Nathan Wyatt, the 38-year-old U.K. resident known as “Crafty Cockney” on AlphaBay market, has lost his bid to convince the High Court to overturn a lower court’s ruling that he should be extradited to the U.S.

Today’s ruling means that Wyatt is one step closer to being extradited to stand trial in federal court in the Eastern District of Missouri on charges related to some of the earlier hacks and extortion attempts by thedarkoverlord (TDO). Wyatt was indicted on November 8, 2017 on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. DataBreaches.net has previously hypothesized the identities of the victim medical practices described in the indictment.

The High Court’s ruling, issued this morning, began with a recap of the sole issue before the court at this point:

The Government of the United States seeks the extradition of the appellant on charges relating to computer hacking with associated demands for money and the dissemination on the internet of personal medical records. On 25 January 2019 District Judge Tempia sent the appellant’s case to the Secretary of State who subsequently ordered his extradition. The sole issue before the judge was whether the forum bar to extradition found in section 83A of the Extradition Act 2003 [“the 2003 Act”] should operate to prevent extradition on the basis that the interests of justice, as defined in that section, favoured prosecution in this jurisdiction. The judge examined each of the statutory factors that inform that question. She concluded that it was in the interests of justice for the appellant to be extradited for trial in the United States. This is his appeal against the decision to send the case to the Secretary of State.

Wyatt’s alleged crimes and the extradition case have been covered in previous posts on this site, but they are also explained in the background section of the court’s ruling.

It is not clear from the U.S. Department of Justice’s filings whether the DOJ believes that Wyatt is the individual who was the spokesperson for thedarkoverlord (TDO) in 2016 and 2017, or if they believe he was the mastermind behind TDO, or if they believe he was just a member or associate. There were no other suspects named in the DOJ’s filings, although they noted that there were ongoing investigations into others. Significantly, Wyatt was not charged with actually hacking any entity.

Was Wyatt really intimately involved in all of TDO’s early hacks and extortion attempts as DOJ alleges? That will be for a trial court to determine.

In the immediate future, though, Wyatt and his solicitors have a decision to make. If I understand their processes in the U.K., Wyatt now has 14 days to apply to the High Court for permission to appeal to the U.K.’s Supreme Court. If the High Court refuses his application to appeal — or if he makes no application at all — then he will be extradited within 28 days of the end of the 14-day period. But while Wyatt can apply for leave to appeal, my understanding is that at this point, Wyatt’s basis for any further appeal is extremely limited as he can only seek permission to appeal on a point of law.

DataBreaches.net reached out to the Department of Justice International Affairs office, Tuckers Solicitors (Wyatt’s solicitors), and Wyatt’s partner/fiancee for comments on today’s ruling, but received no immediate replies. This post may be updated if comments are received.

Update: A spokesperson for DOJ responded that as a matter of longstanding policy, DOJ generally does not comment on extradition-related matters until a defendant is in the United States.

It has been more than three years since a threat actor or group calling themselves thedarkoverlord (TDO) dramatically announced that they were hacking medical practices and demanding large amounts of bitcoin to not dump or sell patient data. Tomorrow, one man allegedly associated with TDO will be hoping that his lawyers can successfully appeal a District Judge’s decision to extradite him to the U.S. His appeal will be heard by a panel of High Court judges.

Nathan Wyatt, a 38-year-old man from Wellingborough who is also known as “Crafty Cockney,” faces six counts in an indictment issued by a grand jury in the Eastern District of Missouri:

One count of conspiracy against the U.S. (18 USC 371)
Two counts of aggravated identity theft (18 USC 1028)
Three counts of threatening damage to a protected computer (18 USC 1030)

The affidavit filed by DOJ lists five victim companies — four in Missouri and 1 in Atlanta. The affidavit links all five victims and extortion attempts to Wyatt in various ways. There is a lot of detail about the evidence the prosecution will be presenting at trial — IP addresses, email addresses, bank account information, phone numbers, and other information that they claim can be traced directly to Wyatt.

Based on their detailed affidavit, Wyatt seems to have been stunningly sloppy in his operational security or overconfident as he allegedly used his unmasked personal details to register for accounts that were used to register for other accounts used as part of criminal operations. He left what appears to be a very compelling trail linking him to thedarkoverlord (TDO) activities. Of course, these are just unproven allegations at this point.
But even if Wyatt is not the brains/leader of TDO (and anyone who uses their own details and their fiancee’s personal details to set up bank accounts to receive extortion payments does not strike me as likely to be the brains of a criminal enterprise), the government appears to have built a convincing case that he was a conspirator in this organized hacking and extortion ring.

Wyatt’s appeal of the extradition ruling will likely focus on the argument that the crimes that he allegedly committed would have been committed in the U.K., even though their impact might be in the U.S. His solicitors will likely also argue that because Wyatt has no ties to the U.S., but has children in the U.K. and a fiancee with whom he lives and co-parents, the interests of justice would be better served by having him stand trial in the U.K.

