{
	"id": "6521615c-e2b3-450c-bb47-0f76bbb84819",
	"created_at": "2026-04-06T00:13:22.260421Z",
	"updated_at": "2026-04-10T03:31:59.301321Z",
	"deleted_at": null,
	"sha1_hash": "db694411ef4ee379c2741ea6a28a6c91fc6e06cd",
	"title": "Dark Basin: Uncovering a Massive Hack-For-Hire Operation - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5641901,
	"plain_text": "Dark Basin: Uncovering a Massive Hack-For-Hire Operation - The\r\nCitizen Lab\r\nArchived: 2026-04-05 18:11:38 UTC\r\nKey Findings\r\nDark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six\r\ncontinents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds,\r\nand multiple industries.\r\nDark Basin extensively targeted American nonprofits, including organisations working on a campaign called\r\n#ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.\r\nWe also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy,\r\npreviously reported by the Electronic Frontier Foundation.\r\nWe link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.\r\nCitizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with\r\nassistance in tracking and identifying the campaign. At the request of several targets, Citizen Lab shared information\r\nabout their targeting with the US Department of Justice (DOJ). We are in the process of notifying additional targets.\r\nIntroducing Dark Basin\r\nWe give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on\r\nsix continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With\r\nhigh confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an India-based technology company.\r\nOver the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf\r\nof their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories,\r\nand advocacy. This report highlights several clusters of targets. 
In future reports, we will provide more details about specific\r\nclusters of targets and Dark Basin’s activities.\r\nThousands of Targets Emerge\r\nIn 2017, Citizen Lab was contacted by a journalist who had been targeted with phishing attempts and asked if we could\r\ninvestigate. We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing\r\nlinks.\r\nWe subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single\r\ngroup, which we call Dark Basin. Because the shorteners created URLs with sequential shortcodes, we were able to\r\nenumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets. We used open source\r\nintelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial\r\nfraction of them, assembling a global picture of Dark Basin’s targeting.\r\nOur investigation yielded several clusters of interest that we will describe in this report, including two clusters of advocacy\r\norganizations in the United States working on climate change and net neutrality.\r\nWhile we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin\r\nwas likely a hack-for-hire operation. Dark Basin’s targets were often on only one side of a contested legal proceeding,\r\nadvocacy issue, or business deal.\r\nResearch Collaborations \u0026 Official Notification\r\nDark Basin has targeted dozens of journalists in multiple countries. Citizen Lab has notified and worked with some of these\r\njournalists over the past three years to assist them in investigating this case. 
In addition, Citizen Lab has mutually shared\r\nindicators and technical information with researchers at cybersecurity company NortonLifeLock, who have been conducting\r\na parallel investigation into Dark Basin, which they refer to as “Mercenary.Amanda.” Many targets have also cooperated and\r\nassisted our investigation. At the request of multiple targets, Citizen Lab shared materials relevant to their targeting with the\r\nUS DOJ.\r\nLinks to an Indian Operator\r\nWe link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech\r\nServices (also known as “BellTroX D|G|TAL Security,” and possibly other names). BellTroX’s director, Sumit Gupta, was\r\nindicted in California in 2015 for his role in a similar hack-for-hire scheme.\r\nLinks to India\r\nhttps://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/\r\nPage 1 of 14\n\nTimestamps in hundreds of Dark Basin phishing emails are consistent with working hours in India’s UTC+5:30 time zone.\r\nThe same timing correlations were found by the Electronic Frontier Foundation (EFF) in a prior investigation of phishing\r\nmessages targeting net neutrality advocacy groups, which we also link to Dark Basin.\r\nSeveral of Dark Basin’s URL shortening services had names associated with India: Holi, Rongali, and Pochanchi (Table 1).\r\nHoli is a well-known Hindu celebration also known as the “festival of colours,” Rongali is one of the three Assamese\r\nfestivals of Bihu, and Pochanchi is likely a transliteration of the Bengali word for “fifty-five.”\r\ntable 1\r\nThree of the URL shortener devices used by Dark Basin\r\nAdditionally, Dark Basin left copies of their phishing kit source code available openly online, as well as log files showing\r\ntesting activity. 
