Feb 15, 2019

Yet another healthcare provider has revealed that they were hacked by thedarkoverlord (TDO).  Dr. Robert Spies, a plastic surgeon in Scottsdale, Arizona, has notified HHS and his patients of the hackers’ attempt to extort the practice.

Although he does not name the hackers responsible in a notice on his web site, Dr. Spies explains:

On December 10, 2018, we became aware cyber criminals gained unauthorized access to our computer network. We immediately contacted the FBI and local law enforcement authorities and have been cooperating with their investigations. We also engaged computer experts to determine if our systems and information were at risk. The investigation determined that the criminals could have viewed or accessed documents that contained patients’ personal and medical information, including names, addresses, dates of birth, procedure notes, diagnoses, medications and health insurance numbers. For a small handful of patients, the criminals could have viewed Social Security, driver’s license and/or passport numbers, if provided for verification purposes, a credit card number or financial account number, or pre-op photos. At this time, there is no evidence that patient information has been misused.

His report is entirely consistent with other information DataBreaches.net had obtained about this incident. In December, thedarkoverlord had posted a notice on KickAss that said:

We’ve hacked a high-end plastic surgery business located in Arizona, United States. This surgery center is owned by Doctor Robert J. Spies and operates on celebrity patients. His website is (www.azplasticsurgerycenter.com). We’ll share some of his data with you, since he’s refused our most handsome business proposition.

Link: (link redacted by DataBreaches.net, even though it is no longer live).

If you’d like to let him know how foolish he’s been, you can SMS his mobile at (redacted by DataBreaches.net) or his e-mail at (redacted by DataBreaches.net).

The sample data was a 531.8 MB archive with folders containing “Dictations” (75 files), “Photos” (more than 160 photos), and “Patient ID Verification” (4 files). The Dictations folder and Photos folder contained more than one file or image for some patients, so these were not all unique patients in each folder.

Many of the photos in the archive released by the hackers would permit identification of patients because in some cases, you can see the patients’ faces, and in other cases, the filenames for the photos may contain the patient’s first initial and last name.

DataBreaches.net is not reproducing any of the data from the archive the hackers provided.

Inspection of the metadata suggests that the newest dictation files were created December 5, 2018 and related to services or consultations conducted on November 28, 2018.
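The kind of triage described above (file counts per folder, newest timestamps, and whether filenames alone would identify patients) can be done without ever reproducing the leaked contents. The following is an added example written for this page, not DataBreaches.net's own tooling: it builds a small constructed ZIP in memory that mimics the folder layout the post describes, then reports only aggregate facts. The folder names are taken from the post; the member filenames, timestamps and the initial-plus-surname regex heuristic are assumptions for illustration.

```python
"""Triage a leaked sample archive without reproducing its contents.

Added example, not the site's own code. The archive is constructed here
(dummy bytes) to stand in for the 531.8 MB sample; only aggregate facts
are emitted: files per folder, newest member timestamp per folder, and
how many filenames look like they embed a patient name.
"""
import io
import re
import zipfile
from collections import defaultdict
from datetime import datetime

# Heuristic (assumption): a leading initial followed by a capitalised
# surname, e.g. "JSmith_preop.jpg". Camera-style names like "IMG_0341.jpg"
# and generic names like "note_0412.doc" do not match.
NAME_IN_FILENAME = re.compile(r"^[A-Z][A-Z][a-z]{2,}[_\-.]")


def build_sample_archive() -> bytes:
    """Constructed stand-in for the hackers' sample; contents are placeholders."""
    members = [
        ("Dictations/JSmith_2018-11-28.doc", (2018, 12, 5, 9, 14, 0)),
        ("Dictations/JSmith_2018-10-02.doc", (2018, 10, 3, 11, 0, 0)),
        ("Dictations/note_0412.doc", (2018, 11, 30, 16, 5, 0)),
        ("Photos/RJones_preop.jpg", (2018, 11, 20, 8, 0, 0)),
        ("Photos/RJones_postop.jpg", (2018, 12, 1, 8, 0, 0)),
        ("Photos/IMG_0341.jpg", (2018, 9, 12, 14, 30, 0)),
        ("Patient ID Verification/scan_001.pdf", (2018, 7, 1, 10, 0, 0)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, stamp in members:
            # ZipInfo lets us set the member's modification timestamp,
            # which is the metadata an investigator inspects.
            info = zipfile.ZipInfo(name, date_time=stamp)
            zf.writestr(info, b"placeholder")
    return buf.getvalue()


def triage(archive_bytes: bytes) -> dict:
    """Per-folder file count, newest timestamp and name-like filename count."""
    report = defaultdict(lambda: {"files": 0, "newest": None, "name_like": 0})
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, fname = info.filename.rpartition("/")
            entry = report[folder or "(root)"]
            entry["files"] += 1
            stamp = datetime(*info.date_time)
            if entry["newest"] is None or stamp > entry["newest"]:
                entry["newest"] = stamp
            if NAME_IN_FILENAME.match(fname):
                entry["name_like"] += 1
    return dict(report)


def summarize(report: dict) -> list:
    """Aggregate-only lines that are safe to publish: no filenames, no contents."""
    lines = []
    for folder in sorted(report):
        e = report[folder]
        lines.append(
            f"{folder}: {e['files']} files, newest {e['newest']:%Y-%m-%d}, "
            f"{e['name_like']} filename(s) that look like a patient name"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(triage(build_sample_archive())):
        print(line)
```

Run against a real sample, the summary is what a reporter or incident responder can publish or hand to law enforcement; the member list itself stays on disk. Note that ZIP timestamps are set by whoever created the archive and have two-second granularity, so they support a "no newer than" inference about when the data was taken, not proof of when the intrusion began.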

As with their hack of the London Bridge Plastic Surgery Center, TDO may have hoped that people — especially celebrities — would pay good money not to have their before, during, or after pictures of plastic surgery released publicly. Whether TDO is privately trying to extort patients directly is unknown to this site, but Dr. Spies seems to have refused to pay them, and has reported the incident to law enforcement, HHS, and his patients. According to his notification to HHS, he has notified 5,524 patients.

 

 

Feb 13, 2019

Nicole Rekant and Stevan Pardo write:

The proliferation of data breach cases in Florida courts has focused on Article III standing. To meet the pleading standard under Article III, a plaintiff must allege sufficient facts to show the injury-in-fact is concrete, particularized, actual, and imminent, not conjectural or hypothetical. An allegation of imminent injury may suffice if the threatened injury is “certainly impending” or there is a “substantial risk” harm will occur, as in Clapper v. Amnesty International USA, 568 U.S. 398, 414 n.5 (2013). The injury alleged also must be “fairly traceable to the challenged action of the defendant,” see Resnick v. AvMed, 693 F. 3d 1317 (11th Cir. 2012). A showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement under Resnick. However, allegations of possible future injury are not sufficient. Eleventh Circuit data breach cases such as Resnick established the legal principle that a plaintiff who alleges only speculative, not actual, identity theft will not have standing.

For those who didn’t know this already, one of thedarkoverlord’s hacks wound up in court with an opinion unfavorable to plaintiffs on Article III standing:

Florida cases continue to maintain this threshold for standing. In Stapleton on behalf of C.P. v. Tampa Bay Surgery Center, 2017 WL 3732102 (M.D. Fla. Aug. 30, 2017), a hacker breached a surgery center’s database and published 142,000 patients’ sensitive information online. The plaintiffs did not allege that any of the sensitive information was used. Instead, they alleged they were at an increased risk of having their identity stolen and were forced to incur credit monitoring/identity theft protection costs. After the data breach, the center provided free identity protection services to the plaintiffs and other potentially affected patients.

The court found that the plaintiffs’ allegations were insufficient to show an injury was certainly impending or that they had a substantial risk of imminent injury. First, the plaintiffs were unable to identify a single patient whose sensitive information was misused as a result of the data breach. Second, the center lessened the plaintiffs’ risks of imminent injury by providing free credit monitoring to all potentially affected persons. Third, the court concluded that the plaintiffs’ allegations relied on a chain of inferences that were too attenuated to constitute imminent harm. The plaintiffs asked the court to find that their sensitive information was viewed online, that someone downloaded that information and would use it, and that the center’s protections would not prevent the misuse. The court did not find an injury was impending and dismissed the amended complaint.

Maybe I should go back and take a closer look at that case. Did the court know that the database had been dumped by the hackers, so that it was possibly in many people’s hands? Would that increase the risk of imminent injury? As I reported on May 4, 2017 when the hackers publicly dumped the database and tweeted a link to it:

The .csv-formatted database contains more than 142,000 patient records. And yes, date of birth and SSN were in plain text. There did not appear to be any health insurance information in this particular database.

So the entity provided credit monitoring services? So what if they did? With all that personal information in plain text and available for download, nothing stops criminals or bad actors from sitting on the information until the year is over and then starting to misuse it. But of course, the defense would argue that that is not “imminent” injury, and hence, there is no Article III standing.

Somehow this system continues to not work well for consumers. And somehow, Congress, in its perpetual ineffective dysglory, continues to not address the concerns.

Read more on Daily Business Review.

Feb 10, 2019

Remember when it seemed like every day we were reading about ID theft and tax refund fraud schemes involving rogue employees of tax preparation firms?

Yeah, well it’s still a thing. Here’s a story about a former rogue employee at Jackson Hewitt in McKinney, Texas. If you or someone you know may have used that firm’s branch or a Jackson Hewitt office in north Texas, you should check your credit report and take steps to protect yourself.

And in other unsettling news involving a Texas tax preparer, on August 2, 2018, thedarkoverlord tweeted that they had hacked a Hurst, Texas firm called CB Tax Service. But they hadn’t hacked that firm at all, as I realized when I started investigating a sample of data the hacker(s) had provided to this site.

This site’s investigation indicated that the firm that they did hack was a firm with a similar name, C & B Tax Preparation. That firm, owned by one Wynora Johnson, had and has an address in Dallas. But a number of attempts to reach Ms. Johnson by phone failed — numbers were disconnected and the one working number was answered by someone who said she knew nothing about Ms. Johnson or that business.

So if you were a customer of C & B Tax Preparation in Dallas, you would be prudent to assume that thedarkoverlord is in possession of any personal and financial information you shared with that tax preparer. And you would be prudent to assume that if thedarkoverlord failed to successfully extort the firm (and for now, I will assume that they failed because they didn’t even have the right victim identified), then your personal and financial data may be up for sale on the dark web at some point. The sample data they sent me included a number of image files as well as copies of completed tax-related forms and bank information. The image files include images of people’s driver’s licenses with name, address, DOB, and picture, as well as images of their and their dependents’ Social Security cards.

DataBreaches.net did alert law enforcement in Dallas about the incident in the hopes that they would be able to notify the business or its owner. This site never received any follow-up, though, as to whether the business or its owner was ever reached — or, even more importantly — whether the business’s customers have been contacted and notified that their information is in the hands of thedarkoverlord. So if you know someone who used that service, you might want to encourage them to monitor their credit report and take steps to protect themselves.

Jan 10, 2019

Now THIS is very big news on thedarkoverlord front:

Joseph Curtis reports that Nathan Wyatt, who was jailed on fraud charges in the U.K. but has been released from prison there, is now fighting extradition to the U.S. on charges he was involved with hacking and extorting U.S. medical entities as part of thedarkoverlord.

Nathan Wyatt, aka “Crafty Cockney.” File photo.

This journalist had interviewed Wyatt exclusively prior to his first arrest in September 2016, on charges relating to the hack and attempted sale of pictures of Pippa Middleton. Wyatt was not jailed on those charges, however, and this journalist had been told by him that the royal family had intervened so as to avert a court case that might lead to the production of embarrassing photos. Whether that is true or not, this journalist cannot say, as lawyers for Wyatt did not respond to inquiries sent at the time.

But Wyatt had also talked extensively with DataBreaches.net about his relationship with thedarkoverlord, which included, he said, teaching thedarkoverlord fraud techniques, and being asked by TDO to make an extortion phone call to a U.S. victim. That call (you can hear it here) was recorded and uploaded to YouTube. Wyatt subsequently linked to it in a post on the now-shuttered AlphaBay dark web marketplace. At times, Wyatt claimed that he never actually made the call and that he just recorded it as a joke because TDO was pressuring him to do it. But if you listen to the recording, you can hear someone else at the beginning answering the phone.

When Wyatt was arrested in 2016 and his devices seized, police found evidence of other crimes, including a hack of an unnamed law firm and an attempt to extort the law firm. It was on those charges that he was ultimately tried and sentenced to prison for 3 years.

But law enforcement had also – according to Curtis’s reporting – found evidence that Wyatt had used his own details and his live-in partner’s details to set up bank accounts in the U.K. to funnel payments to thedarkoverlord from U.S. medical entities that TDO was attempting to extort at the time. In a copy/paste error by an associate of Wyatt’s, DataBreaches.net had accidentally been shown the bank account numbers in July 2016. At that time, however, DataBreaches.net did not know that “Nathan Wyatt” was the bad actor known to her as “Crafty Cockney.” And the TDO spokesperson at the time talked about Crafty Cockney as a low-level person or associate but not one of the core people in TDO. The new charges suggest that TDO may have been downplaying Wyatt’s role, and that Wyatt’s claims of tutoring TDO and assisting in other ways may have been more accurate.

So now Wyatt is reportedly fighting extradition to the U.S. According to Curtis’s reporting:

He has been charged with one count of conspiracy to blackmail healthcare providers in the USA, two counts of aggravated identity theft and three counts of threatening damage to a protected computer.

[…]

An arrest warrant was issued by the US district of Missouri on November 8th, 2017.

Curtis provides a lot of other details that will sound familiar to those who have followed my reporting on thedarkoverlord since 2016. The unnamed health records management firm referred to may be Quest Health Information Management Systems. I had reported how they had been hacked by TDO in 2016, which gave TDO login credentials to Quest’s clients, including medical entities in Missouri and Georgia.

The U.S. government likely has a lot of evidence against Wyatt, but for the benefit of readers who may be a bit confused by this new development, I will state here that Wyatt is almost certainly not the person who was the communicator for TDO back in June – July of 2016. How do I know that? Because I chatted with that individual while Wyatt was still being detained by law enforcement in the U.K. Then too, Wyatt’s writing, which I had ample opportunity to read in extended chats, was nowhere near the level of the individual who ran TDO’s Twitter account back then, who wrote the extortion demands and lengthy letters, and who communicated with journalists. Law enforcement may not have apprehended that first “TDO” yet.

Will Wyatt appeal to the U.K. to try him there for charges relating to hacking and extorting U.S. entities because he has three children there? Probably. But there are so many victims and witnesses in the U.S. and I doubt the U.K. will find him a sympathetic figure, even if he has children. Wyatt does not have the popular support of someone like Lauri Love.

As I frequently have to say when covering all things TDO: stay tuned.


Note: I do not know whether the law firm that Wyatt was convicted for hacking and extorting is the same law firm involved in the 9/11 files that thedarkoverlord has recently publicized and tried to sell. It wouldn’t surprise me if it was the same law firm, but I have no proof or information either way.

Jan 9, 2019

Updated: After this post was published, other information became available suggesting that law enforcement may not have taken down KickAss and that the seizure notice placed on that URL may have been placed either by KickAss or by some third party or parties. See updates at the bottom of this post. This is obviously a developing story. 🙂

After a few days in which thedarkoverlord did not appear in public, the criminal hackers reappeared today to release more files from 9/11.

In a post on Steem that is available via the busy.org frontend, they wrote, in part:

Hello, world. As you’re well-aware, we designed a compensation plan that would allow for the public crowd-funding of our organisation in order to permit the public disclosure of our “9/11 Papers” in the interest of the public. Part of this plan was to create a tiered escalation plan that would result in multiple layers and milestones (which we’re calling checkpoints) to ensure the powers that be are being properly bent over a barrel. We’ve said it before, and we’ll say it again: we’re financially motivated, and you (the public) have spoken to us in our language (internet money, specifically Bitcoin). Remember, continuing to fund our wallet will continue to keep us motivated to help break the truth to the world by open-sourcing what we’re calling the “9/11 Papers”. To create a bit more buzz, we’ve decided to continue forward and release the decryption key for Layer 2.

A quick skim of some Layer 2 files indicates that they contain a lot more of the litigation and subrogation files, but they are also starting to get into some other interesting reports relating to the FBI and CIA investigations.

Those who have followed actor James Woods’ activism and tweets on Twitter will likely be interested in a file that concerns him. In January 2002, a memo was created by Todd A. Scharnhorst of Blackwell Sanders Peper Martin that said:

As a clarification to a prior memo, James Woods, a Hollywood actor, was riding in First Class with four men of Middle-Eastern descent. He was on an American Airlines flight from Boston to Los Angeles. He thought the men were acting very suspiciously. None of them had anything to eat or drink, they did not read, sleep, nor did they appear to make themselves comfortable. They sat in their seats and stared straight ahead, occasionally “whispering something to one another with inaudible tones.” Woods thought the behavior was odd. He reported it to the flight attendants. He then reported it to the ground crew. Should this have put American Airlines on notice (should they have at least done some type of investigation into the four Middle-Eastern passengers)? As it turns out, it appears the four passengers were four of the hijackers who took over that same flight and crashed it into the World Trade Center. It appears James Woods witnessed a “dry run” of their terrorist takeover.

I need to find time to do more reading in this layer.

In the meantime, and in other news concerning thedarkoverlord, not only did they become the first entity ever banned from Steem (or so they tell me, but I’ve seen others who claimed to have been banned, too), but in a joint law enforcement operation, the KickAss forum where they were posting their offerings and other information appeared to have been seized today (see UPDATES).

The notice says:

THIS HIDDEN SITE HAS BEEN SEIZED

as part of a joint law enforcement operation by
the Federal Bureau of Investigation, ICE Homeland Security Investigations,
and European law enforcement agencies acting through Europol and Eurojust
in accordance with the law of European Union member states
and a protective order obtained by the United States Attorney’s Office for the Southern District of New York
in coordination with the U.S. Department of Justice’s Computer Crime & Intellectual Property Section
issued pursuant to
18 U.S.C. 983(j) by the
United States District Court for the Southern District of New York

So what hack or criminal activity did they allegedly conduct within the Southern District of New York? Was this a biomedical research firm? Was it Aesthetic Dentistry? Was it some victim that we may not even know about or that I’ve simply forgotten?

As Bits&Digits commented on Twitter, in noting the seizure of the forum:

And like that…. the forum that allegedly ran, is down and out. Now, this criminal organization has to make a choice to cut and run or play the gamble. Never a good sign to have your site seized, so much evidence.

So will they cut and run or will they play the gamble? Mainstream media has not been reporting on them for the most part, Twitter banned them, Steem banned them, and now the forum that was part of their communication strategy was seized. And the fact that it was seized by order of the Southern District of New York probably means that there is a sealed complaint, too. But all that said, I don’t think we’ve seen the last of them.

Update 1: AnonFiles, a file-sharing service that thedarkoverlord has used to share files from 9/11 and other hacks, is now down. Nathan Dimoff broke the news about AnonFiles on Twitter, and I just took a screenshot to confirm it:

 

Holy crap, Batman….. there are some serious efforts afoot to stop thedarkoverlord. Stay tuned…

Update 2: This is intriguing. AnonFiles is back up and Vinny Troia is claiming that the KickAss seizure notice is a fake and that KickAss just went private on another URL. Other sources tell me that the seizure notice does NOT appear to be by law enforcement, but that it may not have been posted by KickAss or TDO, either.

When asked about the current situation and risk to users of visiting either site, J. Tate from bits&digits told me,

“I wouldn’t trust anything whose integrity seems to be compromised, whether or not there is evidence to support the claims at this moment. All OPSEC engineers know that in these situations, with a multitude of symptoms, safer is to step back.”

So I won’t be going to AnonFiles any time soon… or that KickAss onion URL, I guess.