The DOJ’s filings, which are not public at this point, describe, but do not name, the five victim entities, but here’s who I think the filings are describing:

Victim 1 is described, in part, as an entity in Farmington, Missouri. The description and dates of emails suggest that Victim 1 is likely Midwest Pain & Spine.

Victim 2 is described as a health records management firm. That one would be Quest Health Information Management Solutions. Of note, the government filing indicates that Victim 2 did pay ransom.

Victim 3 was described as having multiple locations in Missouri. That sounds like Prosthetic & Orthotic Care.

Victim 4 was described as a public accounting firm in St. Louis, whose owner’s first name is “David.” Although I never reported on this one publicly, it sounds like they are describing Smith Patrick LLC. TDO had informed me of that one and shown me some screenshots as proof. He had also tweeted something about this one but then removed the tweets.

Victim 5 is a medical clinic in Atlanta.
For multiple reasons in the description of this victim, it seems clear that they are referring to the Athens Orthopedic Clinic case that I have reported on numerous times on this site.

These five victims are just a drop in the bucket for what TDO did while they were active (and I do not know if they are still active). We do not know how many other grand juries around the U.S. have also indicted Wyatt or what other charges he may face in the U.S. The Eastern Missouri indictment does not indict any other individuals. If Wyatt is extradited and winds up facing a lot of time in a U.S. federal prison, will he flip on others? TDO disappeared from public view in January 2019 after KickAss Forum shuttered its doors. Wyatt learned at the end of January that he would be extradited to the U.S. Is TDO’s continued disappearance since then connected to Wyatt’s extradition situation?

To be clear: Wyatt has not been charged with actually doing any hacking (at least not in this indictment). But he doesn’t have to be charged or convicted for actual hacking to face a lot of prison time. Think of Barrett Brown’s case to realize that conspiracy can be a serious matter.

One curious note: Wyatt is being represented by Tuckers Solicitors. That is a law firm that he is unlikely to be able to afford. In the past, Wyatt told this blogger that the royal family had retained those solicitors to represent him as they didn’t want the hacked pictures of Pippa Middleton coming out. This site could not confirm or refute Wyatt’s claim about that, but if he was telling the truth back then, is the royal family still paying Tuckers Solicitors’ fees? DataBreaches.net reached out to the solicitors to ask them some other questions, but got no response at all, so that question hasn’t been put to them. [UPDATED Oct. 22: Wyatt’s fiancee says that the royals are not paying the fees (see her comment below this post).]

Tomorrow, the lawyers will argue their positions.
The High Court panel can then issue a decision immediately or they may reserve judgment until a later date. It will be interesting to see what they decide and why.

Bill Rankin reports:

In the spring of 2016, a cyber thief calling himself the “Dark Overlord” hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients. The Athens Orthopedic Clinic refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients — demanding that the clinic pay damages — could set a precedent in Georgia, where reports of data breaches have been soaring.

Read more on AJC.

The plaintiffs in the case are Christine Collins, Paulette Moreland, and Kathryn Strickland. The case number for the docket is S19G0007.

Yet another healthcare provider has revealed that they were hacked by thedarkoverlord (TDO). Dr. Robert Spies, a plastic surgeon in Scottsdale, Arizona, has notified HHS and his patients of the hackers’ attempt to extort the practice. Although he does not name the hackers responsible in a notice on his web site, Dr. Spies explains:

On December 10, 2018, we became aware cyber criminals gained unauthorized access to our computer network. We immediately contacted the FBI and local law enforcement authorities and have been cooperating with their investigations. We also engaged computer experts to determine if our systems and information were at risk. The investigation determined that the criminals could have viewed or accessed documents that contained patients’ personal and medical information, including names, addresses, dates of birth, procedure notes, diagnoses, medications and health insurance numbers. For a small handful of patients, the criminals could have viewed Social Security, driver’s license and/or passport numbers, if provided for verification purposes, a credit card number or financial account number, or pre-op photos. At this time, there is no evidence that patient information has been misused.

His report is entirely consistent with other information DataBreaches.net had obtained about this incident. In December, thedarkoverlord had posted a notice on KickAss that said:

We’ve hacked a high-end plastic surgery business located in Arizona, United States. This surgery center is owned by Doctor Robert J. Spies and operates on celebrity patients. His website is (www.azplasticsurgerycenter.com). We’ll share some of his data with you, since he’s refused our most handsome business proposition. Link: (link redacted by DataBreaches.net, even though it is no longer live). If you’d like to let him know how foolish he’s been, you can SMS his mobile at (redacted by DataBreaches.net) or his e-mail at (redacted by DataBreaches.net).

