An Indian IT firm was reported to be secretly operating as a global hackers-for-hire service or hacking-as-a-service platform.
The organization, BellTroX InfoTech Services, which is based in Delhi, was alleged to have targeted thousands of high-profile individuals and organizations across six continents over the past seven years.
Hack-for-hire services of this kind are not state-sponsored groups; they operate as commercial companies that perform cyberespionage against given targets on behalf of private investigators and their clients.
According to a report published by the University of Toronto's Citizen Lab, BellTroX, which has been dubbed 'Dark Basin' as a hacking group, targeted advocacy groups, politicians, government officials, CEOs, journalists, and human rights defenders.
As per the reports, Dark Basin conducted commercial espionage on behalf of its clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories, and advocacy.
Citizen Lab started their investigation into the ‘Dark Basin’ group in 2017 when they were contacted by a journalist targeted with phishing pages that were served via the self-hosted open-source Phurl URL shortener.
It was found that the attackers used the same URL shortener to disguise at least 27,591 other phishing links containing the targets’ email addresses.
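A link that carries the recipient's own email address, as the phishing links described above did, is a useful triage signal for defenders: the address lets the operator tie each click to a specific target. The following is an added example (not code from the original article or from Citizen Lab) that scans a constructed set of links from a mailbox and flags those embedding a given recipient address, whether plain, URL-encoded, hex-encoded, or base64-encoded. The hostnames, links, and the address are made up for illustration and are not Dark Basin infrastructure.

```python
import base64
import urllib.parse
from typing import Optional

# Constructed sample of links as they might appear in a recipient's mailbox
# (made-up hostnames; one legitimate link and four shortener-style links).
SAMPLE_LINKS = [
    "https://mail.example.test/inbox",
    "https://links.example.test/s/9fK2Q",
    "https://links.example.test/r/4Ab1?id=target@example.org",
    "https://links.example.test/go/abc?e=target%40example.org",
    "https://links.example.test/l?u=dGFyZ2V0QGV4YW1wbGUub3Jn",
]
TARGET = "target@example.org"  # constructed recipient address


def address_forms(email: str) -> dict:
    """Return the encodings in which an address commonly appears inside a link."""
    e = email.strip().lower()
    raw = e.encode()
    return {
        "plain": e,
        # quote() emits uppercase hex escapes; lowercase so comparison is case-insensitive
        "urlencoded": urllib.parse.quote(e, safe="").lower(),
        "hex": raw.hex(),
        # strip padding so the needle also matches unpadded variants
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def embedded_email_form(url: str, email: str) -> Optional[str]:
    """Return the name of the encoding under which `email` appears in `url`, else None."""
    lowered = url.lower()
    for name, needle in address_forms(email).items():
        # base64 alphabets are case-sensitive; the other forms are compared case-insensitively
        haystack = url if name.startswith("base64") else lowered
        if needle in haystack:
            return name
    return None


def triage(links: list, email: str) -> list:
    """Return (url, encoding) pairs for every link that embeds the recipient address."""
    flagged = []
    for url in links:
        form = embedded_email_form(url, email)
        if form is not None:
            flagged.append((url, form))
    return flagged


if __name__ == "__main__":
    for url, form in triage(SAMPLE_LINKS, TARGET):
        print(f"FLAG [{form:>10}] {url}")
```

Treat a hit as a reason to look closer rather than a verdict: mailing-list and newsletter tracking links legitimately embed the subscriber address as well, so the signal is strongest when combined with an unfamiliar sending domain or a self-hosted shortener the recipient has never interacted with.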
The owner of the BellTroX company, Sumit Gupta, was once summoned in California in 2015 for participating in a similar hack-for-hire scheme, along with two private investigators who admitted to paying him to hack the accounts of marketing executives.
Dark Basin left copies of their phishing kit source code available openly online, as well as log files that recorded every interaction with the credential phishing website, including testing activity carried out by Dark Basin operators.
The researchers managed to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners.
They also made social media posts describing and taking credit for attack techniques, containing screenshots of links to Dark Basin infrastructure.
Several individuals and institutions targeted by BellTroX were notified by Citizen Lab, which also shared its findings with the United States Department of Justice (DOJ) at the request of several targets.
A parallel investigation into Dark Basin's operations was also conducted by the cybersecurity company NortonLifeLock, which dubbed the operation "Mercenary.Amanda" and released a list of Indicators of Compromise (IoCs).