Trial starts next week in case of law firm sued by insurer for not disclosing thedarkoverlord hack

A trial involving a lawsuit against a law firm that was hacked in 2016 and paid extortion to thedarkoverlord but never notified their clients of the breach starts next week in Missouri. For some of the background, see previous coverage on this site: Missouri law firm sued by insurer for not disclosing 2016 hack by thedarkoverlord. Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid [Complaint] Case number: 4:20-cv-00237-NKL Hiscox Insurance Company Inc. et al v. Warden Grier, LLP Docket on Court Listener

Canadian man linked to thedarkoverlord sentenced to federal prison for trafficking stolen identities on the dark web

ATLANTA – Slava Dmitriev has been sentenced for access device fraud in connection with his possession and sale of over seventeen hundred stolen identities on the dark web.  Dmitriev, a Canadian citizen, was arrested while on vacation in Greece in September 2020 and extradited to the United States in January 2021. “This defendant profited off buying and selling people’s stolen identities, including victims in this district,” said U.S. Attorney Kurt R. Erskine.  “As a result of the diligence of federal agents coupled with valuable cooperation of Greek law enforcement, Dmitriev was arrested, extradited, and is now sentenced to federal prison.” “Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, Acting Special Agent in Charge of FBI Atlanta.  “This sentence will serve as a reminder that the FBI will always work diligently with International Law Enforcement partners to bring justice to citizens who have been victimized.” According to U.S. Attorney Erskine, the charges and other information presented in court:  Dmitriev used the moniker “GoldenAce” to buy and sell stolen identities, including social security numbers, on the darknet marketplace AlphaBay.  From May 2016 through July 2017, Dmitriev sold 1,764 items on AlphaBay for approximately $100,000.  The vast majority of these items were stolen identities, including names, dates of birth, social security numbers, and other personally identifiable information.  There were at least five victims residing in the Northern District of Georgia. Dmitriev also collaborated with the cyber-extortionist group “the Dark Overlord” (“TDO”), including: On June 16, 2016, Dmitriev sent TDO access credentials for a New York dentist that Dmitriev had purchased on a criminal marketplace.  The dentist was subsequently breached and extorted by TDO. On July 11, 2016, Dmitriev received a spreadsheet from TDO containing approximately 200,000 stolen identities. On May 24, 2017, Dmitriev sold information stolen by TDO that contained the identity of a victim living in La Quinta, California. On September 8, 2020, Dmitriev was arrested while traveling in Greece.  The following day, Greek authorities executed a search warrant on the residence where Dmitriev was staying and located a computer containing emails discussing the buying and selling of identities and social security numbers, as well as a video about how to perpetrate identify theft. Slava Dmitriev, 29, of Vaughn, Ontario, Canada has been sentenced to three years in prison to be followed by three years of supervised release.  Dmitriev pleaded guilty on August 30, 2021 to the charge of fraud and related activity in connection with access devices. This case was investigated by the Federal Bureau of Investigation, with valuable assistance provided by the Hellenic (Greek National) Police, Naxos Public Prosecutor’s Office, and the Ministry of Justice Directorate of Special Legal Affairs. Assistant U.S. Attorneys Michael Herskowitz, Chief of the Cyber and Intellectual Property Crimes Section, and Nathan Kitchens, Chief of the Public Integrity and Special Matters Section, prosecuted the case.  Valuable assistance was also provided by the Department of Justice, Criminal Division, Computer Crimes and Intellectual Property Section and Office of International Affairs. Source: U.S. Attorney’s Office, Northern District of Georgia Update:  As I tweeted yesterday, Dmitriev’s aka’s, according to his court records, included: Stunna Stunna Slavz Stunnaslavzzz Stunnaslavzz Slavaeurod Salvo Dimtro GoldenAce Tehroyale As also tweeted yesterday, this threat actor was never on my radar at all as part of my reporting and investigating thedarkoverlord. And apparently, Vinny Troia never knew about him, either, as he also said this person was unknown to him.

