
Dark Basin: Uncovering a Massive Hack-For-Hire Operation

This report will be followed by additional forthcoming reports providing a more comprehensive overview of certain targets and technical indicators.

Key Findings

  • Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.
  • Dark Basin extensively targeted American nonprofits, including organizations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.
  • We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.
  • We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.
  • Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign. At the request of several targets, Citizen Lab shared information about their targeting with the US Department of Justice (DOJ). We are in the process of notifying additional targets.

Introducing Dark Basin

We give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an India-based technology company.

Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.

Thousands of Targets Emerge

In 2017, Citizen Lab was contacted by a journalist who had been targeted with phishing attempts and asked if we could investigate. We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links.

We subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group, which we call Dark Basin. Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets. We used open source intelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.
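As an added illustration of why sequential shortcodes leak targeting data (example code written for this page, not Citizen Lab's or NortonLifeLock's tooling), the Python below first decodes a handful of observed shortcodes to check whether the identifier space is dense enough that unseen codes sit between the seen ones, then pulls target addresses out of a constructed list of expanded phishing URLs and groups them by organization domain for notification triage. The base-62 alphabet, the hypothetical domains and the query-parameter layout are all assumptions; the report does not describe the shortener's encoding or the exact form of the phishing URLs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed alphabet: many shorteners encode an integer ID in base 62. The
# report does not say which encoding Dark Basin's shorteners used; this is a
# guess used only to illustrate the density check.
BASE62 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of expanded phishing URLs (hypothetical domains) of the
# kind a shortener would redirect to: some carry the target address in a
# query parameter, one in the path, and one carries no address at all.
SAMPLE_URLS = [
    "https://accounts-login.example/verify?email=alice%40ngo.example&id=1",
    "https://accounts-login.example/verify?email=bob@ngo.example",
    "https://secure-mail.example/u/carol@fund.example/reset",
    "https://accounts-login.example/verify?email=Alice@ngo.example",  # duplicate
    "https://secure-mail.example/landing?ref=none",  # no target address
]


def decode_base62(code: str) -> int:
    """Interpret a shortcode as a base-62 integer ID."""
    value = 0
    for ch in code:
        value = value * 62 + BASE62.index(ch)
    return value


def is_dense_id_space(codes, max_gap=5) -> bool:
    """True when the decoded IDs, sorted, are at most max_gap apart.

    Small gaps between independently observed codes indicate IDs handed out
    sequentially rather than drawn at random from a large space, which is
    the property that made the shorteners enumerable."""
    ids = sorted(decode_base62(c) for c in codes)
    return len(ids) > 1 and all(0 < b - a <= max_gap for a, b in zip(ids, ids[1:]))


def extract_targets(urls) -> set:
    """Return the set of lower-cased e-mail addresses embedded in the URLs."""
    found = set()
    for url in urls:
        # Percent-decode first so that alice%40ngo.example is recognised.
        for addr in EMAIL_RE.findall(unquote(url)):
            found.add(addr.lower())
    return found


def targets_by_domain(urls) -> Counter:
    """Count targeted addresses per organization domain."""
    return Counter(addr.split("@", 1)[1] for addr in extract_targets(urls))


if __name__ == "__main__":
    print("dense ID space:", is_dense_id_space(["1a", "1b", "1c", "1e"]))
    print("targets:", sorted(extract_targets(SAMPLE_URLS)))
    print("by domain:", dict(targets_by_domain(SAMPLE_URLS)))
```

The density check answers the question that made enumeration possible: whether the codes observed in a few phishing messages leave only small gaps to walk. A shortener that draws codes at random from a large space fails the check and does not expose its redirect table this way, which is the corresponding mitigation for anyone operating one; for an investigator, the address extraction is what turns a list of redirect targets into a notification list.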

Our investigation yielded several clusters of interest that we will describe in this report, including two clusters of advocacy organizations in the United States working on climate change and net neutrality.

While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation. Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal.

Research Collaborations & Official Notification

Dark Basin has targeted dozens of journalists in multiple countries. Citizen Lab has notified and worked with some of these journalists over the past three years to assist them in investigating this case. In addition, Citizen Lab has mutually shared indicators and technical information with researchers at cybersecurity company NortonLifeLock, who have been conducting a parallel investigation into Dark Basin, which they refer to as “Mercenary.Amanda.” Many targets have also cooperated and assisted our investigation. At the request of multiple targets, Citizen Lab shared materials relevant to their targeting with the US DOJ.

We link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services (also known as “BellTroX D|G|TAL Security,” and possibly other names). BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme.

Timestamps in hundreds of Dark Basin phishing emails are consistent with working hours in India’s UTC+5:30 time zone. The same timing correlations were found by the Electronic Frontier Foundation (EFF) in a prior investigation of phishing messages targeting net neutrality advocacy groups, which we also link to Dark Basin.
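The working-hours correlation described above can be reproduced on any set of message Date headers. The Python below is an added example written for this page, not the analysis code used by Citizen Lab or the EFF: it converts each header to a candidate time zone, builds an hour-of-day histogram, computes the fraction of messages sent on weekdays between 09:00 and 18:00, and then scans every half-hour UTC offset to find the one that best fits a working-hours pattern. The six Date headers are constructed sample values, and the 09:00 to 18:00 weekday window is an assumption about what counts as working hours.

```python
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30))  # India, UTC+5:30

# Constructed sample Date headers (not taken from the report). The offsets
# differ because collected messages carry whatever zone the sending path
# stamped on them; all but the last fall in IST working hours.
SAMPLE_DATES = [
    "Mon, 04 Mar 2019 03:45:00 +0000",  # 09:15 IST Monday
    "Tue, 05 Mar 2019 12:15:00 +0000",  # 17:45 IST Tuesday
    "Wed, 06 Mar 2019 04:00:00 -0400",  # 08:00 UTC -> 13:30 IST Wednesday
    "Thu, 07 Mar 2019 16:05:00 +0530",  # 16:05 IST Thursday
    "Fri, 08 Mar 2019 05:50:00 +0000",  # 11:20 IST Friday
    "Sat, 09 Mar 2019 23:00:00 +0000",  # 04:30 IST Sunday: outside hours
]


def hour_histogram(date_headers, tz=IST) -> Counter:
    """Count messages per local hour of day in the given time zone."""
    hours = Counter()
    for raw in date_headers:
        local = parsedate_to_datetime(raw).astimezone(tz)
        hours[local.hour] += 1
    return hours


def working_hours_fraction(date_headers, tz=IST, start=9, end=18,
                           workdays=range(0, 5)) -> float:
    """Fraction of messages sent on a workday between start and end (local)."""
    total = in_hours = 0
    for raw in date_headers:
        local = parsedate_to_datetime(raw).astimezone(tz)
        total += 1
        if local.weekday() in workdays and start <= local.hour < end:
            in_hours += 1
    return in_hours / total if total else 0.0


def best_fitting_offset(date_headers, step_minutes=30):
    """Scan UTC offsets from -12:00 to +14:00 and return (offset_minutes,
    fraction) for the offset under which the most messages fall inside
    working hours. Ties keep the first (most negative) offset found."""
    best = (None, -1.0)
    for minutes in range(-12 * 60, 14 * 60 + 1, step_minutes):
        frac = working_hours_fraction(date_headers,
                                      timezone(timedelta(minutes=minutes)))
        if frac > best[1]:
            best = (minutes, frac)
    return best


if __name__ == "__main__":
    print("IST hour histogram:", dict(sorted(hour_histogram(SAMPLE_DATES).items())))
    print("IST working-hours fraction:", working_hours_fraction(SAMPLE_DATES))
    print("best-fitting offset (minutes, fraction):", best_fitting_offset(SAMPLE_DATES))
```

With six messages the scan is only illustrative; on a handful of samples several offsets will tie, and the sample above is deliberately built with sends at 09:15 and 17:45 IST so that a shift of even half an hour in either direction pushes one message out of the window. Across hundreds of messages, as in the report, the pattern is evidence that the operators' schedule is consistent with one zone, not proof of where they sit, which is why the report pairs it with the shortener names, the phishing-kit logs and the employee-level links.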

Several of Dark Basin’s URL shortening services had names associated with India: Holi, Rongali, and Pochanchi (Table 1). Holi is a well-known Hindu celebration also known as the “festival of colours,” Rongali is one of the three Assamese festivals of Bihu, and Pochanchi is likely a transliteration of the Bengali word for “fifty-five.”

Table 1: Three of the URL shortener services used by Dark Basin.

Additionally, Dark Basin left copies of their phishing kit source code available openly online, as well as log files showing testing activity. The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and log files show that Dark Basin appeared to conduct some testing using an IP address in India.

Along with our collaborators at NortonLifeLock, we have unearthed numerous technical links between the campaigns described in this report and individuals associated with BellTroX. These links lead us to conclude with high confidence that Dark Basin is linked to BellTroX.

We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including “Ethical Hacking” and “Certified Ethical Hacker.” BellTroX’s slogan is: “you desire, we do!”