The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and log files show that\r\nDark Basin appeared to conduct some testing using an IP address in India.\r\nLinks to BellTroX\r\nAlong with our collaborators at NortonLifeLock, we have unearthed numerous technical links between the campaigns\r\ndescribed in this report and individuals associated with BellTroX. These links lead us to conclude with high confidence that\r\nDark Basin is linked to BellTroX.\r\nWe were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used\r\npersonal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts\r\ndescribing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and\r\nits employees appear to use euphemisms for promoting their services online, including “Ethical Hacking” and “Certified\r\nEthical Hacker.” BellTroX’s slogan is: “you desire, we do!”\r\nOn Sunday, June 7th 2020 we observed that the BellTroX website began serving an error message. We have also observed\r\nthat postings and other materials linking BellTroX to these operations have been recently deleted.\r\nTechnical evidence of further links between BellTroX and Dark Basin is detailed in Appendix A. Indicators of\r\nCompromise are available in Appendix B.\r\ntable 2\r\nExcerpt from the CV (left) of an individual matching the name of a then-BellTroX employee (right) shared\r\nusing a shortener link. 
The “Responsibilities” described match the activities of Dark Basin.\r\nBellTroX’s Director and Previous Hack-For-Hire Schemes\r\nFurther, in 2015, the US DOJ indicted several US-based private investigators and an Indian national, Sumit Gupta (whom\r\nthe DOJ notes also uses the alias Sumit Vishnoi), for their role in a hack-for-hire scheme. To our knowledge, Gupta was\r\nnever arrested in relation to the indictment. An aggregator of Indian corporate registration data lists Sumit Gupta as the\r\ndirector of BellTroX, and online postings by a “Sumit Vishnoi” contain references to BellTroX. The actions described in that\r\nindictment, including the extensive relationships with private investigators, are similar to those we ascribe to BellTroX.\r\nDark Basin’s Connections to Private Investigators\r\nWe have observed Dark Basin’s activities over several years, including the social media activities and posts of individuals\r\nworking at BellTroX. Some of the individuals listed on LinkedIn as working for BellTroX mention activities that indicate\r\nhacking capabilities.\r\nBellTroX staff activities listed on LinkedIn include:\r\nEmail Penetration\r\nExploitation\r\nCorporate Espionage\r\nPhone Pinger\r\nConducting Cyber Intelligence Operation\r\nBellTroX’s LinkedIn pages, and those of their employees, have received hundreds of endorsements from individuals\r\nworking in various fields of corporate intelligence and private investigation.\r\nBellTroX and its employees received endorsements from individuals listing themselves as:\r\nAn official in the Canadian government.\r\nAn investigator at the US Federal Trade Commission and previously a contract investigator for US Customs and\r\nBorder Patrol.\r\nCurrent local and state law enforcement officers.\r\nPrivate investigators, many with prior roles in the FBI, police, military and other branches of government.\r\nDespite a previous DOJ indictment of the BellTroX Director, as well as indictments in other hack-for-hire cases, 
the\r\ncompanies that provide these services publicly promote their activities. This suggests that companies and their clients do not\r\nexpect to face legal consequences and that the use of hack-for-hire firms may be standard practice within the private\r\ninvestigations industry. A LinkedIn endorsement may be completely innocuous, and is not proof that an individual has\r\ncontracted with BellTroX for hacking or other activity. However, it does raise questions as to the nature of the relationship\r\nbetween some of those who posted endorsements and BellTroX.\r\nTargeting American Nonprofits, Journalists\r\nDark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to\r\nfinancial services firms such as hedge funds and banks, to pharmaceutical companies. Troublingly, Dark Basin has\r\nextensively targeted American advocacy organizations working on domestic and global issues. These targets include climate\r\nadvocacy organizations and net neutrality campaigners.\r\nTargeting American Environmental Organizations\r\nWe discovered a large cluster of targeted individuals and organizations that were engaged in environmental issues in the US.\r\nIn the fall of 2017, Citizen Lab made contact with these groups and began working with them to determine the nature and\r\nscope of the targeting. 