Member of thedarkoverlord sentenced to 60 months and $1.4 million in restitution

The first — and so far, only — person to have been arrested and charged as a member of “thedarkoverlord” pleaded guilty today in federal court in Missouri. Nathan Francis Wyatt, 39, of Wellingborough, Northamptonshire in the U.K. was sentenced by Judge Judge Ronnie L. White to 60 months in prison and almost $1.5 million in restitution. Wyatt, who used screen names including “Crafty Cockney” and “Mas,” had been indicted by a grand jury in November, 2017, and charged for his role in thedarkoverlord attacks against five victim entities in Missouri and Atlanta. The indictment had contained 6 counts: 1 count of conspiracy, 2 counts of aggravated identity theft, and 3 counts of threatening to damage a protected computer.  Wyatt was extradited to the U.S. in December, 2019, and had been in custody since then in the St. Charles jail. Most of the government’s evidence against Wyatt came from Wyatt himself — he opened a PayPal account, registered a phone account, a Gmail account, a Twitter account, and a virtual private network that were all used as part of the scheme to hack and extort victims — and he created them all using information that led straight back to him. The government was represented by Gwendolyn Eleanor Carroll of the U.S. Attorney’s Office in St. Louis and Laura Kathleen Bernstein of the U.S. Department of Justice Criminal Division. Some of the evidence against Wyatt has been documented in extensive previous coverage of him by this site, but some of the evidence had been under seal, including some very threatening messages TDO sent to victims in this case. While the public was already aware that thedarkoverlord often researched their victims and would refer to their family members in ways that suggested future harassment or harm, the government’s filing contained examples not previously revealed. From the presentencing filing: …. one ransom demand, which is redacted here, threatened, “[w]e imagine that the same, careful, delicate care you give your patients, you also give your beautiful wife. What was her name? S******? S.M.V. (***-**-****)? Let’s hope that she stays beautiful and that nothing unfortunate happens to her. Who knows? It’s bound to happen with you leaving her alone all the time over there on [address] (Parcel ID **-**-**-**-***-****.**). We heard that it is for sale and maybe we will check it out sometime.” Gov’t Sealed Exhibit A. The letter went on to list details about the owner’s children, and even included threats to the owner’s parents: “[y]our elderly parents do not need this sort of stress in their golden years. What were their names again?,” and then listed the full names and social security numbers of the victim’s parents. PSR ¶ 23; Gov’t Sealed Exhibit A. In another example cited by the government, the daughter of one of the victims was on the receiving end of frightening communications that used a telephone account registered by Wyatt: hi [K] you look peaceful….by the way did your daddy tell you he refused to pay us when we stole his company 4 days we will be releasing for sale thousands of patient info. including yours… 19 in febuary?…weve all had a look and we all think your hot. soon some really evil men will be looking at you..possibly thru your window. your father is also looking at multiple say good bye to the house.. all bcs daddy wouldnt pay a much smaller sum to make all this go away. Daddys fucked you [K]….And incest is a crime… sweetdreams  Gov’t Sealed Exhibit C. Note that the government did not claim that Wyatt wrote or transmitted all of the threats. But he was charged with being part of the conspiracy that did engage in those behaviors and a phone used in the conspiracy was registered in his name. Wyatt pleaded guilty to the one count of conspiracy in exchange for the government dropping the other five counts of aggravated identity theft and fraud activity connected to computers.  He was represented by Brocca L. Morrison and Rachel Marissa Korenblat of the federal public defender’s office. Throughout most of the hearing, which was held by Zoom conference because of the pandemic, Wyatt confined himself to quietly answering, “Yes, Your Honor,” or “No, Your Honor” when the judge would ask him questions. After accepting Wyatt’s guilty plea, both the defense and prosecution made statements about sentencing recommendations, having previously agreed on the guidelines’ application to the case. Wyatt’s counsel noted that they couldn’t really contact much family because he had no family in the U.S., but his long-time partner had written a letter to the court describing Wyatt’s character as a loving father and devoted partner. The defense also noted how Wyatt had medical issues, and had only recently been diagnosed with Asperger’s Disorder. Prior to proper diagnosis, medication, and counseling, he had admittedly made bad decisions in a serious case.  As his lawyer noted, Wyatt was caught because he registered accounts in his own name. He was not a sophisticated criminal, while thedarkoverlord was a sophisticated criminal operation. According to his lawyer, Wyatt was not the person who orchestrated TDO.  He had great remorse and shame for what he had done, but especially for what he had done to his family who he had “left in the lurch.” When given an opportunity to speak, Wyatt struggled to compose himself. He admitted that he had mental problems that had led to bad decisions, but now that he was medicated, he was beginning to recognize when he was experiencing mania. But more than anything, he just wanted to go home to his family and never see another computer ever again. Judge White imposed a sentence of 60 months. The judge did not seem swayed by defense counsel’s argument that most defendants get measures like half-way houses or incentive programs that reduce their total time in jail, and that Wyatt would wind up serving at least 85% of his sentence. Wyatt was also sentenced to $1,467,048.07 in restitution: Athens Orthopedic: $877,585.00 Midwest […]

