On July 13, 2020, several reporters began running stories of a hack on Night Lion’s Shadowbyte platform, claiming that stolen data began appearing on several marketplaces. Until now, details of this hack have been intentionally kept quiet while we worked with law enforcement agencies behind the scenes on a global investigation. Shortly after news of the hack began circulating, the Night Lion team compiled and shared a report internally explaining the details surrounding this “hack”.

This report is now available as a free download at the bottom of this blog post.

What Actually Happened

“It’s entirely possible this incident is an elaborate and cynical PR stunt by Troia to somehow spring a trap on the bad guys.” – Brian Krebs

As confirmed by the attacker’s blog post, admin credentials were left available in our unpublished API documentation. Night Lion leaked this information to another threat actor knowing the information would reach our intended target: Megadimarus (aka NSFW, aka TheDarkOverlord).

The attack came just days before Troia’s keynote talk at SecureWorld Boston, in an effort to discredit his research revealing the identities of the group members.

“Revenge is mine, saith a hacker. No big deal, saith a researcher.” – Dissent, Databreaches.net

How the Honeypot Helped

Actually, yes. As described in our investigation report on The Dark Overlord hacking group, this was the first time we were able to conclusively link all members of TheDarkOverlord, GnosticPlayers, and Shiny Hunters together. The IP used to access our systems was a dedicated IP address (not a VPN), making this a huge win. Ultimately, a short bout of bad press was worth definitive confirmation of the identities of the people responsible for 40% of non-credit card-related hacks over the last three years.

Once they realized they’d been duped, the group went underground for several months, resulting in ITRC reporting a significant year-over-year drop in hacks during Q3 of 2020, despite similar incidents trending upwards throughout the rest of the year. Coincidence? We don’t think so.

Download the Report

The report is available for a free download. Click the link below.