In what seems like a mind-boggling OPSEC #FAIL, a U.K. man associated with thedarkoverlord allegedly used his real details to create bank accounts as well as to open email accounts, phone numbers, vpn, Twitter, and PayPal accounts that thedarkoverlord used as part of its operations to hack and extort victims. For a group that signed their pastes and extortion demands as a “Professional Adversary,” the revelations should be embarrassing, to say the least. But embarrassment may be the least of their problems. Now that Nathan Wyatt is in custody in the U.S. awaiting trial for his alleged role, will he roll on others to get himself a deal?

In June, 2016, an individual or group calling themself “thedarkoverlord” (TDO) announced that they/he had hacked three patient databases and put them up for sale on a dark web marketplace. Since that time, this site has reported on TDO’s criminal activities dozens of times, but even the many hacks this site has covered represent only a small fraction of TDO’s actual criminal operations.

The scope of their attacks often tends to get lost in mainstream media coverage that tends to only point out hacks involving Orange is the New Black, celebrity patients, or well-known corporations like Gorilla Glue. But TDO has hit numerous big and small businesses, school districts, universities, and big and small medical entities. And over the past few years, those of us who have watched them have seen them grow increasingly aggressive and violent in their imagery and threats.

But then things seemed to suddenly stop. In early 2019, KickAss Forum shuttered. Without that forum to post their offerings and banned from most social media platforms they had been using to try to sell hacked files, TDO disappeared from public view. They haven’t responded to emails I have sent to their email account for journalists, and they didn’t re-emerge on New Year’s Eve with a major hack announcement as they have done in past years.

So where’s TDO?
Are they in custody or have they gone to ground because one of their alleged members, Nathan Wyatt, is now in U.S. custody awaiting trial? Have they continued hacking entities? Or are they just relaxing somewhere enjoying retirement? Significantly, perhaps, their disappearance from public view roughly corresponds with Wyatt losing his appeal of a ruling ordering his extradition to the U.S. Either way, for a criminal operation that often tried to portray itself as a polished and professional adversary, Nathan Wyatt is not a good look for them.

Who is Wyatt?

Nathan Francis Wyatt, 39, is an unemployed U.K. national who lives in Wellingborough with his fiancee, Kelly Howell, and some of their children. He and his fiancee live off the welfare benefits they receive from the government. Wyatt has acknowledged that he has supplemented those benefits with illegal online activities.

Unless there’s some plea deal worked out, Wyatt will be tried in federal court in St. Louis for his alleged role in some of the early TDO hacks and extortion attempts in Missouri, Illinois, and Georgia. The indictment can be found here. Wyatt faces trial here on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. Although DOJ did not name the victim entities in their court filings, I have identified the victim entities (with one possible exception) based on DOJ’s descriptions, my previous detailed reporting on the breaches, and the fact that some of the evidence DOJ provides in the affidavit exactly matches files that had been given to me by TDO for those victims.

Wyatt, whose online nicks include “Crafty Cockney,” “Hardcore,” and “Mas,” pleaded not guilty in his first appearance in federal court in December after losing his attempt to prevent extradition.

OPSEC? What OPSEC?
Anyone reading the affidavit supporting the government’s extradition request may understandably conclude that Wyatt should try to make a plea deal. There appears to be a tremendous amount of compelling evidence supporting the charges, although of course, those are just allegations that need to be proved in court. But then also remember that DOJ did not show all its evidence in the affidavit. They likely withheld what they consider to be other damning evidence that they will present at a later date or use to persuade Wyatt to plead guilty.

Actually, if you read the affidavit, you may well wonder what on earth Wyatt could possibly have been thinking when he allegedly used his own personal details to open email, phone, PayPal, and bank accounts that were used for criminal purposes.* Did Wyatt’s alleged co-conspirators have any idea how casual and negligent he was about OPSEC or did they know what he was doing? From statements made to me by TDO in September 2016, they had no idea that “Crafty Cockney’s” real name was Nathan Wyatt and so when they saw the bank accounts he had set up, they did not know it was his real name and his fiancee’s real name and their real addresses. Whether TDO was telling me the truth in disclaiming any previous knowledge of Wyatt’s identity remains to be determined.