We determined that these organizations were all linked to the #ExxonKnew campaign, which\r\nhighlights documents that, the advocacy organizations argue, point to Exxon’s decades-long knowledge of climate change.\r\nAccording to the New York Times, the #ExxonKnew campaign has led to “exposés of the company’s research into climate\r\nchange, including actions it took to incorporate climate projections into its exploration plans while playing down the threat.”\r\nThe New York Times describes an intense legal battle between ExxonMobil, multiple states’ attorneys general, and\r\norganizations engaged in the #ExxonKnew campaign.\r\nTargeted organizations consenting to be named in this report include:\r\nRockefeller Family Fund\r\nClimate Investigations Center\r\nGreenpeace\r\nCenter for International Environmental Law\r\nOil Change International\r\nPublic Citizen\r\nConservation Law Foundation\r\nUnion of Concerned Scientists\r\nM+R Strategic Services\r\n350.org\r\nAt their request, we are not naming all targets within this cluster.\r\nWe provided the targets with search queries to find Dark Basin emails and instructed them on how to use these queries to\r\ngather emails from their inboxes. While this methodology cannot generate a comprehensive set of all Dark Basin phishing\r\nattempts, it provided retrospective data that helped us correlate the timing of phishing emails with key events in the\r\n#ExxonKnew campaign. We identified these key events with the assistance of targeted organizations, as well as a timeline\r\nreleased by ExxonMobil. We noted that targeting increased around certain key events, as illustrated below.\r\nA Stolen Email?\r\nIn January 2016, a group of environmental organizations and funders met privately to discuss the #ExxonKnew campaign. A\r\nprivate email inviting campaigners to the January meeting (the “January Email”) was subsequently leaked by unknown\r\nparties to two newspapers. 
The January Email was quoted in a story entitled “Exxon Fires Back at Climate-Change Probe”\r\non April 13, 2016 in the Wall Street Journal, and a day later a picture of a printout of the January Email was published in the\r\nFree Beacon.\r\nAfter a reporter queried the attendees about the secret meeting in March 2016, we found no further phishing emails until the\r\nNew York Attorney General made a filing alleging evidence of “potential materially false and misleading statements by\r\nExxon” in June 2017. Targeting also spiked again shortly before New York City filed a lawsuit against ExxonMobil in\r\nJanuary 2018.\r\ntable 3\r\nExxonMobil’s timeline of the advocacy campaign, highlighting the January Email (left) and an excerpt of the\r\n“leaked” January Email (right).\r\nThe leak of the January 2016 Email, as well as suspicious emails noticed by campaigners, led some present at the meeting to\r\nsuspect their private communications may have been compromised. We later determined that all but two recipients of the\r\nleaked January Email were also Dark Basin targets.\r\nWe also note multiple other instances of internal documentation related to individuals publicly connected to these campaign\r\nissues appearing in the press.\r\nWell-Informed Targeting\r\nDark Basin sent phishing emails to targets’ personal and institutional email accounts. They targeted individuals involved in\r\nthe #ExxonKnew campaign, as well as #ExxonKnew campaigners’ family members. In at least one case a target’s minor\r\nchild was among those targeted with phishing. We believe this “off-center” targeting further indicates both the well-informed nature of the targeting, and an intelligence gathering objective.\r\nMuch of the phishing against these individuals referenced targets’ work on ExxonMobil and climate change. 
Notably,\r\nmultiple phishing messages seemed to reference unspecified confidential documents concerning ExxonMobil. A number of\r\nthese messages impersonated individuals involved in the #ExxonKnew advocacy campaign or individuals involved in\r\nlitigation against ExxonMobil, such as legal counsel.\r\ntable 4\r\nExamples of phishing messages referencing confidential information and notifications concerning\r\nExxonMobil sent to individuals at advocacy organizations. The messages were sent from accounts\r\nmasquerading as close colleagues of those targeted.\r\nIn other cases, Dark Basin sent fake Google News updates concerning ExxonMobil, clearly a topic of interest to the targets.\r\nOther ruses included fake Twitter direct messages and other correspondence purporting to concern climate change advocacy.\r\nDark Basin also regularly employed more generic phishing emails using the same infrastructure. We observed a similar mix\r\nof topic-specific and generic attempts by Dark Basin against targets in other clusters, such as targeted hedge funds. Dark\r\nBasin also regularly made use of third-party link tracking services in their messages.\r\nEvidence of Compromise\r\nIn at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals. This incident led us to\r\nconclude that Dark Basin had some success in gaining access to the email accounts of one or more advocacy groups.\r\nWho Was the Client?\r\nDark Basin’s targeting revealed a highly detailed and accurate understanding of their targets and their relationships. Not only\r\ndid phishing emails come from accounts masquerading as targets’ colleagues and friends, but the individuals that Dark Basin\r\nchose to target showed that it had a deep knowledge of informal organizational hierarchies (e.g., masquerading as\r\nindividuals with greater authority than the target). 
