t finished. He (or she) had created dummy accounts for himself during the first attack; two months after the first hacking, he used them to destroy the site again.
Still, the community has been fighting its way back. Today, money flows again through its escrow accounts. OptimusCrime says he has restored security and is on the path to tracking down Boneless.
The thing is, hacking is not a small community. Current estimates place the cost of hacking at $300 billion or more, annually.
While HackBB caters to the hardcore cybercriminal community and hosts internal transactions, sites like Silk Road and Atlantis link them with the casual scofflaw—their mass-market customers. Using them, you can buy weed (or heroin, or pretty much anything else) and have it sent to you by FedEx.
The sites provide anonymity and security, much like the privacy services that have suddenly become more popular after revelations that the NSA may be watching. But they also provide user feedback, seller ratings like eBay does, and even health information on the benefits and side effects of the controlled substances, like WebMD does.
The question remains, however, as to just how secure such sites really are. Critics of the community have argued that while bitcoin (Silk Road’s transaction currency) is anonymous, that doesn’t mean that law enforcement can’t figure out who used it—using statistical methods. Whether law enforcement is ready for that is so far uncertain.
What we do know is that the DEA has arrested at least one person for selling marijuana and prescription pills on Silk Road.
If the new world of online crime is forcing law and order to quickly adapt, it is also affecting information: the fourth estate.
The Daily Dot itself was hacked last week (see my hilariously unintentionally ironic emails), joining the ranks of the Associated Press, National Public Radio, the Financial Times, the Onion, and the Atlantic. Shortly thereafter, Thomson Reuters joined the club as well.
But way better than that, independent reporter Brian Krebs, who covers the Deep Web, was pranked by the hacker Fly. I can’t decide if it wasn’t actually quite a generous act, but in any case: Fly sent Krebs a gram of heroin via the U.S. Postal Service.
As Krebs put it: #epic.
News organizations have always had to mind their own security. IRL, the stakes are higher, but less frequent. An angry reader might send in death threats, not a gift-bag of smack. And they tend not to be professional criminals. It’s hard to imagine Willie Sutton blaming the Daily News for reporting his crimes. But in the hidden, online world, criminals expect that their crimes will remain as anonymous as they do.
What was so shocking about the HackBB hacking was the fact that it was perpetrated by a pillar of the community. Boneless wasn’t just a moderator, he was one of those centers of gravity without whom a group of people never really becomes a community. He developed new knowledge (including how to disappear online) and shared it with the group; he took others under his wing; and he helped maintain the site and the conversation.
He was, in fact, so trusted and beloved that many HackBB users refused to believe it was actually Boneless. In a sublimely revealing moment, some have even suggested that Boneless didn’t hack the forum—he merely sold his credentials to someone else (as if opening the door of the henhouse for the fox absolves you of any guilt in a chicken slaughter).
The surprise, and the mass rush to defend a trusted ally, colleague, mentor, and friend, reveals that thieves do have their own code of honor. The members of HackBB may be on the wrong side of society, but they are still a community of their own.
Correction: The estimated annual cost of hacking is $300 billion, according to a new study underwritten by McAfee.
Photo by Tim Samoff/Flickr