The Dark Overlord is back

UPDATE As of Tuesday evening, both the Twitter account and the Reddit thread belonging to the cyber extortionist group Dark Overlord had been suspended, with approximately $590 left in the group's wallet.

Cybercriminals on Monday entered the new year with a bang, after a group claiming to have stolen a trove of confidential documents from an as-yet unidentified US law firm threatened to make the information public if its ransom demands were not met.

The group in question is Dark Overlord – a hacking collective with a history of claiming responsibility for a number of high-profile cyber extortion campaigns, such as the 2017 leak of the Netflix series Orange is the New Black ahead of its scheduled fifth season release.

Other attacks have seen the group maliciously target schools and medical centers through extortion-based scams in an attempt to coerce individuals into paying up, under threat of personal embarrassment or reputational damage.

In its latest operation, Dark Overlord claims to have obtained information from several prominent insurers and wealth management firms, including Hiscox Syndicates and Lloyds of London – organizations said to have insured parts of the World Trade Center. Both organizations faced litigation in the aftermath of the September 11 attacks.

On Tuesday, Dark Overlord posted a ransom note to Pastebin, claiming that it possessed incriminating files belonging to those caught in the 9/11 insurance case, and threatening to make the documents public if an undisclosed fee in Bitcoin wasn’t paid.

“If you’re one of the dozens of solicitor firms who was involved in the litigation, a politician who was involved in the case, a law enforcement agency who was involved in the investigations, a property management firm, an investment bank, a client of a client, a reference of a reference, a global insurer, or whoever else, you’re welcome to contact our e-mail below and make a request to formally have your documents and materials withdrawn from any eventual public release of the materials,” the note reads, explaining that payment would be expected in order to ensure the nondisclosure of the files.

The group has already started to leak some of the stolen documents, although neither the impact nor the authenticity of these files is clear.

Hiscox has said that it believes the material relates to an incident that the insurer disclosed in April 2018, where a breach at a partner law firm gave hackers unauthorized access to potentially sensitive files.

“The incident involved illegal access to information stored on the law firm’s server, which may have included information relating to up to 1,500 of Hiscox’s US-based commercial insurance policyholders,” the insurer said in an initial press release dated April 12.

“The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident.”

Hiscox said that it had notified law enforcement in both the UK and US at the time of the attack.

Shining light on the threat group

Agencies like the UK’s National Cyber Security Centre (NCSC) have warned about the group since it first appeared in 2016.

“They [Dark Overlord] leak snippets of data to the media to encourage them to report on their activity,” said an NCSC advisory published in November 2017.

“This is aimed at ‘proving’ that a breach has taken place, and increases the pressure on the victim to pay the ransom.”

The NCSC added: “Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximize impact.”

Conspiracy theories surrounding 9/11 have earned Dark Overlord plenty of media coverage.

As part of its publicity drive, the group held a live 4chan discussion to “engage with its fans” and solicit donations in return for making all documents publicly available.

At the time of writing, only three transactions have been made to Dark Overlord’s Bitcoin wallet – totaling the equivalent of around $11.00 in digital funds.

As of January 2018, the FBI believed that Dark Overlord was responsible for approximately 69 cyber break-ins and the sale of over 100 million records of personally identifiable information.