Some of this knowledge would likely have been hard to obtain from an\r\nopen source investigation alone. Combined with the bait content, which was regularly tailored to the #ExxonKnew\r\ncampaign, we concluded that Dark Basin operators were likely provided with detailed instructions not only about whom to\r\ntarget, but what kinds of messages specific targets might be responsive to.\r\nWhile our research concluded with high confidence that Dark Basin was responsible for transmitting these phishing\r\nattempts, we do not have strong evidence pointing to the party commissioning them and we are not conclusively attributing\r\nDark Basin’s phishing campaign against these organizations to a particular Dark Basin client at this time. That said, the\r\nextensive targeting of American nonprofits exercising their first amendment rights is exceptionally troubling.\r\nMore US Civil Society Targets\r\nAt least two American advocacy groups were targeted by Dark Basin during a period in which they were engaged in\r\nsustained advocacy requesting that the Federal Communications Commission (FCC) preserve net neutrality rules in the US.\r\nEFF published a report on this targeting in 2017, observing that US non-governmental organizations Fight for the Future and\r\nFree Press were targeted between July 7 and August 8, 2017. We also observed targeting of additional US civil society\r\ngroups which will be discussed in future reporting.\r\nUS Media Outlets\r\nIn addition to the targeting of civil society, we found that journalists from multiple major US media outlets were also\r\ntargeted. Targets included journalists investigating topics related to the advocacy organizations mentioned above, as well as\r\nmultiple business reporters.\r\nIndustry Targets\r\nDark Basin’s targeting was widespread and implicated multiple industries. In the sample of the targeting collected by Citizen\r\nLab, we found that the financial sector was the most targeted. 
The following section briefly outlines several industry\r\nverticals of particular interest.\r\nHedge Funds, Short Sellers, Financial Journalists\r\nThe most prominent targeting of the financial sector concerned a cluster of hedge funds, short sellers, journalists, and\r\ninvestigators working on topics related to market manipulation at German payment processor Wirecard AG. We note that\r\nthe offices of Wirecard AG were searched on Friday, June 5 2020 by German police in connection with a criminal\r\ninvestigation against certain executive board members launched by Munich prosecutors.\r\nAfter extensive work with targeted organizations and individuals surrounding the Wirecard AG case, we concluded the\r\nunifying thread behind this targeting was its aim at individuals who held short positions in Wirecard AG around the time of\r\nthe targeting and financial reporters covering the Wirecard AG case. Some individuals were targeted almost daily for\r\nmonths, and continued to receive messages for years.\r\nPrivate emails from multiple journalists, short sellers, and hedge funds were made public as part of a “leaks” website and\r\ncampaign, which included a PDF circulated via online posts to various forums. The campaign took its name from Zatarra,\r\nthen a company operated by several of the targets. As Table 5 shows, the document draws heavily on excerpts of\r\ncorrespondence between journalists and their sources. The targets have said that these emails were misleadingly presented\r\nand edited before being posted on the website. 
