
Darkode criminal forum reborn less than two weeks after DOJ shutdown

The recently shut-down Darkode cybercriminal community has been rebuilt; it claims its administrators are intact and that security will be tightened to better avoid law enforcement.

Less than two weeks after being shut down, the Darkode cybercriminal community has already relaunched and is taking shots at the law enforcement agencies responsible for the takedown. 

Darkode was shut down by the U.S. Department of Justice (DOJ) and an international task force earlier this month. The two-year effort, "Operation Shrouded Horizon," was coordinated by the FBI and Europol, resulting in 70 arrests across 20 countries.

At the time the arrests were made public, security experts said the community had already begun the process of rebuilding. The main admin, known as "Sp3cial1st," was not arrested during the first raid and spoke with U.K. researcher MalwareTech about the rebuild.

Sp3cial1st said the plan had been to wait until the identities of all 70 arrested users were known before bringing back the site, but recently posted a message at -- the site is currently down -- about the shutdown and plans for the relaunch.

Sp3cial1st began the message by taking a shot at the raid itself, saying "Most of the staff is intact, along with senior members. It appears that the raids focused on newly added individuals or people that have been retired from the scene for years."

The message went on to say Darkode will come back as a hidden site on the Tor Project Inc. network. To increase security, the forum will be invite-only, and each user will be given his or her own onion address to the forum. Authentication will be through blockchain.

Steve McGregory, director of application and threat intelligence at Calabasas, Calif.-based Ixia, was surprised at the way Darkode has come back and said it appears that the raid rattled the community.


"It's pretty brazen that they decided to resurrect with same name and in such a public manner," McGregory said. "They have announced new security measures to protect member accounts from being compromised and that membership will be by invitation only. The administrator also advised members to assume that anyone they dealt with in the past 6 to 8 months might have turned into an informant. This is proof of paranoia and a bit short-sighted."

Chase Cunningham, Ph.D., threat intelligence lead at Richardson, Texas-based FireHost Inc., said the return of Darkode was inevitable and has made the community more difficult to take down again.

"All the operation to 'take them down' has done is force them to increase their security and aid them in figuring out who were the feds and researchers in that forum," Cunningham said. "One point for the Darkode.CC guys; they can move on with almost no impact and keep doing business as they please. They are much better at this cat-and-mouse game than any government organization, and the whack-a-mole approach is a practice that won't yield any real gains. Without changes to how the enforcers do business and real punitive outcomes from these arrests, it's just a minor problem for skilled groups like those at Darkode.CC."
