The Dark Overlord & Shiny Hunters - Cyber Investigation

In 2016, a hacking group known as ‘The Dark Overlord’ (TDO) began terrorizing and extorting organizations. The group quickly became known throughout the media for its extortion of medical providers and the sale stolen medical records. Some of the group’s first publicized hacks include medical facilities and law firms in Missouri.

In 2017, the group gained additional headlines for extorting companies like Disney and Netflix, threatening to release advanced copies of their studio productions if their ransom demands were not met.

Later that year TDO moved from traditional hacking and extortion schemes to terror-based attacks, when they targeted school districts, and directly threatened the lives of students if their demands were not met. This act forced the closure of more than 30 schools for an entire week.

The Dark Overlord report, published by cybersecurity author Vinny Troia, provides provide evidence of an ongoing criminal collaboration between Mr. Christopher Meunier and associate, Dionysios “Dennis” Karvouniaris, both of Calgary, Canada.

Troia's published book, "Hunting Cyber Criminals", published by Wiley Books, provides a more detailed look into the investigation, providing investigative examples and techniques used to uncover the group's additional aliases.

Using additional group names such as NSFW, Gnostic Players, and Shiny Hunters, the collaboration of these two individuals can be directly attributed to roughly 42% of all non-credit card related data breaches that occurred between January 2017 to June of 2020.

A secondary investigative report on the group shows that they have re-branded as Gnostic Players being identified as Gabriel Bildstein and Shiny Hunters as Nassim Benhadou.

The Group's final member, Natan Wyatt, a 38 year-old man from Wellingborough who is known as “Crafty Cockney,” was extradited to the United States, facing six counts in an indictment issued by a grand jury in the Eastern District of Missouri:

Download The Dark Overlord report for the full investigative details.

On July 12, 2020, Night Lion Security received messages from several reporters regarding a "hack" on its Data Viper platform. The hackers posted an onion page with a detailed zine, and several downloads including Data Viper's MySQL databases, a list of data breaches contained within the platform, and sample data claiming to have originated from the Data Viper Elasticsearch cluster.

Information of the hack was sent to media outlets just days before Night Lion Security CEO, Vinny Troia, was set to give a talk and release a technical report exposing the identities of this hacker and his affiliations.

The zine also contained a digital copy of Troia’s book, Hunting Cyber Criminals (in which the threat actor is the primary focus), and early copy of the technical report, alongside several pages of his own written comments and criticisms.

Databases claiming to have been exfiltrated from Data Viper have been listed for sale on Empire Market by user "Nightlion".

As discussed in our report of The Dark Overlord (and related hacker groups), the data for sale on Empire has been already been listed for sale by the same actor/groups. One example supporting this point are the following screenshots from Raidforums, showing. Megadimarus' sales list before and after the Data Viper incident.

As described in our full technical report, the main IP which attacked the Data Viper servers can conclusively be linked to breaches by Gnostic Players, NSFW (The Dark Overlord), and Megadimarus.

It has long been our theory that there has been a single consistent person was the core of each of these major hacking groups. Until this event, we had been unable to find any conclusive evidence to support that theory.

Now we can see the single IP, 141.98.103.xxx, was used over a 2-3-year period to attack sites claimed by Gnostic Players, NSFW, Megadimarus, and finally the attack on Data Viper.