We believe that, while the documents may have been based on emails\r\nobtained by Dark Basin through phishing, a second entity may have undertaken the work of compiling and presenting these\r\ndocuments on the website, given the sophistication of the writing, use of investigative jargon, and techniques such as\r\ndetailed organizational charts.\r\ntable 5\r\nPages from the documents posted on the ‘Zatarra Leaks’ website.\r\nAs with the targeting of the organizations involved in the #ExxonKnew advocacy campaign, we are not conclusively\r\nattributing this campaign to a specific sponsor at this time.\r\nGlobal Banking and Financial Services\r\nSeveral international banks and investment firms, as well as prominent corporate law firms in the United States, Asia, and\r\nEurope, were targets. We also found a number of companies involved in offshore banking and finance were also targeted.\r\nLegal Services\r\nLawyers were heavily represented in Dark Basin targeting. We found targeted individuals in many major US and global law\r\nfirms. Lawyers working on corporate litigation and financial services were disproportionately represented, with targets in\r\nmany countries including the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria.\r\nThe Energy Sector\r\nWe identified targets in multiple energy and extractive sectors, including petroleum companies. Targets ranged from lawyers\r\nand staff to CEOs and executives. 
In some cases, we observed large swaths of the energy and extractive industry targeted in\r\na particular country, ranging from oilfield services companies and energy companies to prominent industry figures and\r\nofficials at relevant government offices.\r\nEastern and Central Europe, Russia\r\nWe identified a range of targets in Eastern and Central Europe, and Russia, indicative of targeting surrounding the\r\ninvestments and actions of extremely wealthy individuals, including cases surrounding individuals who could be considered\r\noligarchs.\r\nGovernment\r\nWe identified targets in multiple governments, ranging from senior elected officials and their staff to members of the\r\njudiciary, prosecutors, members of parliament, and political parties. In a number of cases, we were able to connect this\r\ntargeting to specific issues. We identified at least one individual who ran for elected office in the US. We anticipate\r\nproviding future reporting on these cases.\r\nPersonal Disputes\r\nMany of Dark Basin’s targets were high profile, well-resourced individuals. However, we found that private individuals\r\nwere also targeted, which appeared to correlate with divorces or other legal matters.\r\nTactics, Techniques, and Procedures\r\nOver the course of our investigation, we found Dark Basin regularly adapting techniques, possibly in response to disruptions\r\nfrom email providers filtering their phishing attempts. What follows is a brief overview of these techniques.\r\nPhishing Emails\r\nDark Basin sent phishing emails from a range of accounts, including Gmail accounts as well as self-hosted accounts.\r\nSophistication of the bait content, specificity to the target, message volume, and persistence across time varied widely\r\nbetween clusters. 
It appears that Dark Basin’s customers may receive varying qualities of service and personal attention,\r\npossibly based on payment, or relationships with specific intermediaries.\r\nURL Shorteners\r\nThe use of URL shorteners for masking phishing sites is a common technique. Over a sixteen-month period, we enumerated\r\n28 unique URL shortener services operated by Dark Basin.\r\nThe malicious URL shorteners used in this campaign typically ran open source URL shortening software called Phurl. We\r\nanalyzed the code and found that Phurl generated sequential shortcodes, making it trivial for us to enumerate the URL\r\nshorteners. Figure 4 below shows numerous examples of the Phurl-based malicious shorteners we tracked.\r\nEnumeration\r\nWe tracked these 28 URL shorteners nearly continuously using a Python script. Overall, our enumeration of these shorteners\r\nuncovered 27,591 different long URLs, each of which led to a Dark Basin credential phishing website. This campaign\r\noperated at a scale we had not previously detected in our research into targeted intrusion operations (versus generic phishing\r\noperations). Often, the email address of the target was included in the URL.\r\nFigure 5 shows a sample of the output from one shortener during a single collection period. The first column shows the\r\nspecific “short code” for a shortener hosted on the domain anothershortnr[.]com and the second column shows the “long\r\nURL,” i.e., the actual destination website hosting the credential phishing pages. 
