If you woke up on Oct. 21 and wondered why portions of the internet were gone, the answer may run through HackForums.net.
Even if you’re not familiar with that name, you have most definitely heard of what the website’s members have done in the world of cybercrime.
One month ago, the code powering the Mirai botnet was freely published on HackForums. On Oct. 21, that botnet was partly responsible for one of the biggest distributed denial-of-service attacks of all time, targeting American internet infrastructure in several destructive waves throughout the day. Dozens of the world’s biggest internet companies went down, from Netflix to Twitter. The incident has inspired conversation from Washington to Silicon Valley about the profound insecurity and vulnerability of connecting devices to the internet.
Due to the attack, HackForums finds itself in the spotlight. Mirai is officially new territory for a website that’s used to mixed attention. The section of the site where users have long sold cheap and easy access to denial-of-service attacks was shut down on Friday, almost one week after Mirai’s biggest attacks grabbed the world’s attention.
Run on old-school forum software, HackForums has long been lit up with neon sign-like GIFs advertising botnets for sale, tools for stealing data, and hacking tools in active development. Many salesmen accept PayPal. The forum caters mostly to a young audience who are curious and occasionally malicious, but still learning.
Furthermore, HackForums is the kind of internet community that can seem impenetrable, even incomprehensible, to outsiders. It has a reputation for being populated by trolls, chaos-driven children and brazen criminal activity. It can, at any given time, count plenty of undercover police as watchful inhabitants. Despite it all, HackForums not only persists but, seven years after launch, stubbornly continues to matter.
Blackshades RAT was a famous piece of malware created and marketed chiefly on HackForums in the site’s earlier days. A Remote Access Trojan (RAT), Blackshades helped hackers take complete control of their victims’ computers. Blackshades was given a slick Adobe-inspired user interface, some glossy marketing, and sold to HackForums users. Journalist Brian Krebs called it “a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag.”
First created by a clever teenager on HackForums, Blackshades went on to be a small worldwide sensation. In the West, it was used to hack Miss Teen USA and eight other women, not to mention thousands of other victims. In the Middle East, it was used by the Syrian regime to target dissidents and rebels in the early days of the Syrian Civil War’s cyberwar. The malware’s sales shot north of $350,000, according to the FBI.
In many ways, Blackshades is indicative of HackForums’ ethos: a clever kid got bored, wanted to make some cash and ended up in a dark place.
Allison Nixon, Director of Security Research at Flashpoint, told CyberScoop that she sees parallels between traditional criminology, the study of gangs and the hacking world present on HackForums.
“You have a bunch of kids, not a lot of adults, and some people have their own predispositions, and sometimes there is not a lot of guidance to steer that in a productive direction,” Nixon said. “You see gangs end up forming. There are these online street gangs so to speak, some of them can get pretty destructive in the same way you have violent street gangs in a neighborhood. The individuals themselves may become part of such a gang in order to get a sense of community, a sense of safety, or perhaps something to do because they’re bored. It seems like there’s a lot of parallels.”
“It follows a sociological norm both in the cyber world and in the physical world,” Flashpoint researcher Zach Wikholm said.
A few years ago, Krebs was less generous, calling the website “a forum that is overrun with teenage wannabe hackers who spend most of their time trying to impress, attack or steal from one another.”
Blackshades was just one piece of malware marketed on the site’s subforums, which have been responsible for multiple millions of dollars in sales over the last seven years.
The funny thing about cybercrime is that an attacker does not need to be an advanced persistent threat with piles of money or a nation-state sponsor behind them in order to have a big impact. Clever or merely chaos-driven kids who get their hands on the right code and scripts — weapons in a certain context — can pretty easily land an outsized blow on the target of their choosing.
In the case of teenage boys — a dominant chunk of HackForums’ population — those targets can become predictable.
A week after the massive DDoS attack on managed DNS service provider Dyn, Flashpoint researchers confidently argued it was connected to the HackForums community, where the Mirai code was first released. After having watched and analyzed the website for years, the researchers’ argument was founded in HackForums’ social norms: The new Mirai attackers cursed just like HackForums kids curse. They harassed the same people. They targeted the same kind of companies.
“When you look at who is attacking gaming companies, you don’t see profit-motivated actors doing it, you don’t see nation-states doing it — they don’t care about video games for the most part,” Nixon told CyberScoop. “What you do see is these HackForum skiddie-type people doing it.”
A “skiddie” is short for script kiddie, an insult hurled at unsophisticated individuals who use other people’s scripts and programs to launch cyberattacks. They may fancy themselves hackers, but they’re considered to be the scene’s bottom feeders.
The Oct. 21 attacks hit a wide range of targets, including, most interestingly for Nixon, video game companies. That was a big red flag.
“They do it for notoriety,” Nixon explained. “A lot of the people who are engaged in this type of activity, they’re typically young teenage or adult people who have something to prove. In order to make oneself seem powerful is to take down someone who is also seen as powerful. It’s seen as a power play.”