One down: Nathan Wyatt of thedarkoverlord agrees to plead guilty

A U.K. man extradited to the U.S. in December to stand trial for his role in thedarkoverlord (TDO) has agreed to plea guilty to resolve all charges against him. Nathan Francis Wyatt, also known as “Crafty Cockney,” has agreed to plead guilty to charges stemming from his role in some of thedarkoverlord’s attacks on entities in Missouri and Georgia in 2016. The attacks on medical entities shocked the public because the attackers named and shamed their victims and started dumping patient data if the victims did not pay their extortion demands, which were often in the range of hundreds of thousands of dollars. TDO’s tactics also included calling the victim entities or their family members on the phone or sending them aggressive or crude messages. From the description in court filings, the federal charges against Wyatt stemmed from his alleged roles in attacks against Athens Orthopedic Clinic in Atlanta, Midwest Pain  & Spine in Missouri,  Prosthetic & Orthotic Care in Missouri, Quest Health Information Management Solutions, and one entity not related to healthcare. None of the victims were named in court filings and the preceding attributions are based on this site’s knowledge of TDO’s attacks and the court’s description of the victims. On May 20, Wyatt’s trial, which had been scheduled to begin June 15, had been delayed to September 21 due to the pandemic. The court noted that holding the trial in June would endanger the public and make it difficult to assemble a fair cross-section of citizens to serve on the jury. Yesterday, however, both his counsel and the government filed a joint motion with the court requesting a consolidated plea and sentencing hearing. Wyatt is represented by a federal public defender, Brocca Morrison. The government is represented by Senior Counsel Laura Kate-Bernstein, Jeffrey B. Jensen, United States Attorney for the Eastern District of Missouri, and Gwendolyn E. Carroll of the Eastern District of Missouri. As detailed in previous coverage on this site, Wyatt had been charged with: One count of conspiracy against the U.S. (18 USC 371 ) Two counts of aggravated identity theft (18 USC 1028); and Three counts of threatening damage to a protected computer (18 USC 1030) He was not charged with actual hacking. The agreed-upon but not yet disclosed guilty plea comes as no surprise because the amount of evidence the prosecution had amassed was somewhat staggering. That said, this site and blogger have disputed any claim that Wyatt was ever the leader of thedarkoverlord in 2016 or 2017, but it was clear from my interviews and chats with him that he had been involved in assisting  or conspiring with one other person in a number of ways. The plea and sentencing hearing will not take place for at least 90 days. Wyatt is the first person to have been publicly identified as arrested and charged for participation in TDO crimes. He had claimed in the past to know the real identity of the young person that he referred to as “Dark” but that claim may have been part of a scam that he was trying to run. Wyatt reportedly later told someone else that he didn’t know the other’s real identity.    

Criminal trial of alleged member of thedarkoverlord scheduled for June

There’s a small update in the proceedings involving Nathan Wyatt, aka “Crafty Cockney,” the U.K. national who has been charged in the Eastern District of Missouri for his alleged role in hacks and extortion attempts by thedarkoverlord (TDO).  Wyatt had been charged in a sealed indictment back in 2017, and was arrested in the U.K. after serving jail time there for crimes that included hacking and attempting to extort a law firm as “thedarkoverlords.” The U.S.’s extradition request was granted, and Wyatt has been in custody in the U.S. since December, 2019.  In January, he pleaded not guilty to one count of conspiracy to blackmail healthcare providers, two counts of aggravated identity theft, and three counts of threatening damage to a protected computer.involving conspiracy and extortion. On April 20, Wyatt’s attorney notified the court that he was waiving his right to file any pre-trial motions.  With that no longer an issue, the court went ahead and scheduled Wyatt’s trial for June 15 before Honorable Ronnie L. White, United States District Judge. Whether this case actually goes to trial or Wyatt makes a plea deal remains to be seen. He can request a plea hearing any time before the June 15 trial date. This site has reported on Wyatt numerous times. You can find previous coverage by searching this site for “Crafty Cockney.” Additional coverage of TDO can be found by searching this site for “thedarkoverlord.”  