For example, a phishing email containing\r\nthe shortened link http://anothershortnr[.]com/gu would, when clicked, direct the target to the destination URL:\r\nhttps://emailserver4859[.]com/account.login.system.gmail.com.appredirects.portfoliofa.system-login.app-direct-signin-login.ppsecure-auth/?email=REDACTED@gmail.com\u0026error=Continue to unsubscribe\u0026redirect=//google.com\r\nThe domain, emailserver4859[.]com, was set up by attackers to host a credential phishing page designed to gather account\r\ncredentials from webmail providers, including Gmail.\r\nCredential Phishing Websites\r\nThe malicious links we discovered during our tracking each led to credential phishing sites, i.e., websites designed to look\r\nidentical to popular online web services such as Google Mail, Yahoo Mail, Facebook, and others. In addition, Dark Basin\r\noperators had created phishing websites which copied the look and feel of specific web services used or operated by the\r\ntarget or their organization (Figure 11).\r\ntable 6\r\nImages of several phishing sites deployed in the observed campaigns.\r\nPhishing Kit\r\nIn several cases, Dark Basin left the source code of their phishing kit openly accessible. The source code included references\r\nto log files, which were also publicly accessible. The log files recorded every interaction with the credential phishing\r\nwebsite, including testing activity carried out by Dark Basin operators.\r\nThe source code also contained several scripts that processed details including usernames and passwords entered by victims,\r\nas well as the victims’ IP address. These details were both emailed to a Gmail address controlled by Dark Basin and\r\nrecorded in one or more log files on the web server itself. 
Several of the scripts recorded these details with a timestamp in\r\nIndia’s UTC+5:30 (IST) timezone (Figure 6).\r\nTesting the Phish\r\nIn reviewing log files left openly available on several of the active phishing servers, we observed Dark Basin operators\r\ntesting their phishing links and credential theft kits.\r\nWe observed numerous occurrences where both real target email addresses and obviously fake email addresses were entered\r\ninto the phishing pages using the password ‘test’, ostensibly to simulate or test the functionality of the phishing page. The IP\r\naddresses which were logged by the phishing kit for these test entries were typically from anonymizing VPN services, but\r\nsometimes the logs showed that the test had been conducted using an IP address associated with an Indian broadband\r\nprovider. Figures 7 and 8 show log excerpts from a pair of tests found in the log files from hostsecuremail[.]com, a Dark\r\nBasin credential phishing site:\r\nSuccess Rates\r\nIt is clear that Dark Basin operators were successful with at least some of their phishing campaigns. In cases observed by\r\ntargets, Dark Basin was observed using commodity VPNs to access accounts using stolen credentials. We also found that\r\nlogs from some phishing kits were publicly accessible. After reviewing these logs and working with targets, we concluded\r\nthat Dark Basin’s deceptions, while individually not always effective, did achieve some account access in part because the\r\ngroup could be extremely persistent. For example, we found that some “high value” targets were sent more than one hundred\r\nphishing attempts with very diverse content. 
Some failure to recognize attempted phishing is to be expected when an entire\r\norganization or network of individuals working together on a shared advocacy goal is targeted by such a persistent\r\nadversary.\r\nDark Basin’s reliance on a rarely seen URL shortener software, continued reuse of the same registration identities and\r\nhosting providers for their infrastructure, and the uniqueness of their phishing kit all contributed to our ability to track them\r\ncontinuously during these campaigns. Perhaps most important however was the additional visibility provided by working\r\nclosely with the targeted individuals and organizations. This view into the persistent attempts to compromise the targets\r\ngreatly amplified our ability to follow breadcrumbs left by Dark Basin operators.\r\nMercenary Intrusion: A Global Problem\r\nDark Basin’s thousands of targets illustrate that hack-for-hire is a serious problem for all sectors of society, from politics,\r\nadvocacy and government to global commerce.\r\nMany of Dark Basin’s targets have a strong but unconfirmed sense that the targeting is linked to a dispute or conflict with a\r\nparticular party whom they know. However, absent a systematic investigation, it is difficult for most individuals to\r\ndetermine with certainty who undertakes these phishing campaigns and/or who may be contracting for such services,\r\nespecially given that Dark Basin’s employees or executives are unlikely to be within the jurisdiction of their local law\r\nenforcement. Further, while many of the targets whom we contacted had a sense they were being phished in a targeted\r\noperation, many others did not share this awareness. 
