All members of Rex Mundi have now been arrested – Europol report

I haven’t posted anything new about Rex Mundi since 2016, but I’ve continued to compile information on them, in part because their use of the extortion model predated the same approach by TheDarkOverlord. But now it appears that all eight members of Rex Mundi have been arrested in a series of arrests beginning in June, 2017. And the fact that Europol was able to link available information on one attack in the U.K. to a French national within one hour, well…. that’s impressive.

Here’s Europol’s press release of June 14:

FRENCH CODER WHO HELPED EXTORT BRITISH COMPANY ARRESTED IN THAILAND – EUROPOL

A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eight (sic) in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago.

In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.

A few days later, the company received a phone call from a French-speaking person explaining that he was a member of Rex Mundi. This person shared a large number of credentials with the company to prove that they had access to the data. He also demanded ransom of either almost EUR 580 000 for the non-disclosure of the customer data or over EUR 825 000 for information on the security breach and how to handle it. For each day the company failed to pay, there would be a ransom of EUR 210 000. The ransom was to be paid in Bitcoin.

Based on information from the Metropolitan Police in the UK, the French National Police (High Tech Crime Unit Central Office OCLCTIC-DCPJ) and Europol were informed and an intense international cooperation started. Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national.

Five people were arrested in June 2017 by the French authorities. The main suspect admitted his involvement in the blackmail but hired the services of a hacker on the dark web to carry out the cyber-attack. The French National Police arrested two hackers in France in October 2017 and a final accomplice, also a French national with coding skills, was recently apprehended in Thailand.

This case illustrates that cyber-related extortion remains a common tactic among cybercriminals, as identified in the IOCTA 2017. As indicated in the report, for such financially motivated extortion attempts, attacks are typically directed at medium-sized or large enterprises, with payment almost exclusively demanded in Bitcoins.

SOURCE: Europol

Loan application data held by AFC Kredieten hacked by Rex Mundi, company responds: Meh, not our customers

Jennifer Baker reports:

Hacker collective Rex Mundi has stolen 24,000 financial records from Belgian loan company AFC Kredieten, it claims, and if the company doesn’t pay up before Friday at 8pm, it will publish every loan applicant record in its possession.

As proof that they have successfully hacked the company, Rex Mundi has already published some personal accounts and left a banner notification on the AFC Kredieten website. As of the time of this posting, their home page is gone and replaced with a default Plesk page.

AFC Kredieten needs a serious attitude adjustment, it seems, as they appear to consider only themselves the victim and did not express any concern for those who provided their details in the hopes of securing loans. Baker reports:

A spokeswoman for AFC Kredieten, when asked if customers whose data had been stolen had been informed, replied: “They are not our customers. They are applicants, we had not necessarily organised a loan for them yet. AFC Credits is the victim here. What that group did is illegal and writing about it would be against the law.” She also said that there would not be any reputational damage to the company if the records were published.

Read more on The Register.

“Writing about it would be against the law?” I’m calling bullshit on that, oh unnamed spokeswoman. Come after me if you think otherwise. And if you think your company’s reputation can’t be harmed by bad press or outrage on Twitter, think again.

In the meantime, this is not the first Belgian entity Rex Mundi has gone after. Has the Belgian Privacy Commission done anything to any of the companies with inadequate security that Rex Mundi has exposed?

As threatened, Rex Mundi dumps Labio patients’ diagnostic test results

As they had threatened to do if Labio did not pay them €20,000, the hacker collective known as Rex Mundi has started dumping/disclosing identifiable patient data. The dump was announced on Twitter by the @RexMundi2015 account. confirmed that the records appear to be the results of lab tests performed on patients whose names, dates of birth, referring doctor, and test results are now publicly exposed.

As of the time of this posting, there is still no mention of the incident on Labio’s web site, and the firm has not yet responded to an inquiry from earlier today as to whether they have notified affected patients or intend to notify them.

Labio joins 16 other firms who have had their client or patient data revealed after refusing to pay Rex Mundi’s extortion demands. So far, none of the firms appear to be U.S.-based. When asked what percent of firms do pay them, a spokesperson for Rex Mundi informed that over 50% of the entities they have hacked have paid the demanded monies to keep the hack quiet and to avoid having their clients’, employees’, or patients’ personal information publicly dumped.

