Home » Articles » Darkode: Extended Background Story
Click Here To Hide Tor

Darkode: Extended Background Story

Quite recently, we have broken the story on this site, of the infamous Darkode forum, a place rife with discussion of fraudulently stolen credit card data (even as against and about which it has, in the past, been warned to avoid speaking), those wishing to sell-sword their spammy flooding services, Distributed Denial of Service (DDoS) attacks – and through all different methods, e.g., SYN and DNS amplification, as well as authors or their designated cohorts vending malware products to the undergound community. First, one has to know, to comprehend the rest, how did this forum come into existence? This is what will be explained in the following.

Darkode started as a forum, as noted by MalwareTech to act as a support system for what was known as the Butterfly or Mariposa (Spanish for ‘Butterfly’) botnet. also known as Palevo (a deriviative fork of the ZeuS or Zbot family of crimeware). Its main functions were revolved around Spam, DDoS, and harvesting details – there was widely-prevalent spam as a result, and its DDoS module/component, the Butterfly Flooder was leaked to the web. Its author, known online as Iserdo (Matjaz Skorjanc), who lived in Slovenia, was running the support forum throughout 2009, until 2010, when he had sold the site to a man who used the online moniker, Mafi or Crim (he primarily used ICQ, and recruited, along with his associate administrators/moderators, people from a forum, well-known as the paradise to many inept but ambitious cybercrooks and others akin to the classification, whose products were simply re-sold in this next destination) – the author of several versions/variants (ver. 1, 2, 3) of the exploit kit (EK), Crimepack. This was a startlingly successful forum, in fact, and it actually expanded upon the Palevo/Mariposa (Butterfly) user-base, eventually garnering sellers of stolen data, and the wares to steal them, from across the globe (even though it was an English-speaking forum, at that). It attracted the likes of Gribodemon (Aleksander Panin: author of SpyEye – another ZeuS family branch and its logo modelled off of Synthetic Marijuana; he was arrested in the beginning of the year 2014, while travelling from his native Russo-Crimean homeland, to the Dominican Republic to meet a friend), whose partners went on to attempt to sell his work in this account, and others, and a particularly unique individual, having gone by the cyber-pseudonym of Bx1. Bx1 was an Algerian man who loved to brag about his crimes, and which, in fact, eventually led to his arrest by the FBI. Bx1 (Hamza Bendelladj) claimed to have helped develop SpyEye’s plugin systems, but was what is, in today’s information security world, known as a script kiddy. He was responsible for the arrest of another of this forum’s frequent miscreants, Symlink, by the Moldovan authorities, in the Eurasian or Eastern European region of that continent.

In 2013, a white-hat security researcher, and founder of the former and reverse engineer of the warez release group, RED, was able to infiltrate the forum, and post plenty of its insides as screenshots to the rest of the world, leaving the more sensitive data to only Law Enforcement. This was risky, not only because of the nature of Darkode, more casually and even colloquially referred to as DK, being a black-hat-centric hub, but also due to the fact that each user’s screenshot of any page from the forum, had a hidden watermark. These weren’t taken out, so the Darkode administration had a belovedly fun time weeding out white-hats and gray-hats, alike.

One thing had come to another, and an individual, a co-administrator to Mafi/Crim, as well as to Fubar, named Sp3cial1st and more casually as Sp3c (XMPP username was: “na,” on a notoriously underground-friendly server), eventually took Mafi’s place, which was when Mafi retired with announcement made. This was the beginning of the end, as more and more Law Enforcement officers and agents had infiltrated the site, having led to several data leaks and breaches, then posted to Pastebin and around, made Sp3cial1st very paranoid – banning was very quite prevalent, even against truest members to the cause, and paved the way in driving away all of its long-time oldies, and opening the doors to a whole new universe of more script kiddies.

The process for getting into the forum was not the simplest, and was made of several tiers before full access had been attributed, but it was not very effective either. Every member was given a handful of invitation codes (you could also be invited by Sp3cial1st if you’d sell a coding project, deemed as worth selling to their semi-exclusive community-standards), after which you would be vetted in an intro process. During the intro process, its already currently-established members would either vouch for you or disapprove – this was what decided whether or not you would be admitted, and whether or not, should you have been denied, the inviting party should have been warned or banned.

This was all “fun and games,” that was, until Sp3cial1st became embedded in the script kiddy brigade of “hacker” groups, the Lizard Squad. This was the nail in the coffin, because the Lizard Squad has, since their DDoS attacks on Microsoft/X-box and Sony, and so on, sustained arrest-after-arrest. Their famous stress tester, built upon the shambles of hijacked home routers, infected with a simplistic, even archaic IRC bot (its source code is on Github by a Unix Sysadmin and spare-time pentester, linked on his Twitter profile at the beginning of this year), was bound to fall, especially since the mediocre payment system engineered to support patronage in it, was not encrypted fully, nor had the credentials of all their users, been. This was leaked as well, in the form of an SQL export-file.