Missouri law firm sued by insurer for not disclosing 2016 hack by thedarkoverlord

For the past few years, this site has covered litigation against Athens Orthopedic Clinic in Georgia related to their hack by thedarkoverlord in 2016. The lawsuit against the clinic, filed by a patient, made it all the way to the Georgia Supreme Court on the issue of whether under Georgia state law, the plaintiff had shown enough harm to survive a motion to dismiss. The state’s highest court agreed with the plaintiff on appeal, and the case has been remanded. And while that case may be costly for the clinic, that hack may also be costly for an alleged member of thedarkoverlord (TDO) who was extradited to the U.S. to stand trial for his alleged role in hacks in Missouri and Atlanta — including, it appears, the Athens Orthopedic Clinic hack (although the court filings do not name the victim entities). According to the federal complaint against him, Nathan Wyatt, aka “Crafty Cockney” and “Mas Mas,” allegedly set up accounts that were used as part of TDO’s hacking and extortion operations, and he allegedly called a victim and threatened him in rap as to what would happen if the victim didn’t pay up. But the Athens Orthopedic Clinic hack may not be the only TDO hack Wyatt was allegedly involved in that has resulted in litigation.  Regular readers may recall that in 2018, TDO started leaking what they claimed were hacked files related to 9/11.  Those files came from a law firm used by insurer Hiscox. Hiscox informed this site that they had learned of the breach in April 2018, but Hiscox’s statement to this site did not reveal that the unnamed law firm was hacked in December 2016. This week, Hiscox filed suit against the Missouri-based law firm, Worden Grier, LLP.  The suit was first reported by In the complaint, the insurer alleges that: 11. On or around December 2016, an international hacker organization known as “The Dark Overlord” (“Hackers”) gained unauthorized access to Warden Grier’s computer system containing all of the sensitive information, including PI, stored on Warden Grier’s servers (the “2016 Data Breach”). 12. On information and belief, Hiscox understands that Warden Grier contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 Data Breach or, if it did, has refused to provide Hiscox with the findings of any such investigation. 13. Despite being aware of the 2016 Data Breach, Warden Grier actively concealed or otherwise did not notify Hiscox or Hiscox’s insureds—all of whom were Warden Grier’s clients—of the 2016 Data Breach. Hiscox claims that they became aware of the breach on March 28, 2018, when some of the data appeared on the dark web. When they investigated by contacting Warden Grier, they learned that Warden Grier had not only failed to inform them, but they had not informed any of Hiscox’s clients.  According to the complaint, Warden Grier paid TDO ransom or other demand to protect its and its clients’ personal information from dissemination.  [ notes that this would not be the first time that TDO was paid ransom and then disclosed data anyway. TDO occasionally claimed that a victim had violated some provision of their agreement, thereby justifying their actions in either dumping data or demanding further payment.] In any event, the Hiscox lawsuit is interesting because in December 2016, law enforcement in the U.K. charged Nathan Wyatt with a number of crimes, including hacking an unnamed law firm and trying to extort it.  Wyatt pleaded guilty to all charges and was jailed. So was that law firm Warden Grier?  If so, then Wyatt may have already served time for that hack in a U.K. jail. Or was this yet another law firm? has been unable to reach Warden Grier yet, but has sent an inquiry to Hiscox’s law firm in the suit and will update this post if more information becomes available.  

