Draft Report v. 1.0.21
—
### Update #1 (02.05.17)
Cloudflare has forwarded the abuse complaints regarding criminal.cat directly
to their client, admin@blazingfast.io.
Blazingfast.io is known as a bulletproof hosting provider: they ignore
abuse reports. As an example, BlazingFast was hosting the
command-and-control servers for the Mirai botnet while that botnet was
knocking a significant portion of the internet offline for the United
States. Blazingfast.io knew they were aiding a criminal operation
responsible for the largest DDoS attacks to date, and took no action
to remove the offending hosts from their network. It wasn't until one of
the companies under attack (Coelho) reached out to BlazingFast's 5th
upstream provider (Telia Sonera) that the server was finally
null-routed. BlazingFast should be considered a criminal operation; they
cater to all forms of illegal activity.
Please read: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
Ctrl-F "Telia" for the relevant section of this lengthy blog post
concerning BlazingFast's disregard for abuse reports.
For details on the Mirai attacks see:
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/
To clarify, BlazingFast will not take any action to remove abusive hosts
from their network. Their clients include the operators of the largest
botnet known to date, Mirai. Their company is responsible for providing
servers to a botnet responsible for the largest attacks against the
United States of America ever seen.
An excerpt from the aforementioned KrebsOnSecurity.com post:
“
After scouring a list of Internet addresses tied to bots used in the
attack, Coelho said he was able to trace the control server for the Mirai
botnet back to a hosting provider in Ukraine. That company —
BlazingFast[dot]io — has a reputation for hosting botnet control networks
(even now, Spamhaus is reporting an IoT botnet controller running out of
BlazingFast since Jan. 17, 2017).
Getting no love from BlazingFast, Coelho said he escalated his complaint
to Voxility, a company that was providing DDoS protection to BlazingFast
at the time.
“Voxility acknowledged the presence of the control server, and said they
null-routed [removed] it, but they didn’t,” Coelho said. “They basically
lied to us and didn’t reply to any other emails.”
Undeterred, Coelho said he then emailed the ISP that was upstream of
BlazingFast, but received little help from that company or the next ISP
further upstream. Coelho said the fifth ISP upstream of BlazingFast,
however — Internet provider Telia Sonera — confirmed his report, and
promptly had the Mirai botnet’s control server killed.
As a result, many of the systems infected with Mirai could no longer
connect to the botnet’s control servers, drastically reducing the
botnet’s overall firepower.
”
### Initial Report (02.03.17)
Offending Domains: criminal.cat aka darkode.cc aka darkode
Offending Hosting IP Address: 162.255.119.249 (Upstream: Telia)
Offending Name Servers: wally.ns.cloudflare.com, yichun.ns.cloudflare.com
Offending Proxy Servers: 104.28.1.44, 104.28.0.44
HTTPS Certificate issued by: crt.comodoca4.com via Cloudflare
Reason: illegal marketplace - spam, fraud, identity theft, illegal
software (malware)
Details:
criminal.cat aka darkode.cc is a criminal marketplace known as darkode.
The latest domain (criminal.cat) is hosted on Cloudflare's
nameservers and resolves to IP addresses owned by Cloudflare. The site
uses HTTPS certificates issued by Comodo. The sponsoring registrars are
gandi.net (darkode.cat) and enom.com (darkode.cc). Darkode.cc is
currently using hosting provided by Namecheap (162.255.119.249). Darkode
is "the most prolific English-speaking cybercriminal forum to date" -
Europol (https://www.europol.europa.eu/newsroom/news/cybercriminal-darkode-forum-taken-down-through-global-action)
On this forum you can buy, sell, and trade all forms of illegally obtained
personal information and malicious software used to further illegal acts
against victims. This forum caters to the type of individuals who operate
all forms of fraud - tax fraud, phishing, scamming, and even the wholesale of
botnets and compromised personal computers. To verify the association with
darkode, simply type "darkode.cc" into a browser and observe that it is
redirected to criminal.cat, the forum's latest domain.
The domain "darkode.cc" aka "criminal.cat" and all associated services
(DNS hosted by Cloudflare, web service hosted by Namecheap,
certificates issued by Comodo) should be revoked or suspended
immediately, to prevent further financial loss to victims and the spread
of malicious software infections. By not taking action you are aiding the
criminals. Please help preserve the safety of our friends and family
online, and shut this site down.
Re: darkode.cc is the "new darkode"
*0: http://www.theregister.co.uk/2015/07/28/darkode_returns/
"
The English-speaking forum, established in 2007, was a major player in
the cybercrime underground where vetted members could buy and sell zero
days, trojans, and credit card numbers.
"
Re: "darkode is live under new domain"
*1: https://motherboard.vice.com/en_us/article/darkode-brand-relaunches
"
Law enforcement shut down Darkode in 2015. Now, alleged former members
are trying to bring it back.
The digital underground is a fragile place, with hacking forums sometimes
being shuttered by police. That's what happened to malware-marketplace
Darkode last year: in coordinated raids, the FBI, UK's National Crime
Agency, and a slew of other law enforcement bodies arrested over 70
hackers and closed the popular site."