Rex Mundi statement on their motives and methods

@RexMundi2015 issued a statement today, to set the record straight.

Dear friends and foes,

Over the past few months, we have read a series of inaccurate facts about us in the press. We therefore would like to take the time to correct some of the most common misconceptions regarding our activities.

– The companies we targeted have only one thing in common: mediocre IT security protocols or poorly-designed Web applications. After successfully hacking a website, we always give its owners a clear choice: pay up to protect the data they failed to secure from getting released over the Web or refuse to pay to clean up their own mistakes.

To this, of course, some might object that those companies are not responsible for getting hacked — we are. But, think about this scenario for a moment: your best friend lends you her car. You park it at night in a sketchy neighborhood and leave it unlocked with the keys on the front seat. Coming back in the morning, you realize the car has of course been stolen. Who is responsible? The thief of course should be blamed for it. But aren’t you also to blame? Your friend trusted you to keep her car safe, something which you failed to do.

Similarly, while we are obviously to blame for these hacks, we feel that the companies we target are also partly responsible for their users’ data getting stolen. All in all, this creates a very interesting and fascinating moral dilemma.

– Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place. This code of conduct was devised not out of some misplaced sense of honor, but simply to maximize our chances of getting paid. It is quite simple:

* Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.
* We never discuss or even acknowledge the fact that some of our past targets might have paid us.
* We automatically delete all of the stolen data once a full payment has been made.
* We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.

Once again, this code of conduct is simply there to ensure we do end up getting paid. If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.

– Finally, we would like to mention that whether a company agrees to pay us or not has no impact on our future endeavors. We will continue to target vulnerable websites, regardless of how many companies refuse or accept to pay.

Twitter: @RexMundi2015

Rex Mundi

PS: Shouldn’t Labio have informed its patients of the breach?

Rex Mundi threatens to expose patients’ blood test results if lab doesn’t pay extortion demand (update 1)

Rex Mundi is back again. After hacking Synergie and dumping data from Temporis in January, the hackers, who have made a business of hacking for profit, have announced that they have now hacked a diagnostic laboratory in France, Labio. And once again, they announced the hack on Twitter:

hacked last week. 100’s of blood test results in our possession. #infosec #hack #piratage #Labio — Rex Mundi (@RexMundi2015) March 13, 2015

@Cyber_War_News @TheHackersNews We hacked and downloaded 100’s of blood test results in PDF.We post them Tues if Labio doesn’t pay. — Rex Mundi (@RexMundi2015) March 13, 2015

A pop-up notice on the lab’s web site this afternoon indicated that the server was temporarily unavailable due to a “technical problem:”

RESULTS SERVER UNAVAILABLE

Due to a technical problem, the online results server is temporarily unavailable. In an emergency, please contact your laboratory, which can send you your results by e-mail, fax or post. The management of LABIO apologises for this inconvenience.

In response to a tweeted question from, Rex Mundi indicated that they had demanded €20,000 from Labio not to release the data. Because they have followed through on their threats in the past when organizations have not paid the extortion demands, we’ll have to see what happens on Tuesday.

Other entities hacked by Rex Mundi include Swiss bank Banque Cantonale de Geneve, French loan company Credipret, Swiss web hosting company Hoststar,,, Easypay Group payroll company in Belgium, Webassur, Thomas Cook Belgium, Finalease Car Credit, Mensura, Drake International,, ECAAssurances, Mutuelle La Frontaliere, and Domino’s Pizza, among their targets.

Update 1 (March 14): As they have done in other hacks, the hackers have posted the names of those whose data they have acquired. They did not post any lab results, but the names and dates of the reports were posted with a preface:

Dear friends and foes,

Last week, we hacked the website of Labio, a French clinical laboratory. From the test results server, we downloaded hundreds of blood test results in addition to all of the 40,000+ stored login credentials.

We offered Labio not to release their patients’ data in exchange for a very reasonable EUR 20,000. Unfortunately, so far, it seems as if they would rather save a little bit of money rather than protect their patients’ privacy. Something which is rather ironic considering they failed to secure this data in the first place.

If we do not get paid before next Tuesday at 4PM, we will release all of the data in our possession — including the blood test results.

If your name is listed below, your results are unfortunately now stored on our servers. Do not hesitate to call Labio and ask them why they so far declined to protect your privacy.