Don’t expect a speedy trial date in the case of the alleged member of thedarkoverlord continues to monitor the court docket in the case of Nathan Wyatt, aka “Crafty Cockney,” an alleged member of thedarkoverlord.  As I’ve reported previously, Wyatt, a U.K. citizen who was extradited to the U.S. to stand trial here, is not charged with actually hacking any of the victim entities in a case filed in the Eastern District of Missouri. He is charged with one count of conspiracy, two counts of aggravated identity theft, and three counts of threats to damage protected computers. Not surprisingly, the court has given both the government and defense more time because Wyatt’s case is considered a “complex case.” To give you an idea of how complex this case is,  a government motion for findings of fact and a proposed scheduling order was filed on January 6, 2020.  That motion states, in part: Evidence and materials collected during the course of the investigation are voluminous in that the investigation took place over a number of years and involved a multiple Federal Bureau of Investigation Field Offices as well as evidence obtained from foreign countries through the use of Mutual Legal Assistance Treaties. A number of different law enforcement agencies from multiple foreign countries have played a role in this investigation. Discovery in this matter will likely be a lengthy and on-going process. Discovery in the case includes hundreds of thousands of pages of documents, records obtained by grand jury subpoenas, search warrants, court orders, pen registers, and mutual legal assistance treaty requests. Additionally, the investigation involved the seizure and forensic examination of several electronic devices. Much of the material obtained contains sensitive medical records and other personally identifying information of victims. Discoverable materials include, but are not limited to: (a) court-authorized search warrants, (b) court-authorized orders issued pursuant to Title 18, United States Code, Section 2703(d), (c) court-authorized orders issued pursuant to Title 18, United States Code, Section 3121, (d) documents and records containing sensitive information provided by victims, (e) mutual legal assistance treaty requests, (f) reports and memoranda related to multiple law enforcement agencies and interviews, and (g) forensically examined electronic devices. That’s a lot of data and evidence to sift through and process. Wyatt’s defense counsel joined the government in the request to have this declared a complex case and to allow more time for discovery in the interests of justice.  The court issued the order, as well as a protective order that limits the distribution of materials shared with the defense during discovery. The protective order does not impact court records that are public records, but will impact materials that might include personally identifiable information, protected health information, or other sensitive information. The next court date is February 21 and is an attorneys-only conference to update the court on discovery progress.

What OPSEC? Member of “thedarkoverlord” allegedly used his personal details to set up hacking and extortion-related accounts.