Besides being a place where kids can get their very first cyber weapons, HackForums is where they can get their education. For every malware salesman, there are ten young kids and adults talking and learning with each other about code and security. Numerous HackForums regulars — who have gone on to become security and IT professionals across the tech industry — do not want to talk on the record about their old haunt.
“Most of the stuff that goes in the HackForums community is not anything that even us non-lawyers would call illegal,” Nixon stressed. “The vast majority of it is just fine, there’s a lot of computer enthusiast type stuff going on there. A lot of the actual so-called hacking is more about learning how computers work, learning how exploits work, which is an important part of some people’s career development. Pen testing is a legitimate profession and HackForums does have resources that can be useful for pen testers. I think there’s a lot of potential for communities like this where young enthusiasts help each other and teach each other.”
Created and owned by 46-year-old Las Vegas resident Jesse LaBrocca, HackForums has repeatedly found itself under intense scrutiny. Whether it was the FBI trying to buy the site out, or selling malware that ends up in the hands of oppressive governments half a world away, what happens on HackForums makes waves in the wider world.
That all adds up to LaBrocca — known online as Omniscient — being viewed as a demagogue to an army of kids, young adults, and amateurs who pay for special perks and access that make HackForums the weird, profitable and enduring enterprise it’s become.
LaBrocca is a shotgun-style entrepreneur. In the last few decades, he’s started hundreds of businesses — most of which are online — all over the United States. That includes a video game store in Manhattan (Multimedia 1.0), hundreds of websites and forums and a “cutting edge” bi-monthly gaming magazine (Foul Magazine) aimed at “hardcore adult gamers.”
The magazine, which won a 2008 Best in NYC award from the Village Voice, earned LaBrocca his first mainstream attention. The then-31-year-old founder included a Hot Chick Centerfold in every issue and explainer articles like “How to Get Laid at E3.” He told Spin Magazine in 2002 that Foul’s unofficial motto was “striving to offend, refusing to care.” On a video game review website LaBrocca ran called GameTour.com, he once wrote that his favorite character is “Wario, because he is evil.”
But the New York City chapter of LaBrocca’s life ended a few years later when he closed Multimedia and moved to Las Vegas with four kids and a wife.
It’s HackForums that stands out far above the rest of LaBrocca’s creations.
The site has been the focus of intense law enforcement scrutiny almost since it launched. A federal agent posing as a hacker named “m4v3r1ck” tried to buy HackForums from LaBrocca in 2012. The deal was to turn HackForums into a “black hat” website, explicitly and directly promoting and profiting from illegal hacking and fraud.
LaBrocca declined the sale, but entered into a partnership where he promoted a website that led many HackForums users straight to the FBI, netting the Bureau dozens of arrests in 13 countries. While users openly admitted their hacking and fraud crimes on the sister site, LaBrocca himself deftly avoided problems by not committing any crimes. Instead, he merely profits off of a website that can facilitate them.
Like plenty of big, social websites (e.g. Craigslist, Pastebin, Twitter), HackForums sees users post thinly-veiled criminal content. LaBrocca himself, however, can’t be held legally responsible for most of it.
Web hosts have an extremely low risk of exposure to criminal liability when it comes to what their users do, New York-based lawyer Tor Ekeland told CyberScoop. Section 230 of the 1996 Communications Decency Act — considered by the Electronic Frontier Foundation as “one of the most valuable tools for protecting freedom of expression and innovation on the Internet” — states that online services cannot be liable for third-party content. LaBrocca is under little or no legal obligation to act even if his site has an international reputation for facilitating criminal behavior.
HackForums users themselves, mostly young, have developed a legal mythos that doesn’t quite match up with reality.
“They have their own idea about what’s legal and not legal,” Nixon said. “A very prevalent belief on certain parts of that forum is that the idea that server stress testing,” the act of users paying for DDoS attacks, “is legal because they put in their terms of service you’re only allowed to test on your own servers and that totally means they’re in the clear. That’s what their belief is. I don’t think the FBI agrees with that.”
To dispel that myth, you only have to look to earlier this month when two teens were indicted by the FBI for DDoS attacks and services that targeted — what else? — online gaming services.
But the damage left in Mirai’s wake has caused the forum’s leader to intervene. In a bid to protect the rest of the community, the so-called “Server Stress Testing” section has been shuttered. The site’s botnet section, which is where Mirai’s source code was originally released, remains open.
“I’m personally disappointed that this is the path I have to take in order to protect the community,” LaBrocca wrote. “I loathe having to censor material that could be beneficial to members. But I do need to make sure that we continue to exist and given the recent events I think it’s more important that the section be permanently shut down.”
Even as Mirai has experts urgently crying for action, LaBrocca, who did not respond to an interview request, continues to sit atop a strange and successful empire.
“There’s actually a lot of people in the community that have a natural aptitude for picking this stuff up,” Nixon concluded. “There’s actually some really brilliant stuff that’s happening. The issue is there’s not a lot of guidance. Any situation where you have a whole lot of kids and not a whole lot of adults, well, some of the kids go off the deep end.”