A U.K. man extradited to the U.S. in December to stand trial for his role in thedarkoverlord (TDO) has agreed to plea guilty to resolve all charges against him. Nathan Francis Wyatt, also known as “Crafty Cockney,” has agreed to plead guilty to charges stemming from his role in some of thedarkoverlord’s attacks on entities in Missouri and Georgia in 2016. The attacks on medical entities shocked the public because the attackers named and shamed their victims and started dumping patient data if the victims did not pay their extortion demands, which were often in the range of hundreds of thousands of dollars. TDO’s tactics also included calling the victim entities or their family members on the phone or sending them aggressive or crude messages. From the description in court filings, the federal charges against Wyatt stemmed from his alleged roles in attacks against Athens Orthopedic Clinic in Atlanta, Midwest Pain & Spine in Missouri, Prosthetic & Orthotic Care in Missouri, Quest Health Information Management Solutions, and one entity not related to healthcare. None of the victims were named in court filings and the preceding attributions are based on this site’s knowledge of TDO’s attacks and the court’s description of the victims. On May 20, Wyatt’s trial, which had been scheduled to begin June 15, had been delayed to September 21 due to the pandemic. The court noted that holding the trial in June would endanger the public and make it difficult to assemble a fair cross-section of citizens to serve on the jury. Yesterday, however, both his counsel and the government filed a joint motion with the court requesting a consolidated plea and sentencing hearing. Wyatt is represented by a federal public defender, Brocca Morrison. The government is represented by Senior Counsel Laura Kate-Bernstein, Jeffrey B. Jensen, United States Attorney for the Eastern District of Missouri, and Gwendolyn E. Carroll of the Eastern District of Missouri. As detailed in previous coverage on this site, Wyatt had been charged with: One count of conspiracy against the U.S. (18 USC 371 ) Two counts of aggravated identity theft (18 USC 1028); and Three counts of threatening damage to a protected computer (18 USC 1030) He was not charged with actual hacking. The agreed-upon but not yet disclosed guilty plea comes as no surprise because the amount of evidence the prosecution had amassed was somewhat staggering. That said, this site and blogger have disputed any claim that Wyatt was ever the leader of thedarkoverlord in 2016 or 2017, but it was clear from my interviews and chats with him that he had been involved in assisting or conspiring with one other person in a number of ways. The plea and sentencing hearing will not take place for at least 90 days. Wyatt is the first person to have been publicly identified as arrested and charged for participation in TDO crimes. He had claimed in the past to know the real identity of the young person that he referred to as “Dark” but that claim may have been part of a scam that he was trying to run. Wyatt reportedly later told someone else that he didn’t know the other’s real identity.
There’s a small update in the proceedings involving Nathan Wyatt, aka “Crafty Cockney,” the U.K. national who has been charged in the Eastern District of Missouri for his alleged role in hacks and extortion attempts by thedarkoverlord (TDO). Wyatt had been charged in a sealed indictment back in 2017, and was arrested in the U.K. after serving jail time there for crimes that included hacking and attempting to extort a law firm as “thedarkoverlords.” The U.S.’s extradition request was granted, and Wyatt has been in custody in the U.S. since December, 2019. In January, he pleaded not guilty to one count of conspiracy to blackmail healthcare providers, two counts of aggravated identity theft, and three counts of threatening damage to a protected computer.involving conspiracy and extortion. On April 20, Wyatt’s attorney notified the court that he was waiving his right to file any pre-trial motions. With that no longer an issue, the court went ahead and scheduled Wyatt’s trial for June 15 before Honorable Ronnie L. White, United States District Judge. Whether this case actually goes to trial or Wyatt makes a plea deal remains to be seen. He can request a plea hearing any time before the June 15 trial date. This site has reported on Wyatt numerous times. You can find previous coverage by searching this site for “Crafty Cockney.” Additional coverage of TDO can be found by searching this site for “thedarkoverlord.”