In what seems like a mind-boggling OPSEC #FAIL, a U.K. man associated with thedarkoverlord allegedly used his real details to create bank accounts as well as to open email accounts, phone numbers, vpn, Twitter, and PayPal accounts that thedarkoverlord used as part of its operations to hack and extort victims. For a group that signed their pastes and extortion demands as a “Professional Adversary,” the revelations should be embarrassing, to say the least. But embarrassment may be the least of their problems. Now that Nathan Wyatt is in custody in the U.S. awaiting trial for his alleged role, will he roll on others to get himself a deal? In June, 2016, an individual or group calling themself “thedarkoverlord” (TDO) announced that they/he had hacked three patient databases and put them up for sale on a dark web marketplace. Since that time, this site has reported on TDO’s criminal activities dozens of times, but even the many hacks this site has covered represent only a small fraction of TDO’s actual criminal operations. The scope of their attacks often tends to get lost in mainstream media coverage that tends to only point out hacks involving Orange is the New Black, celebrity patients, or well-known corporations like Gorilla Glue. But TDO has hit numerous big and small businesses, school districts, universities, and big and small medical entities.  And over the past few years, those of us who have watched them have seen them grow increasingly aggressive and violent in their imagery and threats. But then things seemed to suddenly stop. In early 2019,  KickAss Forum shuttered. Without that forum to post their offerings and banned from most social media platforms they had been using to try to sell hacked files, TDO disappeared from public view. They haven’t responded to emails I have sent to their email account for journalists, and they didn’t re-emerge on New Year’s Eve with a major hack announcement as they have done in past years. So where’s TDO?  Are they in custody or have they gone to ground because one of their alleged members, Nathan Wyatt, is now in U.S. custody awaiting trial?  Have they continued hacking entities? Or are they just relaxing somewhere enjoying retirement? Significantly, perhaps, their disappearance from public view roughly corresponds with Wyatt losing his appeal of a ruling ordering his extradition to the U.S. Either way, for a criminal operation that often tried to portray itself as a polished and professional adversary, Nathan Wyatt is not a good look for them. Who is Wyatt? Nathan Francis Wyatt, 39, is an unemployed U.K. national who lives in Wellingborough with his fiancee, Kelly Howell, and some of their children. He  and his fiancee live off the welfare benefits they receive from the government. Wyatt has acknowledged that he has supplemented those benefits with illegal online activities. Unless there’s some plea deal worked out, Wyatt will be tried in federal court in St. Louis for his alleged role in some of the early TDO hacks and extortion attempts in Missouri, Illinois, and Georgia. The indictment can be found here. Wyatt faces trial here on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. Although DOJ did not name the victim entities in their court filings, I have identified the victim entities (with one possible exception)  based on DOJ’s descriptions,  my previous detailed reporting on the breaches, and the fact that some of the evidence DOJ provides in the affidavit exactly matches files that had been given to me by TDO for those victims. Wyatt, whose online nicks include “Crafty Cockney,” “Hardcore,” and “Mas,” pleaded not guilty in his first appearance in federal court in December after losing his attempt to prevent extradition. OPSEC? What OPSEC? Anyone reading the affidavit supporting the government’s extradition request may understandably conclude that Wyatt should try try make a plea deal. There appears to be a tremendous amount of compelling evidence supporting the charges, although of course, those are just allegations that need to be proved in court. But then also remember that DOJ did not show all its evidence in the affidavit. They likely withheld what they consider to be other damning evidence that they will present at a later date or use to persuade Wyatt to plead guilty. Actually, if you read the affidavit, you may well wonder what on earth Wyatt could possibly have been thinking when he allegedly used his own personal details to open email, phone, PayPal, and bank accounts that were used for criminal purposes.*   Did Wyatt’s alleged co-conspirators have any idea how casual and negligent he was about OPSEC or did they know what he was doing? From statements made to me by TDO in September 2016, they had no idea that “Crafty Cockney’s” real name was Nathan Wyatt and so when they saw the bank accounts he had set up, they did not know it was his real name and his fiancee’s real name and their real addresses.  Whether TDO was telling me the truth in disclaiming any previous knowledge of Wyatt’s identity remains to be determined. Wyatt was no stranger to crime The current charges represent only a small part of Wyatt’s alleged criminal activity over the past 3 years.** Charges against him in 2016 for his role in selling hacked photos of Pippa Middleton were dropped and he never served any time for his role in that case. Those close to that situation believe that the charges were dropped to spare Middleton the stress of a court case and not for lack of evidence. Both The Sun and this blogger had quite a bit of evidence showing Wyatt’s involvement in the attempted sale of the photos. But while Wyatt seemed to have caught a break in the Pippa Middleton case, he wound up arrested again months later because in the process of investigating the Middleton matter, prosecutors found evidence of other crimes on his devices. As a result of their discovery and […]

Nathan Wyatt, aka “Crafty Cockney” of thedarkoverlord, now on U.S. soil to stand trial in St. Louis

I’ve reported on Nathan Wyatt a number of times, including the extradition request by the U.S., his appeal,  and his failure to win his appeal of the extradition order.  So we knew this was coming, but let’s start with a recap of the charges he’s facing: One count of conspiracy against the U.S. (18 USC 371 ) Two counts of aggravated identity theft (18 USC 1028) Three counts of threatening damage to a protected computer (18 USC 1030) From the DOJ’s press release of today: MEMBER OF “THE DARK OVERLORD” HACKING GROUP EXTRADITED FROM UNITED KINGDOM TO FACE CHARGES IN ST. LOUIS Defendant Conspired to Steal Sensitive Personally Identifying Information from Victim Companies and Release those Records on Criminal Marketplaces unless Victims Paid Bitcoin Ransoms WASHINGTON – A United Kingdom national appeared today in federal court on charges of aggravated identity theft, threatening to damage a protected computer, and conspiring to commit those and other computer fraud offenses, related to his role in a computer hacking collective known as “The Dark Overlord,” which targeted victims in the St. Louis, Missouri, area beginning in 2016. Nathan Wyatt, 39, was extradited from the United Kingdom to the Eastern District of Missouri and arraigned on Dec. 18 before U.S. Magistrate Judge Shirley Padmore Mensah. He pleaded not guilty and was detained pending further proceedings. A federal grand jury indicted Wyatt on Nov. 8, 2017. According to court records, beginning in 2016, Wyatt was a member of The Dark Overlord, a hacking group that was responsible for remotely accessing the computer networks of multiple U.S. companies without authorization, obtaining sensitive records and information from those companies, and then threatening to release the companies’ stolen data unless the companies paid a ransom in bitcoin. Victims in the Eastern District of Missouri included healthcare providers, accounting firms, and others. Among other things, Wyatt is alleged to have participated in the conspiracy by creating email and phone accounts that he used to send threatening and extortionate emails and text messages to certain victims, including victims in the Eastern District of Missouri. ….  The investigation was conducted by the FBI’s St. Louis Field Office. The FBI’s Atlanta Field Office also provided support. The Criminal Division’s Office of International Affairs coordinated the extradition of Wyatt. The department thanks law enforcement and international cooperation authorities in the United Kingdom for their substantial assistance in the investigation. Senior Counsel Laura-Kate Bernstein of the Criminal Division’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorneys Gwendolyn Carroll and Matthew Drake of the Eastern District of Missouri are prosecuting the case. The details contained in the charging document are allegations. The defendant is presumed innocent until proven guilty beyond a reasonable doubt in a court of law. Related:  In a previous post, I have named the victim entities based on the indictment’s description of them and my previous extensive reporting on thedarkoverlord. Related: the Indictment:  

