Apr 28 2017
 

After a two-month hiatus, and with pixels to spare, TheDarkOverlord let it be known today that they are still hacking and attempting to extort their victims:

“And so let it be read that the loathsome giants do too fall. Hello Netflix, we’ve arrived.”

NBC, ABC, CBS, Fox, Netflix, IFC, E!…. with a well-placed attack last year, the hacker or hackers known as TheDarkOverlord (TDO) managed to acquire a lot of intellectual property: upcoming episodes of popular TV shows and movies. Right now they want Netflix to pay them not to release their intellectual property on torrent sites. Eventually, the other networks will likely receive similar demands.

[Note: Because DataBreaches.net cannot confirm whether TDO is actually one individual or a collective, TDO will be described as “they” in this report.]

As TDO has often commented to this blogger, they love going after third-party vendors. On December 26, in an encrypted chat, TheDarkOverlord (TDO) informed DataBreaches.net that they had recently come across what they described as hundreds of GBs of unreleased and non-public media from a studio located in Hollywood. They anticipated announcing the hack shortly after the new year.

TDO provided this site with a preview of some of the material, which included XXX: Return of Xander Cage (2017), Bill Nye Saves The World (Season 1), and Orange Is The New Black (Season 5).

Screenshot from XXX: Return of Xander Cage. Redacted by TDO.

With a little sleuthing, DataBreaches.net was able to determine that the victim studio was Larson Studios, Inc., an award-winning audio post-production studio in Hollywood. TDO would later confirm their identity.

TDO would not reveal the attack method nor how much the ransom demand was, but DataBreaches.net was able to obtain a copy of a contract both TDO and a representative of Larson allegedly signed. The contract, signed December 27, indicated that the studio would pay TDO 50 BTC by January 31. TDO signed the contract as “Adolf Hitler.” The signature of the company representative was indecipherable, but TDO claimed that it was the CFO of the firm who signed.

Further investigation revealed that the 37 titles TDO obtained included a number of films and series that would first premiere in 2017. For existing shows, the entries below indicate that 2017 episodes were acquired by TDO:

A Midsummers Nightmare – TV Movie
Above Suspicion – Film
Bill Nye Saves The World – TV Series
Breakthrough – TV Series
Brockmire – TV Series
Bunkd – TV Series
Celebrity Apprentice (The Apprentice) – TV Series
Food Fact or Fiction – TV Series
Handsome – Film
Hopefuls – TV Series
Hum – Short
Its Always Sunny in Philadelphia – TV Series
Jason Alexander Project – TV Series
Liza Koshy Special – YoutubeRed
Lucha Underground – TV Series
Lucky Roll – TV Series
Making History – TV Series
Man Seeking Woman – TV Series
Max and Shred – TV Series
Mega Park – TV Series
NCIS Los Angeles – TV Series
New Girl – TV Series
Orange Is The New Black – TV Series

Screenshot from Orange is the New Black, provided by TheDarkOverlord.

Portlandia – TV Series
Rebel In The Rye – Film
Steve Harveys Funderdome – TV Series
Story of God with Morgan Freeman – TV Series
Superhuman – TV Series
The Arrangement – TV Series
The Catch – TV Series
The Middle – TV Series
The Stanley Dynamic – TV Series
The Thundermans – TV Series
Undeniable with Joe Buck – TV Series
Win It All – Film
X Company – TV Series
XXX Return of Xander Cage – Film

The new year came and went and there was no public announcement from TDO. In encrypted chat, TDO indicated that although the studio had previously agreed to pay, they had stopped responding to TDO.

DataBreaches.net reached out to the owners of Larson Studios in February, after the January 31 deadline had passed, to ask for a statement, but they did not respond to email requests.

In response to subsequent inquiries, TDO claimed that they were having some server difficulties setting up the torrent. But after more time went by, they informed this blogger that with some regret but also some relief, they had decided not to go forward with their plan, telling this site that no one really seemed interested in TV shows and movies.

Sometime between then and now, TDO changed their strategy, switching from attempting to extort Larson Studios to attempting to extort Netflix.

Today, TDO uploaded what they claim is the first episode of the new season of Orange is the New Black. In a statement originally posted on GitHub and then re-posted on Pastebin, they wrote that Netflix’s failure to respond offended them and forced their hands:

…. Armed with this information, we naturally approached Netflix and the others in an attempt to devise a mutually-beneficial arrangement where we are paid and Netflix and friends don’t wake up to find their hard work plastered on the internet. Our proposals went unanswered so our hands have been forced. We were quite offended by our targets’ responses (or lack thereof).