For the past few years, this site has covered litigation against Athens Orthopedic Clinic in Georgia related to their hack by thedarkoverlord in 2016. The lawsuit against the clinic, filed by a patient, made it all the way to the Georgia Supreme Court on the issue of whether under Georgia state law, the plaintiff had shown enough harm to survive a motion to dismiss. The state’s highest court agreed with the plaintiff on appeal, and the case has been remanded. And while that case may be costly for the clinic, that hack may also be costly for an alleged member of thedarkoverlord (TDO) who was extradited to the U.S. to stand trial for his alleged role in hacks in Missouri and Atlanta — including, it appears, the Athens Orthopedic Clinic hack (although the court filings do not name the victim entities). According to the federal complaint against him, Nathan Wyatt, aka “Crafty Cockney” and “Mas Mas,” allegedly set up accounts that were used as part of TDO’s hacking and extortion operations, and he allegedly called a victim and threatened him in rap as to what would happen if the victim didn’t pay up. But the Athens Orthopedic Clinic hack may not be the only TDO hack Wyatt was allegedly involved in that has resulted in litigation. Regular readers may recall that in 2018, TDO started leaking what they claimed were hacked files related to 9/11. Those files came from a law firm used by insurer Hiscox. Hiscox informed this site that they had learned of the breach in April 2018, but Hiscox’s statement to this site did not reveal that the unnamed law firm was hacked in December 2016. This week, Hiscox filed suit against the Missouri-based law firm, Worden Grier, LLP. The suit was first reported by Law360.com. In the complaint, the insurer alleges that: 11. On or around December 2016, an international hacker organization known as “The Dark Overlord” (“Hackers”) gained unauthorized access to Warden Grier’s computer system containing all of the sensitive information, including PI, stored on Warden Grier’s servers (the “2016 Data Breach”). 12. On information and belief, Hiscox understands that Warden Grier contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 Data Breach or, if it did, has refused to provide Hiscox with the findings of any such investigation. 13. Despite being aware of the 2016 Data Breach, Warden Grier actively concealed or otherwise did not notify Hiscox or Hiscox’s insureds—all of whom were Warden Grier’s clients—of the 2016 Data Breach. Hiscox claims that they became aware of the breach on March 28, 2018, when some of the data appeared on the dark web. When they investigated by contacting Warden Grier, they learned that Warden Grier had not only failed to inform them, but they had not informed any of Hiscox’s clients. According to the complaint, Warden Grier paid TDO ransom or other demand to protect its and its clients’ personal information from dissemination. [DataBreaches.net notes that this would not be the first time that TDO was paid ransom and then disclosed data anyway. TDO occasionally claimed that a victim had violated some provision of their agreement, thereby justifying their actions in either dumping data or demanding further payment.] In any event, the Hiscox lawsuit is interesting because in December 2016, law enforcement in the U.K. charged Nathan Wyatt with a number of crimes, including hacking an unnamed law firm and trying to extort it. Wyatt pleaded guilty to all charges and was jailed. So was that law firm Warden Grier? If so, then Wyatt may have already served time for that hack in a U.K. jail. Or was this yet another law firm? DataBreaches.net has been unable to reach Warden Grier yet, but has sent an inquiry to Hiscox’s law firm in the suit and will update this post if more information becomes available.
DataBreaches.net continues to monitor the court docket in the case of Nathan Wyatt, aka “Crafty Cockney,” an alleged member of thedarkoverlord. As I’ve reported previously, Wyatt, a U.K. citizen who was extradited to the U.S. to stand trial here, is not charged with actually hacking any of the victim entities in a case filed in the Eastern District of Missouri. He is charged with one count of conspiracy, two counts of aggravated identity theft, and three counts of threats to damage protected computers. Not surprisingly, the court has given both the government and defense more time because Wyatt’s case is considered a “complex case.” To give you an idea of how complex this case is, a government motion for findings of fact and a proposed scheduling order was filed on January 6, 2020. That motion states, in part: Evidence and materials collected during the course of the investigation are voluminous in that the investigation took place over a number of years and involved a multiple Federal Bureau of Investigation Field Offices as well as evidence obtained from foreign countries through the use of Mutual Legal Assistance Treaties. A number of different law enforcement agencies from multiple foreign countries have played a role in this investigation. Discovery in this matter will likely be a lengthy and on-going process. Discovery in the case includes hundreds of thousands of pages of documents, records obtained by grand jury subpoenas, search warrants, court orders, pen registers, and mutual legal assistance treaty requests. Additionally, the investigation involved the seizure and forensic examination of several electronic devices. Much of the material obtained contains sensitive medical records and other personally identifying information of victims. Discoverable materials include, but are not limited to: (a) court-authorized search warrants, (b) court-authorized orders issued pursuant to Title 18, United States Code, Section 2703(d), (c) court-authorized orders issued pursuant to Title 18, United States Code, Section 3121, (d) documents and records containing sensitive information provided by victims, (e) mutual legal assistance treaty requests, (f) reports and memoranda related to multiple law enforcement agencies and interviews, and (g) forensically examined electronic devices. That’s a lot of data and evidence to sift through and process. Wyatt’s defense counsel joined the government in the request to have this declared a complex case and to allow more time for discovery in the interests of justice. The court issued the order, as well as a protective order that limits the distribution of materials shared with the defense during discovery. The protective order does not impact court records that are public records, but will impact materials that might include personally identifiable information, protected health information, or other sensitive information. The next court date is February 21 and is an attorneys-only conference to update the court on discovery progress.