These targets either concluded that they were being phished for an\r\nunknown reason, or simply did not notice the targeting against the background of unrelated phishing messages and spam.\r\nWe believe there is an important role for major online platforms who have the capacity to track and monitor groups like\r\nDark Basin. We hope Google and others will continue to track and report such hack-for-hire operations. We also encourage\r\nonline platforms to be proactive in notifying users that have been targeted by such groups, such as providing detailed\r\nwarnings beyond generic notifications to help enable targets to recognize the seriousness of the threat and take appropriate\r\naction.\r\nHacking for Hire\r\nDark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry. Hack-for-hire groups\r\nenable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal\r\ninvestigations. Previous court cases indicate that similar operations to BellTroX have contracted through a murky set of\r\ncontractual, payment, and information sharing layers that may include law firms and private investigators and which allow\r\nclients a degree of deniability and distance.\r\nThe growth of a hack-for-hire industry may be fueled by the increasing normalization of other forms of commercialized\r\ncyber offensive activity, from digital surveillance to “hacking back,” whether marketed to private individuals, governments\r\nor the private sector. Further, the growth of private intelligence firms, and the ubiquity of technology, may also be fueling an\r\nincreasing demand for the types of services offered by BellTroX. 
At the same time, the growth of the private investigations\r\nindustry may be contributing to making such cyber services more widely available and perceived as acceptable.\r\nA Clear Danger to Democracy\r\nThe rise of large-scale, commercialized hacking threatens civil society. As this report shows, it can be used as a tool of the\r\npowerful to target organizations that may not have sophisticated cybersecurity resources and consequently are vulnerable to\r\nsuch attacks.\r\nFor example, in a four-year study, we concluded that digital threats undermined civil society organizations’ core\r\ncommunications and missions in a significant way, sometimes as a nuisance or resource drain, or more seriously as a major\r\nrisk to individual safety. Citizen Lab has also previously researched and documented the harms of phishing campaigns\r\nagainst civil society around the globe.\r\nWe believe it is especially urgent that all parties involved in these phishing campaigns are held fully accountable. For this\r\nreason, and at the request of multiple targets of Dark Basin, Citizen Lab provided indicators and other materials to the US\r\nDOJ.\r\nAcknowledgements\r\nWe thank the many targets that have helped us during the past three years. Without your diligence and effort this\r\ninvestigation would not have been possible. We have special gratitude for the journalists and media outlets for their patience.\r\nWe also personally thank several targets in particular for incredible efforts to help us identify malicious messages and\r\ninvestigate this case: Matthew Earl of ShadowFall, Kert Davies of the Climate Investigations Center, and Lee Wasserman of\r\nthe Rockefeller Family Fund.\r\nWe thank our colleagues at NortonLifeLock for their hard work. The sheer scale of activities like Dark Basin makes\r\ncollaboration essential.\r\nWe thank those that have requested to not be named, including TNG. 
You know who you are, and your hard work inspires\r\nus.\r\nSpecial thanks to Citizen Lab colleagues, especially Adam Senft, Miles Kenyon, Mari Zhou, and Masashi Crete-Nishihata.\r\nMany thanks to Peter Tanchak.\r\nThanks to The Electronic Frontier Foundation, especially Eva Galperin and Cooper Quintin.\r\nUpdated to reflect that Citizen Lab research, including the research featured in this report, is supported by multiple\r\nphilanthropies.\r\nAppendix A: Links to BellTroX\r\nThe appendix lists various additional links to BellTroX including social media postings and domain registrations.\r\nSocial Media Post\r\nOne of the domains we had observed Dark Basin using as a URL shortener was pushthisurl[.]com. A submission to\r\nVirusTotal from December 2016 contains an important clue towards attribution. The URL submitted to VirusTotal appeared\r\nto be very similar to phishing URLs deployed by Dark Basin:\r\nhttps://account.facebook.com.supportserviceonline[.]com/profile.php.id=100006944714691\u0026fref=hovercard.100006944714691\u0026lst=10000957285190\r\nThe highlighted section in this URL shows a parameter called adroid that contains a URL, http://pushthisurl[.]com/jb. In\r\nexamining the collection of phishing links and the phishing kit used by Dark Basin, we found that the adroid parameter was\r\nused to redirect mobile visitors to a mobile-optimized phishing page.\r\nThis URL suggests Dark Basin had been active earlier than we had observed. More importantly, the domain in this URL,\r\naccount.facebook.com.supportserviceonline[.]com also appeared in a now-deleted post on the Information Security forum\r\nwebsite Peerlyst.\r\nIn a screenshot of this post (Figure 10), a user who identifies himself as an employee of BellTroX InfoTech Services\r\nexplains a technique for creating a phishing page posing as a Facebook login screen. 