Wyatt was no stranger to crime

The current charges represent only a small part of Wyatt’s alleged criminal activity over the past 3 years.** Charges against him in 2016 for his role in selling hacked photos of Pippa Middleton were dropped and he never served any time for his role in that case. Those close to that situation believe that the charges were dropped to spare Middleton the stress of a court case and not for lack of evidence. Both The Sun and this blogger had quite a bit of evidence showing Wyatt’s involvement in the attempted sale of the photos.
But while Wyatt seemed to have caught a break in the Pippa Middleton case, he wound up arrested again months later because in the process of investigating the Middleton matter, prosecutors found evidence of other crimes on his devices. As a result of their discovery and […]
I’ve reported on Nathan Wyatt a number of times, including the extradition request by the U.S., his appeal, and his failure to win his appeal of the extradition order. So we knew this was coming, but let’s start with a recap of the charges he’s facing:

One count of conspiracy against the U.S. (18 USC 371)
Two counts of aggravated identity theft (18 USC 1028)
Three counts of threatening damage to a protected computer (18 USC 1030)

From the DOJ’s press release of today:

MEMBER OF “THE DARK OVERLORD” HACKING GROUP EXTRADITED FROM UNITED KINGDOM TO FACE CHARGES IN ST. LOUIS

Defendant Conspired to Steal Sensitive Personally Identifying Information from Victim Companies and Release those Records on Criminal Marketplaces unless Victims Paid Bitcoin Ransoms

WASHINGTON – A United Kingdom national appeared today in federal court on charges of aggravated identity theft, threatening to damage a protected computer, and conspiring to commit those and other computer fraud offenses, related to his role in a computer hacking collective known as “The Dark Overlord,” which targeted victims in the St. Louis, Missouri, area beginning in 2016.

Nathan Wyatt, 39, was extradited from the United Kingdom to the Eastern District of Missouri and arraigned on Dec. 18 before U.S. Magistrate Judge Shirley Padmore Mensah. He pleaded not guilty and was detained pending further proceedings. A federal grand jury indicted Wyatt on Nov. 8, 2017.

According to court records, beginning in 2016, Wyatt was a member of The Dark Overlord, a hacking group that was responsible for remotely accessing the computer networks of multiple U.S. companies without authorization, obtaining sensitive records and information from those companies, and then threatening to release the companies’ stolen data unless the companies paid a ransom in bitcoin. Victims in the Eastern District of Missouri included healthcare providers, accounting firms, and others.
Among other things, Wyatt is alleged to have participated in the conspiracy by creating email and phone accounts that he used to send threatening and extortionate emails and text messages to certain victims, including victims in the Eastern District of Missouri.

….

The investigation was conducted by the FBI’s St. Louis Field Office. The FBI’s Atlanta Field Office also provided support. The Criminal Division’s Office of International Affairs coordinated the extradition of Wyatt. The department thanks law enforcement and international cooperation authorities in the United Kingdom for their substantial assistance in the investigation.

Senior Counsel Laura-Kate Bernstein of the Criminal Division’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorneys Gwendolyn Carroll and Matthew Drake of the Eastern District of Missouri are prosecuting the case.

The details contained in the charging document are allegations. The defendant is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Related: In a previous post, I have named the victim entities based on the indictment’s description of them and my previous extensive reporting on thedarkoverlord.

Related: the Indictment:
Nathan Wyatt, the 38 year-old U.K. resident known as “Crafty Cockney” on AlphaBay market, has lost his bid to convince the High Court to overturn a lower court’s ruling that he should be extradited to the U.S. Today’s ruling means that Wyatt is one step closer to being extradited to stand trial in federal court in the Eastern District of Missouri on charges related to some of the earlier hacks and extortion attempts by thedarkoverlord (TDO).