“Crafty Cockney” loses extradition appeal; closer to standing trial in U.S. for alleged role in “thedarkoverlord” attacks

Nathan Wyatt, the 38 year-old U.K. resident known as “Crafty Cockney” on AlphaBay market, has lost his bid to convince the High Court to overturn a lower court’s ruling that he should be extradited to the U.S. Today’s ruling means that Wyatt is one step closer to being extradited to stand trial in federal court in the Eastern District of Missouri on charges related to some of the earlier hacks and extortion attempts by thedarkoverlord (TDO). Wyatt was indicted on November 8, 2017 on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. has previously hypothesized the identities of the victim medical practices described in the indictment. The High Court’s ruling, issued this morning, began with a recap of the sole issue before the court at this point: The Government of the United States seeks the extradition of the appellant on charges relating to computer hacking with associated demands for money and the dissemination on the internet of personal medical records. On 25 January 2019 District Judge Tempia sent the appellant’s case to the Secretary of State who subsequently ordered his extradition. The sole issue before the judge was whether the forum bar to extradition found in section 83A of the Extradition Act 2003 [“the 2003 Act”] should operate to prevent extradition on the basis that the interests of justice, as defined in that section, favoured prosecution in this jurisdiction. The judge examined each of the statutory factors that inform that question. She concluded that it was in the interests of justice for the appellant to be extradited for trial in the United States. This is his appeal against the decision to send the case to the Secretary of State. Wyatt’s alleged crimes and the extradition case have been covered in previous posts on this site, but they are also explained in the background section of the court’s ruling. It is not clear from the U.S. Department of Justice’s filings whether the DOJ believes that Wyatt is the individual who was the spokesperson for thedarkoverlord (TDO) in 2016 and 2017,  or if they believe he was the mastermind behind TDO, or if they believe he was just a member or associate. There were no other suspects named in the DOJ’s filings, although they noted that there were ongoing investigations into others. Significantly, Wyatt was not charged with actually hacking any entity. Was Wyatt really intimately involved in all of TDO’s early hacks and extortion attempts as DOJ alleges?  That will be for a trial court to determine. In the immediate future, though, Wyatt and his solicitors have a decision to make.  If I understand their processes in the U.K., Wyatt now has 14 days to apply to the High Court for permission to appeal to the U.K.’s Supreme Court. If the High Court refuses his application to appeal — or if he makes no application at all — then he will be extradited within 28 days of the end of the 14 day period. But while Wyatt can apply for leave to appeal, my understanding is that at this point, Wyatt’s basis for any further appeal is extremely limited as he can only seek permission to appeal on a point of law. reached out to the Department of Justice International Affairs office, Tuckers Solicitors (Wyatt’s solicitors), and Wyatt’s partner/fiancee for comments on today’s ruling, but received no immediate replies. This post may be updated if comments are received. Update: A spokesperson for DOJ responded that as a matter of longstanding policy, DOJ generally does not comment on extradition-related matters until a defendant is in the United States.