In what seems like a mind-boggling OPSEC #FAIL, a U.K. man associated with thedarkoverlord allegedly used his real details to create bank accounts as well as to open email accounts, phone numbers, vpn, Twitter, and PayPal accounts that thedarkoverlord used as part of its operations to hack and extort victims. For a group that signed their pastes and extortion demands as a “Professional Adversary,” the revelations should be embarrassing, to say the least. But embarrassment may be the least of their problems. Now that Nathan Wyatt is in custody in the U.S. awaiting trial for his alleged role, will he roll on others to get himself a deal? In June, 2016, an individual or group calling themself “thedarkoverlord” (TDO) announced that they/he had hacked three patient databases and put them up for sale on a dark web marketplace. Since that time, this site has reported on TDO’s criminal activities dozens of times, but even the many hacks this site has covered represent only a small fraction of TDO’s actual criminal operations. The scope of their attacks often tends to get lost in mainstream media coverage that tends to only point out hacks involving Orange is the New Black, celebrity patients, or well-known corporations like Gorilla Glue. But TDO has hit numerous big and small businesses, school districts, universities, and big and small medical entities. And over the past few years, those of us who have watched them have seen them grow increasingly aggressive and violent in their imagery and threats. But then things seemed to suddenly stop. In early 2019, KickAss Forum shuttered. Without that forum to post their offerings and banned from most social media platforms they had been using to try to sell hacked files, TDO disappeared from public view. They haven’t responded to emails I have sent to their email account for journalists, and they didn’t re-emerge on New Year’s Eve with a major hack announcement as they have done in past years. So where’s TDO? Are they in custody or have they gone to ground because one of their alleged members, Nathan Wyatt, is now in U.S. custody awaiting trial? Have they continued hacking entities? Or are they just relaxing somewhere enjoying retirement? Significantly, perhaps, their disappearance from public view roughly corresponds with Wyatt losing his appeal of a ruling ordering his extradition to the U.S. Either way, for a criminal operation that often tried to portray itself as a polished and professional adversary, Nathan Wyatt is not a good look for them. Who is Wyatt? Nathan Francis Wyatt, 39, is an unemployed U.K. national who lives in Wellingborough with his fiancee, Kelly Howell, and some of their children. He and his fiancee live off the welfare benefits they receive from the government. Wyatt has acknowledged that he has supplemented those benefits with illegal online activities. Unless there’s some plea deal worked out, Wyatt will be tried in federal court in St. Louis for his alleged role in some of the early TDO hacks and extortion attempts in Missouri, Illinois, and Georgia. The indictment can be found here. Wyatt faces trial here on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. Although DOJ did not name the victim entities in their court filings, I have identified the victim entities (with one possible exception) based on DOJ’s descriptions, my previous detailed reporting on the breaches, and the fact that some of the evidence DOJ provides in the affidavit exactly matches files that had been given to me by TDO for those victims. Wyatt, whose online nicks include “Crafty Cockney,” “Hardcore,” and “Mas,” pleaded not guilty in his first appearance in federal court in December after losing his attempt to prevent extradition. OPSEC? What OPSEC? Anyone reading the affidavit supporting the government’s extradition request may understandably conclude that Wyatt should try try make a plea deal. There appears to be a tremendous amount of compelling evidence supporting the charges, although of course, those are just allegations that need to be proved in court. But then also remember that DOJ did not show all its evidence in the affidavit. They likely withheld what they consider to be other damning evidence that they will present at a later date or use to persuade Wyatt to plead guilty. Actually, if you read the affidavit, you may well wonder what on earth Wyatt could possibly have been thinking when he allegedly used his own personal details to open email, phone, PayPal, and bank accounts that were used for criminal purposes.* Did Wyatt’s alleged co-conspirators have any idea how casual and negligent he was about OPSEC or did they know what he was doing? From statements made to me by TDO in September 2016, they had no idea that “Crafty Cockney’s” real name was Nathan Wyatt and so when they saw the bank accounts he had set up, they did not know it was his real name and his fiancee’s real name and their real addresses. Whether TDO was telling me the truth in disclaiming any previous knowledge of Wyatt’s identity remains to be determined. Wyatt was no stranger to crime The current charges represent only a small part of Wyatt’s alleged criminal activity over the past 3 years.** Charges against him in 2016 for his role in selling hacked photos of Pippa Middleton were dropped and he never served any time for his role in that case. Those close to that situation believe that the charges were dropped to spare Middleton the stress of a court case and not for lack of evidence. Both The Sun and this blogger had quite a bit of evidence showing Wyatt’s involvement in the attempted sale of the photos. But while Wyatt seemed to have caught a break in the Pippa Middleton case, he wound up arrested again months later because in the process of investigating the Middleton matter, prosecutors found evidence of other crimes on his devices. As a result of their discovery and […]