The sample data was a 531.8 MB archive with folders containing “Dictations” (75 files), “Photos” (more than 160 photos), and “Patient ID Verification” (4 files). The Dictations folder and Photos folder contained more than one file or image for some patients, so these were not all unique patients in each folder. Many of the photos in the archive released by the hackers would permit identification of patients because in some cases, you can see the patients’ faces, and in other cases, the filenames for the photos may contain the patient’s first initial and last name. DataBreaches.net is not reproducing any of the data from the archive the hackers provided.

Inspection of the metadata suggests that the newest dictation files were created December 5, 2018 and related to services or consultations conducted on November 28, 2018.

As with their hack of the London Bridge Plastic Surgery Center, TDO may have hoped that people — especially celebrities — would pay good money not to have their before, during, or after pictures of plastic surgery released publicly. Whether TDO is privately trying to extort patients directly is unknown to this site, but Dr. Spies seems to have refused to pay them, and has reported the incident to law enforcement, HHS, and his patients. According to his notification to HHS, he has notified 5,524 patients.

Now THIS is very big news on thedarkoverlord front: Joseph Curtis reports that Nathan Wyatt, who was jailed on fraud charges in the U.K. but has been released from prison there, is now fighting extradition to the U.S. on charges he was involved with hacking and extorting U.S. medical entities as part of thedarkoverlord.

This journalist had interviewed Wyatt exclusively prior to his first arrest in September, 2016, on charges relating to the hack and attempted sale of pictures of Pippa Middleton. Wyatt was not jailed on those charges, however, and this journalist had been told by him that the royal family had intervened so as to avert a court case that might lead to the production of embarrassing photos. Whether that is true or not, this journalist cannot say as lawyers for Wyatt did not respond to inquiries sent at the time.

But Wyatt had also talked extensively with DataBreaches.net about his relationship with thedarkoverlord, which included, he said, teaching thedarkoverlord fraud techniques, and being asked by TDO to make an extortion phone call to a U.S. victim. That call (you can hear it here) was recorded and uploaded to YouTube. Wyatt subsequently linked to it in a post on the now-shuttered AlphaBay dark web marketplace. At times, Wyatt claimed that he never actually made the call and that he just recorded it as a joke because TDO was pressuring him to do it. But if you listen to the recording, you can hear someone else at the beginning answering the phone.

When Wyatt was arrested in 2016 and his devices seized, police found evidence of other crimes, including a hack of an unnamed law firm and an attempt to extort the law firm. It was on those charges that he was ultimately tried and sentenced to prison for 3 years. But law enforcement had also – according to Curtis’s reporting – found evidence that Wyatt had used his own details and live-in partner’s details to set up bank accounts in the U.K. to funnel payments to thedarkoverlord from U.S. medical entities that TDO was attempting to extort at the time.

In a copy/paste error by an associate of Wyatt’s, DataBreaches.net had accidentally been shown the bank account numbers in July 2016. At that time, however, DataBreaches.net did not know that “Nathan Wyatt” was the bad actor known to her as “Crafty Cockney.” And the TDO spokesperson at the time talked about Crafty Cockney as a low-level person or associate but not one of the core people in TDO. The new charges suggest that TDO may have been downplaying Wyatt’s role, and that Wyatt’s claims of tutoring TDO and assisting in other ways may have been more accurate.

So now Wyatt is reportedly fighting extradition to the U.S., it seems. According to Curtis’s reporting:

He has been charged with one count of conspiracy to blackmail healthcare providers in the USA, two counts of aggravated identity theft and three counts of threatening damage to a protected computer. […] An arrest warrant was issued by the US district of Missouri on November 8th, 2017.

Curtis provides a lot of other details that will sound familiar to those who have followed my reporting on thedarkoverlord since 2016. The unnamed health records management firm referred to may be Quest Health Information Management Systems. I had reported how they had been hacked by TDO in 2016, which gave TDO login credentials to Quest’s clients, including medical entities in Missouri and Georgia.

The U.S. government likely has a lot of evidence against Wyatt, but for the benefit of readers who may be a bit confused by this new development, I will state here that Wyatt is almost certainly not the person who was the communicator for TDO back in June – July of 2016. How do I know that? Because I chatted with that individual while Wyatt was still being detained by law enforcement in the U.K. Then too, Wyatt’s writing, which I had ample opportunity to read in extended chats, was nowhere near the level of the individual who ran TDO’s Twitter account back then, who wrote the extortion demands and lengthy letters, and who communicated with journalists. Law enforcement may not have apprehended that first “TDO” yet.

Will Wyatt appeal to the U.K. to try him there for charges relating to hacking and extorting U.S. entities because he has three children there? Probably. But there are so many victims and witnesses in the U.S. and I doubt the U.K. will find him a sympathetic figure, even if he has children. Wyatt does not have the popular support of someone like Lauri Love.

As I frequently have to say when covering all things TDO: stay tuned.

Note: I do not know whether the law firm that Wyatt was convicted for hacking and extorting is the same law firm involved in the 9/11 files that thedarkoverlord has recently publicized and tried to sell. It wouldn’t surprise me if it was the same law firm, but I have no proof or information either way.