DataBreaches.net was unable to authenticate the episode, but notes that Netflix has not issued any statement denying its authenticity.

Whether TDO will actually attempt to extort any other company remains to be seen, although later today they tweeted that they would be contacting others:

“Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore.”

Netflix has been asked for a statement and this post will be updated if and when one is received.

Update: TDO appears to have leaked the remainder of Season 5 of Orange is the New Black with a statement on Pastebin noting that episodes 2-10 have been released as torrents. TDO also appears to have been busy giving media outlets more details on the incident, suggesting that playing/trying to use the media to increase pressure on targets remains part of TDO’s methods.

Update 2: Netflix sent this site the stock statement that they are sending to all media/news sites:

We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.

Netflix presumably knew about the hack since December or whenever Larson notified them. The FBI was involved by February, and probably much earlier. So what did Netflix actually do once it learned their IP was in the hands of TDO? Even cursory research on TDO would reveal that they had established a reputation for vindictively dumping data from entities that they felt had not shown them proper respect as “professionals” and/or who had ignored their demands. The dumping of data (episodes) was predictable if Netflix had no plans to pay any extortion demand. So what did Netflix actually do? And will the other networks stand firm, too, and refuse to pay extortion? If even one victim pays extortion, that only encourages more attacks and extortion demands.

For those who are first learning about TheDarkOverlord, just search this site for “thedarkoverlord.” You’ll find dozens of articles on previous hacks, most of which targeted medical clinics and patient data, but some of which targeted businesses, including a Navy contractor.

Update 3: May 1: TDO tweets that it’s “nearly time to play another round.” Thousands of people have followed the @tdohack3r Twitter account since the start of the Netflix dumps, many cheering the hacker(s) on. Before you encourage a blackhat, take a few minutes to find out what else they’ve done. Do you really want to encourage people who hack sensitive patient information and then try to extort clinics so that the patient data isn’t revealed publicly? Are these really your heroes?

And if you’re a journalist new to covering TheDarkOverlord or hacks like these, note that making an extortion demand as they have done is NOT the same thing as using “ransomware.” I’ve blogged about that before, and now Steve Ragan of Salted Hash has also tried to hammer that point home for reporters.

  23 Responses to “TheDarkOverlord leaks upcoming episode of Orange is the New Black after Netflix doesn’t pay extortion demand (Updated)”

  1. Why are you reporting on this monster? He is using your news to extort victims. Don’t you get it?

    • Some of us who report on hackers have certainly considered the ethical aspects of being “useful idiots” for criminals. Do we report news or not report news if reporting might be of some perceived benefit to the criminal? I’ve decided the issue for myself that I will usually report if it’s something likely to be of public concern or interest, but I also respect other journalists who reach different decisions about that.

      But here’s an empirical question for you, because your question seems to make an assumption: does our reporting actually help him extort victims? I haven’t seen any evidence of that.

  2. Since the original pastebin has been removed here is a copy for reference.

    Hello, this is thedarkoverlord (@tdohack3r) here to deliver a message.

    The team here at TheDarkOverlord Solutions works hard but we always remember to play hard too. In fact, one of our coworkers here (who everyone tolerates because a C-level appointed them to their position and said C-level signs our paycheques) often brags at the water dispenser about how they participate in “Netflix and chill” with a prospective mate. During one of these recounts, a bright-eyed and bushy-tailed intern brought up how our notes on Netflix are still valid and pondered why nothing ever came of it. After patting the whippersnapper on the head, we decided that we should look into them again and see what angles we can play. We called for a meeting and decided to take the “intellectual property” route whose trail we may have to blaze ourselves. After creating a list of the most popular Netflix original series, grabbing the credits for each series and grepping for company names, we managed to compose a hitlist. We paid special attention to companies under the “post-*” heading.

    After a significant amount of time was spent on reconnaissance and prodding company perimeters, we managed to weave ourselves into the foundation of one company who gave us access to a significant title in the Netflix original series portfolio: “Orange Is The New Black” – Season 5. But that’s not all, we also helped ourselves to copies of titles from other companies. However, this specific release will focus on Netflix.

    Because the titles were months away from their scheduled airtimes, we pulled back and waited for the trailers to drop to assist us in the verification of our loot – just in case. And sure enough, the trailers dropped and we were able to find the scenes that were used. Armed with this information, we naturally approached Netflix and the others in an attempt to devise a mutually-beneficial arrangement where we are paid and Netflix and friends don’t wake up to find their hard work plastered on the internet. Our proposals went unanswered so our hands have been forced. We were quite offended by our targets’ responses (or lack thereof).