Wyatt was indicted on November 8, 2017 on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. DataBreaches.net has previously hypothesized the identities of the victim medical practices described in the indictment.

The High Court’s ruling, issued this morning, began with a recap of the sole issue before the court at this point:

The Government of the United States seeks the extradition of the appellant on charges relating to computer hacking with associated demands for money and the dissemination on the internet of personal medical records. On 25 January 2019 District Judge Tempia sent the appellant’s case to the Secretary of State who subsequently ordered his extradition. The sole issue before the judge was whether the forum bar to extradition found in section 83A of the Extradition Act 2003 [“the 2003 Act”] should operate to prevent extradition on the basis that the interests of justice, as defined in that section, favoured prosecution in this jurisdiction. The judge examined each of the statutory factors that inform that question. She concluded that it was in the interests of justice for the appellant to be extradited for trial in the United States. This is his appeal against the decision to send the case to the Secretary of State.

Wyatt’s alleged crimes and the extradition case have been covered in previous posts on this site, but they are also explained in the background section of the court’s ruling. It is not clear from the U.S.
Department of Justice’s filings whether the DOJ believes that Wyatt is the individual who was the spokesperson for thedarkoverlord (TDO) in 2016 and 2017, or if they believe he was the mastermind behind TDO, or if they believe he was just a member or associate. There were no other suspects named in the DOJ’s filings, although they noted that there were ongoing investigations into others. Significantly, Wyatt was not charged with actually hacking any entity. Was Wyatt really intimately involved in all of TDO’s early hacks and extortion attempts as DOJ alleges? That will be for a trial court to determine.

In the immediate future, though, Wyatt and his solicitors have a decision to make. If I understand their processes in the U.K., Wyatt now has 14 days to apply to the High Court for permission to appeal to the U.K.’s Supreme Court. If the High Court refuses his application to appeal — or if he makes no application at all — then he will be extradited within 28 days of the end of the 14 day period. But while Wyatt can apply for leave to appeal, my understanding is that at this point, Wyatt’s basis for any further appeal is extremely limited as he can only seek permission to appeal on a point of law.

DataBreaches.net reached out to the Department of Justice International Affairs office, Tuckers Solicitors (Wyatt’s solicitors), and Wyatt’s partner/fiancee for comments on today’s ruling, but received no immediate replies. This post may be updated if comments are received.

Update: A spokesperson for DOJ responded that as a matter of longstanding policy, DOJ generally does not comment on extradition-related matters until a defendant is in the United States.
It has been more than three years since a threat actor or group calling themselves thedarkoverlord (TDO) dramatically announced that they were hacking medical practices and demanding large amounts of bitcoin to not dump or sell patient data. Tomorrow, one man allegedly associated with TDO will be hoping that his lawyers can successfully appeal a District Judge’s decision to extradite him to the U.S. His appeal will be heard by a panel of High Court judges.

Nathan Wyatt, a 38 year-old man from Wellingborough who is also known as “Crafty Cockney,” faces six counts in an indictment issued by a grand jury in the Eastern District of Missouri:

One count of conspiracy against the U.S. (18 USC 371)
Two counts of aggravated identity theft (18 USC 1028)
Three counts of threatening damage to a protected computer (18 USC 1030)

The affidavit filed by DOJ lists five victim companies — four in Missouri and one in Atlanta. The affidavit links all five victims and extortion attempts to Wyatt in various ways. There is a lot of detail about the evidence the prosecution will be presenting at trial — IP addresses, email addresses, bank account information, phone numbers, and other information that they claim can be traced directly to Wyatt. Based on their detailed affidavit, Wyatt seems to have been stunningly sloppy in his operational security or overconfident as he allegedly used his unmasked personal details to register for accounts that were used to register for other accounts used as part of criminal operations. He left what appears to be a very compelling trail linking him to thedarkoverlord (TDO) activities. Of course, these are just unproven allegations at this point.
But even if Wyatt is not the brains/leader of TDO (and anyone who uses their own details and their fiancee’s personal details to set up bank accounts to receive extortion payments does not strike me as likely to be the brains of a criminal enterprise), the government appears to have built a convincing case that he was a conspirator in this organized hacking and extortion ring.