The poster provides two screenshots,\r\none of which displays the domain name account.facebook.com.supportserviceonline[.]com.\r\nNotably, this precise technique of using a subdomain which appears similar to a legitimate web service domain was used in\r\nvirtually all of the 27,591 phishing links we discovered in our tracking of Dark Basin activity.\r\nDomain Registrations\r\nDuring our research into the various infrastructure components of the Dark Basin activity, we noticed a unique recurring\r\npattern in many of the credential phishing URLs. Several examples are provided below, highlighted to show the pattern of\r\ninterest:\r\nhttp://login.reg.service-microsoftonline.hostname-mail-i.optionsothego[.]com/continue-http-rnd-maiiil.com-maiil.u.1.serviice-maiil.rpsnv.11-ct-13475230763454343764-rver.6.1.6206.1.5.rver.6.1.6206.0-wp-mbi.wreply-https/mb/?to=REDACTED\u0026msg=Sign%20in%20to%20continue%20to%20OneDrive\u0026red=//login.live.com/help\r\nhttp://login.service-microsoftonline.reg.hostname-mail-id.fastserverusa[.]com/continue-http-rnd-maiiil.com-maiil.u.1.serviice-maiil.rpsnv.11-ct-13475230763454343764-rver.6.1.6206.1.5.rver.6.1.6206.0-wp-mbi.wreply-https?to=REDACTED\u0026msg=Sign in to confirm your age\u0026red=//youporn.com\u0026adroid=\r\nhttp://login-microsoftonline.auditionregistrationonline[.]com/continue-http-rnd-maiiil.com-maiil.u.1.serviice-maiil.rpsnv.11-ct-13475230763454343764-rver.6.1.6206.1.5.rver.6.1.6206.0-wp-mbi.wreply-https?to=REDACTED\u0026msg=\u0026red=//youtube.com/watch?v=2WRFwTChdMk\u0026adroid=\r\nWe found a VirusTotal submission of a URL hosted on the domain wsignin[.]info which contained this same string:\r\nUsing historic WHOIS registration data, we found that during the period between March 22, 2014 and August 26, 2014, 
the\r\nemail address serviceaccount373[@]yahoo.com was the registrant address for both wsignin[.]info and belltrox[.]org. An\r\ninternet archive screenshot of the belltrox[.]org domain (Figure 12) shows that belltrox[.]org was in fact the webpage of\r\nBellTroX InfoTech Services during this time period.\r\nAccording to historic domain registration data, the belltrox[.]org website was registered to this same email address between\r\nJuly 27, 2013 and November 29, 2014. After this date, the registrant email was changed to tech.belltrox[@]gmail.com.\r\nAppendix B: Indicators of Compromise\r\nCitizen Lab and NortonLifeLock are jointly releasing this list of Indicators of Compromise.\r\nSource: https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/"
	],
	"report_names": [
		"dark-basin-uncovering-a-massive-hack-for-hire-operation"
	],
	"threat_actors": [
		{
			"id": "1a933813-3deb-4d6f-8e0f-33b9187970f9",
			"created_at": "2023-01-06T13:46:39.147547Z",
			"updated_at": "2026-04-10T02:00:03.230111Z",
			"deleted_at": null,
			"main_name": "Dark Basin",
			"aliases": [],
			"source_name": "MISPGALAXY:Dark Basin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60b64223-652b-4177-a678-3d675b79cff4",
			"created_at": "2022-10-25T16:07:24.478235Z",
			"updated_at": "2026-04-10T02:00:05.004167Z",
			"deleted_at": null,
			"main_name": "Dark Basin",
			"aliases": [
				"Mercenary.Amanda"
			],
			"source_name": "ETDA:Dark Basin",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775791919,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db694411ef4ee379c2741ea6a28a6c91fc6e06cd.pdf",
		"text": "https://archive.orkl.eu/db694411ef4ee379c2741ea6a28a6c91fc6e06cd.txt",
		"img": "https://archive.orkl.eu/db694411ef4ee379c2741ea6a28a6c91fc6e06cd.jpg"
	}
}