    Now, because we punish in a pervasive guilty-by-association manner, other companies in the American entertainment industry shouldn’t be surprised if they were too wake up to a verbose, condescending, and abusive letter in their inbox extending a hand of friendship and (most likely) demanding a modest sum of internet money. While “modest” is certainly a matter of a particular perspective, we’re inclined to believe that any offer we’ve extended is a most modest one, at that. While we may be vicious internet hooligans, we’re not unreasonable creatures. In fact, here at TheDarkOverlord Solutions, we’re quite proud to say that we’ve been at the forefront of pioneering new friends, business relationships, and producing charitable extensions of our good graces for our said friends, and of course, a request of an always modest sum of internet money.

    Below you will find a links to download the first episode of “Orange Is The New
    Black” – Season 5:
    [link removed by DataBreaches.net]
    [link removed by DataBreaches.net]
    [link removed by DataBreaches.net]

    Like all previous targets, if they realise that ignoring us wasn’t the best decision, we will be open to settling our dispute as our offer(s) are still on the table. Remember that only the first episode has been released. Otherwise, expect a full release to follow suit.

    Your friends,
    thedarkoverlord
    Professional Adversary
    World Wide Web, LLC

    P.S. Enlightening us in regards to the quality of the so graciously released materials is most futile. If you’re not satisfied with our release, you’re more than welcome to release your own episodes of “Orange Is The New Black” – Season 5.
    Reuploads and seeders are welcome.

    • Very interesting note from this message board is TDO writing styke. “They” are trying to appear sound eloquent with certain writing pose but there are very simple grammatical spelling errors which make me question a lot.

      Also the way they describe the dark overlord is not consistent either. Sometimes it is The Dark Overlord or thedarkoverlord.

      • Sometimes “mistakes” are made intentionally. It’s called “OpSec.” Hard to tell/know…

        • That was my other thought too, wondering if the ‘grammatical mistakes’ were intentional to try and trip people to send people thinking in other ways.

      • You mean like YOUR numerous grammatical errors and misspellings Indee One?

        Just an observation on your writing “styke”. 🙂

        • Yes I saw that too… and goofed on myself when I saw it. Pose was also spelled wrong but Dissent changed that for me (that was damn auto correct though)😀

    • Great work, this coverage is way more informative! Quick question: Did they quote the FBI in their “press release” here?:
      “[…] wake up to a verbose, condescending, and abusive letter in their inbox […]”
      IIRC, this exact description was in Justin Shafer’s complaint for the cyberstalking charges from not too long ago.

      • Yes, that’s some of the exact descriptors in the sealed complaint against Shafer. And I’m not surprised that TDO would include that as a subtle “in your face” to the FBI.

      • Yes I saw that too… and goofed on myself when I saw it. Pose was also spelled wrong but Dissent changed that for me (that was damn auto correct though)😀

        Fyi…The Daily Show reported/spoofed on TDO last night on the Netflix hack…if you haven’t seen it yet, check out. Worth the watch.

        It was about 2 minutes and they didn’t go into all that much but at least someone else other than Databreaches.net is reporting on it 😀

  3. The new season of its sunny in pa ended months ago and I watch an hd version of the new xxx film weeks ago. These twats expect to get paid for releasing outdated bs? lmao

    • They also have material that has not been released yet. Keep in mind that they acquired material prior to Christmas, 2016 and did nothing with it until now (unless they acquired even more after they first told some of us about it in December).

      • Interesting enough, with Netflix being a huge media sensation, mainstream news media has not really picked this story up to share.

        Keep reporting on it

  4. Tim TheDarkOverlord, this is your mother. You’d better not be on the internet again.

  5. Just another batch of useless Russian criminals. F TDO.

    • I heard from a source in the infosec crowd that the TDO gang are Western European. He didn’t say much more

  6. So do they have content that’s not on this list or not? Thanks for OITNB but otherwise they didn’t get too lucky when they pilfered Larson Studio’s content. It’s clear they weren’t able to get back in after December if they don’t have the last 3 episodes of OITNB.

    I guess what I’m trying to say is…try harder next time… : \

    • I do not know whether they have content not included on that list or not. I have not discussed this breach with them since February, and haven’t heard from them since they first announced they were leaking episodes.

  7. To #TeamJustin:

    I’m holding your comment, for now. Could you please contact me via Jabber ([email protected] or [email protected]) or via email ([email protected] or [email protected]) to discuss? I could use a link or two to see what you were referring to.

    /Dissent