Wyatt’s appeal of the extradition ruling will likely focus on the argument that the crimes that he allegedly committed would have been committed in the U.K., even though their impact might be in the U.S. His solicitors will likely also argue that because Wyatt has no ties to the U.S., but has children in the U.K. and a fiancee with whom he lives and co-parents, the interests of justice would be better served by having him stand trial in the U.K.

The DOJ’s filings, which are not public at this point, describe, but do not name the five victim entities, but here’s who I think the filings are describing:

Victim 1 is described, in part, as an entity in Farmington, Missouri. The description and dates of emails suggests that Victim 1 is likely Midwest Pain & Spine.

Victim 2 is described as a health records management firm. That one would be Quest Health Information Management Solutions. Of note, the government filing indicates that Victim 2 did pay ransom.

Victim 3 was described as having multiple locations in Missouri. That sounds like Prosthetic & Orthotic Care.

Victim 4 was described as a public accounting firm in St. Louis, whose owner’s first name is “David.” Although I never reported on this one publicly, it sounds like they are describing Smith Patrick LLC. TDO had informed me of that one and shown me some screenshots as proof. He had also tweeted something about this one but then removed the tweets.

Victim 5 is a medical clinic in Atlanta.
For multiple reasons in the description of this victim, it seems clear that they are referring to the Athens Orthopedic Clinic case that I have reported on numerous times on this site.

These five victims are just a drop in the bucket for what TDO did while they were active (and I do not know if they are still active). We do not know how many other grand juries around the U.S. have also indicted Wyatt or what other charges he may face in the U.S. The Eastern Missouri indictment does not indict any other individuals. If Wyatt is extradited and winds up facing a lot of time in a U.S. federal prison, will he flip on others?

TDO disappeared from public view in January 2019 after KickAss Forum shuttered its doors. Wyatt learned at the end of January that he would be extradited to the U.S. Is TDO’s continued disappearance since then connected to Wyatt’s extradition situation?

To be clear: Wyatt has not been charged with actually doing any hacking (at least not in this indictment). But he doesn’t have to be charged or convicted for actual hacking to face a lot of prison time. Think of Barrett Brown’s case to realize that conspiracy can be a serious matter.

One curious note: Wyatt is being represented by Tucker Solicitors. That is a law firm that he is unlikely to be able to afford. In the past, Wyatt told this blogger that the royal family had retained those solicitors to represent him as they didn’t want the hacked pictures of Pippa Middleton coming out. This site could not confirm or refute Wyatt’s claim about that, but if he was telling the truth back then, is the royal family still paying Tucker Solicitors’ fees? DataBreaches.net reached out to the solicitors to ask them some other questions, but got no response at all, so that question hasn’t been put to them. [UPDATED Oct. 22: Wyatt’s fiancee says that the royals are not paying the fees (see her comment below this post).]

Tomorrow, the lawyers will argue their positions.
The High Court panel can then issue a decision immediately or they may reserve judgment until a later date. It will be interesting to see what they decide and why.
Bill Rankin reports: In the spring of 2016, a cyber thief calling himself the “Dark Overlord” hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients. The Athens Orthopedic Clinic refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients — demanding that the clinic pay damages — could set a precedent in Georgia, where reports of data breaches have been soaring. Read more on AJC. The plaintiffs in the case are Christine Collins, Paulette Moreland, and Kathryn Strickland. The case number for the docket is S19G0007.