Alongside all of these antics, also came an earlier stint of the Darkode administrators cooperating with a Bulletproof hosting provider named Offshore (sells on a Russian board called Exploit), to disrupt Spamhaus and Cloudflare’s operations, in a formed coalition of several, otherwise-competing Bulletproof service providers, who clearly had left a European bulletproof hosting company, in an old, previously-abandoned World War II bunker, naming it Cyberbunker (this was a previous home to Wikileaks as well as ThePirateBay, before they had moved on to Cambodia, after which it was raided in the Autumn of 2014, re-launching as a promised return, in February of 2015, initially hosted in Moldova behind Cloudflare, and later, elsewhere), as a scapegoat. This operation was the anti-type of Spamhaus, and named accordingly as StopHaus. It ended with another arrest, following a particularly nasty chain of heavy DDoS attacks through a method called DNS amplification, where DNS queries are made to a target server, spoofed as having not come from its own, subjecting the server to endless traffic volume, beyond what a simple SYN or TCP attack could afflict.

If you have checked out the list of those arrested during the raid which took down Darkode just a few days ago, one might notice that Sp3cial1st is quite conspicuously, much like the friends from Hackforums, Sky and Pernicious, M.I.A. in that report – this is, by educated speculation, due to the likelihood that he was working with Law Enforcement, in the coming moments of this inevitably doomed forum’s ultimate demise. To further speculate, one has to wonder whether, should he have been arrested, and considering that he was buddies with the now well-known LizardSquad, that was how he might have ended up in negotiations with the federal authorities; the fact he is missing from the report is signal of that, by itself.


  1. The take-home message is, as always, that if you engage in illegal online behavior, you can and WILL be betrayed, eventually. LE will utilize the classic Prisoner’s Dilemma. Best advice, as always, is to work ALONE and to trust NO ONE! And, if LE does show-up at your door, say NOTHING!!!

  2. I would truly appreciate your help and I am really looking for the chance to get things I loved in CA and I am not able since moving to Ma and I am illiterate in computers

  3. hi bro add link , yo newtwork , thanks

  4. I was interested but this is unreadable. Obviously the author doesnt speak English very well, which is kind of important when writing an article.

  5. Maybe you aren’t very effective at comprehending upper-end English syntax? What did you expect me to do: end sentences with prepositions?

    I have always gotten flying colors on all my English/writing classes at a LITTLE-IVY tier.

    also: http://www.theregister.co.uk/2015/07/28/darkode_returns

    • Canahontra

      Aside from that, H0tsh0t has also been arrested.

      • ENGLISH2

        This is horribly written. Excellent if this is your second language. Lol “upper-end English syntax” You gave it away with that one.

        • canahontra

          there’s absolutely nothing wrong with saying “upper-end.” Syntax is both grammar as well as spelling, etc. I live in the U.S. and as I’ve already previously stated, I get straight As in my English/writing courses at a pretty prestigious [private/Catholic] university – I have 3 scholarships. So, excuse me if I don’t take your crudddy advice and shove it elsewhere.

          • catholic school

            I just had multiple people in a room together, reading this article. Everyone agreed it was unreadable. Maybe straight As from a Catholic University don’t mean as much as you think they do.

          • Canahontra

            Without all due respect (I mean that), there are doctoral professors who spell what should be “you’re” as “your.”

            If educated people can’t even learn how to write properly, what makes you think an uneducated circle of fools can learn how to read? I’m not buying whatever it is that you’re selling.

            You might consider yourself educated, but perhaps you’re kidding yourself.

          • Canahontra

            1st sentence: *?

  6. Thank you for your article and the time and effort that you have clearly put into it but it is an extremely haRd read, I’m not saying your English is bad by any stretch of the imagination but I am saying that it is a hard read and could have been written very differently to make it more appeasing to us the reader.

    But aside from that, thanks for the article. Very interesting and the internal facts were enjoyable to learn.
    Stay safe

  7. It even gets more easy that some of the so called site these days offer hackers service . I was recently engrossed in a conversation with my boss’s wife and she told me about two site where she gets hackers and programmers from .

    hirehackersandprogrammers.com and hackerlist.com are both places where she uses more of those .

    she outrightly said that the hirehackersandprogrammers website deal with handpicked hackers and programmers and that is where she goes to more often .

    I have so far used one of hackers and programmers service and I must say it was a good experience .

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *