Dec 06, 2018

TheDarkOverlord is back on Twitter with a new account, and their first tweets give a hint as to why their @tdo_hackers account had been suspended. In two tweets posted overnight to @tdo_hack3rs, TDO writes:

Perhaps Twitter is most concerned with suspending us when we’ve not made any clear violations because 1/2

the FISA order we’re planning to release is one that the USA gov served to Twitter in an attempt to deploy a NIT against us. 2/2

This is not the first time TDO has mentioned a FISA order – or a NIT (network investigative technique) deployed against them. In November 2017, DataBreaches.net reported TDO’s claims, but at the time, they did not provide any details or specifics:

At this time, we’re only at liberty to disclose that in at least one case of a NIT usage, a widely used internet service, used by millions, was a witting accomplice in the NIT’s usage. We can confirm that this widely used internet service is under a legal order. We’ve solicited the assistance of a globally recognised and highly reputable cyber-security firm to further unravel the NITs. We believe these NITs are highly disruptive, and far too dangerous to be in the wild.

If they are now naming Twitter as that service and do release the FISA order, that would be something.

So far, they have not publicly revealed any details of the NIT, but perhaps they will.

Twitter did not immediately respond to a request for comment on the claims. This post will be updated if a response is received.

Update of December 7: It appears Twitter has suspended TDO’s new account, too, which is why the embedded tweets no longer show up in this article, although the text was quoted.

Dec 05, 2018

When TheDarkOverlord hacked Channel Ship Services, they not only acquired personal data that could be misused for fraud, but they also claim to have acquired information that could jeopardize maritime security.

According to Jersey-based Channel Ship Services’ website, CSS Limited provides highly qualified permanent and contract specialist personnel to the global offshore industry. Those personnel have recently had some of their personal data hacked by the hacker(s) known as TheDarkOverlord (TDO).

As anyone who has followed TheDarkOverlord’s criminal activities for the last 2+ years knows, TDO does not take kindly to having their “requests” ignored or refused. From the fact that this site is reporting on the breach, one can infer that CSS did not cooperate with TDO.

TDO did not provide DataBreaches.net with copies of any of the communications between them and CSS, so DataBreaches.net does not know the amount of any request TDO may have made, although a tweet on November 18 from TDO’s currently-suspended Twitter account suggested that a monetary request had, indeed, been made:

Tweet by @tdo_hackers to Christopher Inns and Kevin Gollop of Channel Ship Services, Nov. 18, 2018.

Although copies of communications were not provided to DataBreaches.net, TDO did provide this site with a small sample of the files they had acquired. Those files included seafarer agreements and contracts that would specify the contractor’s name, their passport number (in some cases), the wage rate that they would be paid, and other contractual provisions.

Other data acquired by TDO and provided to this site included a spreadsheet with client information, including the company name, and the name, email address, position, and telephone number of the contact person at the client’s company. While the data by themselves do not appear sensitive, they would certainly be useful to anyone trying to socially engineer information or to set up a business email compromise or phishing attack.

As their site explains, CSS provides a range of services, including Seismic, Land Rig, Land, Maritime, Survey, Subsea/ROV, Geotechnical, Environmental, Renewable Energy, SMSS Group, and Medics. Of particular note, CSS also advertises that it provides maritime security:

MDS is the maritime security division of CSS Limited. Our Ship Security Consultants (SSC) are senior former military personnel (HM Royal Marines) and are available to respond to any security threat to the offshore maritime industry, particularly in the Gulf of Aden, the east coast of Africa and into the Indian Ocean. Somali based Piracy has reduced significantly over recent years and now seems to be limited to occasional reported approaches and un-confirmed sightings. With BMP4, the industry guidelines, proving to be almost 100% effective, our Security Analysts have re-assessed the current threat and how it can be approached and managed both with and without the use of firearms. Operational effectiveness is enhanced by full and willing participation from the vessel’s crew. MDS will provide highly skilled consultants who will utilize the experience and knowledge of protection methods gained throughout their maritime career and will embark a client’s vessel as ‘Ship Security Consultants’, to plan, train and advise the Master, ensuring the vessel steams safely through areas of Piracy. Our team is very conversant with all the high risk areas. CSS Limited / MDS only deploy operatives with a minimum of 5 years’ experience, often as Team Leader, who have conducted over 30 transits. MDS are committed to providing highly qualified Ships Security Consultants for a multitude of tasks, with 24 hours support from our Jersey based Operations team and for further information, please contact us at: [email protected]

Image credit: Channel Ship Services

DataBreaches.net asked TDO if any of the files they acquired appeared to contain sensitive or classified maritime security information. A spokesperson for TDO responded:

We’ve stolen everything they’ve ever had, and indeed we have information about staffing and routes for armed security for certain maritime vessels. Very sensitive information detailing TTPs [Tactics, Techniques, and Procedures] and the navigation routes. Information pirates would thoroughly enjoy, and we’re currently looking down avenues of having some maritime vessel crews taken hostage. Surely, CSS would pay us then.

It is hard to believe that TDO would go quite that far, but this is certainly not the first time that they have indicated a willingness to arrange to have people harmed.

Because this blogger has no expertise in GDPR, DataBreaches.net does not know whether notification of this incident would be required under GDPR or any other laws. DataBreaches.net has sent two e-mails to CSS over the past days seeking their response to certain questions about this hack. Neither e-mail received a reply. An attempt to contact CSS via their Twitter team also failed to get a response.

DataBreaches also sent an e-mail to the Office of the Information Commissioner for Jersey to ask whether this breach had been reported to their office, and in other correspondence, attempted to contact a U.S. resident who contracted as an environmental researcher working on the Fugro Discovery to find out if CSS had notified her of the hack.

No replies have been received from the OIC or the environmentalist.

This post may be updated if more information becomes available. But in any event, if TDO has developed a special focus on Professional Employer Organizations (PEOs), which is what they tell me and which is what the Prime Staff Inc. and CSS hacks indicate, other firms in that sector should be taking extra security precautions these days.

Update: In response to an inquiry from this site to the OIC of Jersey, a spokesperson explained that under their laws, they cannot comment on any case until after an investigation is completed, but the spokesperson also wrote:

I can confirm that we have made contact with the local organisation and are awaiting a response from them. We can therefore confirm that we are looking into the matter. However, as already stated we cannot make any further comment with regard to ongoing matters, not least because at this stage we do not know the full facts.

So eventually, we will have some determination from that regulator as to whether notification is needed for this situation.

Dec 04, 2018

TheDarkOverlord (TDO) has been busy, it seems. In the past month or so, the hackers – who have seemingly managed to continue to evade capture by law enforcement – have revealed a number of hacks never previously disclosed by them.

Earlier today, DataBreaches.net reported on TDO’s hack of Caribbean Island Properties. But at the same time that DataBreaches.net learned of the CIP hack, this site also received an e-mail sent from the account of Rebecca Shields, the principal of another firm, Prime Staff Inc. Shields’ e-mail consisted of one word, “HELP,” which appeared above the text of what purported to be a communication from TheDarkOverlord.

According to public records, Prime Staff Inc. is a California domestic corporation with a mailing address at 1258 North San Dimas Canyon Road, San Dimas, California. The corporation listing was filed on July 7, 2011, and the company’s filing status is listed as Active. Prime Staff Inc. has one principal on record: Rebecca B. Gaspar from Upland. It appeared to be Ms Gaspar a/k/a Shields who reached out to DataBreaches.net, although it could have been TDO letting me know about the hack by emailing from her account.

DataBreaches.net responded to the e-mail and asked whether there was some safe way for Ms Shields to contact me or vice versa. In reply, DataBreaches.net received an e-mail that only said, “There’s no safe way to contact Shields.” At this point, then, it appears that TDO has complete control over the domain and mail server.

About Prime Staff Inc.

Prime Staff Inc. is a Professional Employer Organization (PEO). PEOs provide outsourced personnel and administrative services for both large corporations and SMBs. Businesses and PEOs develop “co-employment” relationships, which means that a business’s employees also become the PEO company’s employees. According to PEOcompare.com:

The PEO will take on many different clients, allowing them to pool one company’s employees with another’s. This helps lower risks and insurance costs. It also allows the PEO to propose a wide range of offerings, as well as access to benefit plans that a small business may not have been able to afford on its own.

Professional employer organizations are not bound by state borders or limited in the amount of employees they can accommodate, which is why many employers are beginning to see the tremendous value of their services.

Prime Staff Inc. has a number of reviews online, which generally range from poor (Yelp) to average (Indeed). Details of their operation were not available as all of their files and their site had been wiped out by TDO.

TDO’s Communication

Unlike their communication to Caribbean Island Properties, TDO’s e-mail to Prime Staff does not provide any clue as to how they gained a foothold in the firm’s network. As with other “clients,” however, TDO gave the firm three options for payment.

TDO proposed a $50,000 USD amount for their Option 1, with the victim given one year to pay it off. If Prime Staff was willing to vouch for them with future clients, TDO indicated that they would reduce the amount to $37,500 USD (Option 2). The final option was a steeper discount: $25,000 USD in BTC to be paid by December 25. They also offered the firm a few other discount options, including a $10,000 refund if Shields were to convince any future “clients” to cooperate with them and accept their proposal:

If you choose one of the proposed options above, we agree that we’ll securely destroy all of the data and information that we’ve retrieved from you and we’ll make sure that all of this falls through the cracks and becomes forever lost in the darkness below, to not be brought up ever again (we need the storage space anyway, to have the room for our future activities – which don’t involve your companies, provided that one of our proposed options is agreed to and satisfied by the terms requested. We may even be willing to amend the terms of accord and satisfaction in the terms of compensation and time frames, if you ask nicely and if we’re entertaining a satisfied existence at that moment in time.

Consistent with their past activities, the missive contains some clear threats as to what non-cooperation would result in, e.g.,

Oh, and also, if you want your data back, you’ll be required to pay us for it, and since you ignored our SMS messages for hours, we deleted loads of it at random, so who knows what’s left? We’re only jesting. Don’t even bother trying to recover the data from your server drives because it’s been wiped with pseudo-random data which means it’s not recoverable. This wasn’t some flawed ransomware deployment. This was a fucking nuke going off. You’re fucked. If you want it back, you need us. If you don’t want it back, you need us to keep quiet. Pay us.

The email ends with a now-familiar signature block, and a cheeky, “P.S. Give us a follow on our Twitter (@tdo_hackers)!”

The full message to Prime Staff Inc. appears below, followed by the contract. TheDarkOverlord did not provide precise numbers, but informed this site that they had acquired thousands of employees’ personnel files and that they would be selling them on KickAss.

[Embedded document: TDO message to Prime Staff Inc.]

[Embedded document: TDO_Prime_Contract]

Dec 04, 2018

In recent months, we’ve seen the return of threat actors calling themselves TheDarkOverlord (TDO), although some sources have speculated that arrests announced in May may have damaged the group. As some journalists and others have noted in conversations, this incarnation of TDO does not seem to know of some events or statements from the group’s past, and most of their offerings have been old hacks and data breaches. So is it the same TDO with just a new spokesperson, or is this a different TDO?

If today’s development is any indicator, TDO is still standing, and whoever is posting as TDO appears to be the real thing.

Consider what they have claimed to have done to a firm called Caribbean Island Properties.

In a fairly typical long and insulting communication, TDO claims to have wiped out all of the firm’s files, a data protection disaster enabled by what TDO describes as incredibly weak passwords:

We actually did it, although they got in your e-mail because your password was ‘12345’. We pwned your entire infrastructure. Your Domain Admin password was ‘[email protected]’. Now, let’s just start with what we know: you found our Support user that was exfiltrating loads of your data, and you deleted the files we were stealing from you. We weren’t going to delete all your files originally, but since you’ve deleted ours, we deleted all of yours. Now, mind you: we were able to recover ours, but you won’t be able to recover yours. So now we’re the only ones with copies of your files. Right, onto the goods.

The above would be enough to make most site owners or administrators thoroughly nauseous and alarmed.

The firm was then offered various options for payment to recover their data, with the first option being:

You, our client, accord and satisfy a complete transfer of 100.000 GBP of Bitcoins (BTC) over a twelve calendar month period of time with your first transfer to be a thirty percent down-payment transfer of 30.000 GBP of BTC to be made by the date and time of 2018-12-25 23:59 UTC. Follow-up transfers of approximately 5.833 GBP of BTC will be made by the end of each calendar month for the next twelve months, in order to accord and satisfy this proposed option. A primary benefit of this arrangement is that you know we want the Bitcoins and we’ll not be motivated to go ill on our arrangement because we’ll be motivated to hold out. While we’re providing you a guarantee we won’t go ill on our word, we realise this option may appear attractive due to your prejudice against us believing we’re cyber-baddies.

The entire missive to “Cindy and David” appears at the bottom of this post, as does a copy of the contract that TDO posted on Pastebin.

Long-time followers of TDO will recognize much of the concept and the text, as those options and approach have been used before by TDO.

As someone who has followed their work since June 2016, and who had read the Larson documents and contract, as well as their communications to other victims, yes, this is the writing of TheDarkOverlord. But is it someone just copying/pasting their past work? A lot of what I read today could have been just changing the names of the victims and dates, so are we looking at new writing or a template from the past?

My impression is that this is still TDO and not copycats. If you think otherwise, you are welcome to use the Comments section below to explain why you think so.

And yes, I know that some journalists have opted not to report on TDO so that they (other journalists) are not somehow complicit in putting any pressure on TDO’s victims to pay up. This site continues to try to balance that concern with a strong sense that the public needs to be kept informed about threat actors so that more businesses and entities will take steps to protect themselves from attacks.

In the meantime, CIPcaribbean.com did not respond immediately to an email asking them for a comment about the claimed hack and what steps they are taking, but a check on the BTC wallet specified in the contract, 152r8afrWfq7xxGFTpsBgyHChPP8fmHfpz, shows no transactions as yet.

This post may be updated as more information becomes available. And this is not the only newly revealed hack by TDO today. DataBreaches.net received an email from another firm claiming that TDO had hacked them. This site may have more on that one later today.

[Embedded document: TDO message to Caribbean Island Properties (“About Us - Caribbean Island Properties”)]

[Embedded document: Pastebin copy of the contract, uhmBuqij_CIP]

Nov 02, 2018

I thought I had posted something on this already, but apparently I hadn’t, so if you haven’t heard already: an Australian shipbuilder that also has contracts with the U.S. Navy was hacked, and the hacker made extortion demands that the firm has refused.

Jeremy Kirk reports:

Australia’s largest defense exporter says it hasn’t responded to an extortion attempt after ship design schematics were stolen by a hacker.

Austal, which is based in Henderson, Western Australia, is one of the country’s largest shipbuilders; it has built vessels for the U.S. Navy.

The company, which is listed on Australia’s ASX stock exchange, announced the breach late Thursday. The announcement came just a day after a security researcher in France posted screenshots on Twitter of the purported stolen data.

Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems.

Read more on GovInfoSecurity.

Here is some of what appeared on Twitter a few days ago:

Is TheDarkOverlord Behind This?

Because of the nature of the crime – a hack and extortion attempt – some people have wondered whether this might be the work of TheDarkOverlord. The question is understandable, particularly since I reported almost exactly one year ago that TDO had attacked U.S. Navy defense contractors, including ATS, whose METBENCH software was used on warships. Now another firm that does defense work for the U.S. Navy has been attacked? It’s understandable that people would wonder, except that if you look at the listings posted on Twitter, those listings are not consistent with TDO’s sales listings, although the April 2016 join date is intriguing. But selling such important material for 1 BTC? Would TDO sell for so little? It’s unlikely, but it would be a good way to put pressure on Austal: offer the data so cheaply that lots of people might buy it.

When asked directly whether they were behind the attack and extortion, a TDO spokesperson declined to confirm or deny. But they were willing to make a statement about attacking defense contractors, telling DataBreaches.net in an e-mailed statement:

U.S. Defence contractors are easy pickings and they always house very juicy materials that competing nation-states are very interested in. At some times they can be a tough nut to crack, but given enough time, we always crack the nut. Naval contractors are among the most important contractors to breach as surface and sub-surface warfare vessels allow nation-states to extend their attack capabilities in a very mobile and speedy way.