Special edition: The Rise & Fall of Darkside

🌠 How many Star Wars jokes will we make?

🎉 We’re hiring! Come join Helen and John in building Intrigue Media. We have paid opportunities to work on our team as a content creator or a growth hacker.

🎧 You can listen to this week’s story on SpotifyApple Podcasts, or your favourite podcast player.

❤ Please click that little heart at the very top of the page - it’s like paying us, but for free.

📧 A warm welcome to our 21 intriguing new subscribers this week! Join them here:

Good morning!

It's official. The Aperol spritzes are flowing, restaurants have reopened, Summer Fridays are a thing again, and even music concerts have returned. Tom Hanks has a message from all the way back in 2019:

Let’s all listen to that global treasure and reclaim our sense of absurdity and joy.

Let’s also remember that many places around the world are still very much in the thick of the Covid-19 hell, even as those of us in vaccinated countries party like it’s… well anytime before March 2020.

This week we bring you a special edition:

🌑 The rise and fall of Darkside:

  • what is ransomware-as-a-service?

  • why might outsourcing hacking be a smart geopolitical strategy? 

  • and what does regulating cryptocurrencies have to do with any of it?

Our special editions tend to be a little longer, but stick with us because we really think you'll enjoy it! And if you just want to cut to the chase, you can scroll to the bottom of Part 2 for the key takeaways in <2 minutes.


🌑 Part 1: Darkside emerges

By John + Helen

What is Darkside?

Darkside is a hacker group that was ‘founded’ in August 2020. They hit the mainstream media in May after their ransomware attack shut down the Colonial Pipeline (CP) in the Eastern US.

Darkside earned $90m worth of Bitcoin in ransoms, extracted from 47 targets, from August 2020 to May 2021.

But Darkside is more than a band of dastardly hackers - the group has built a ‘ransomware-as-a-service’ (RaaS) platform. The platform allows third party customers to launch ransomware attacks against private companies.

Think of it as the grown-up equivalent of passing a note to Jimmy via Bobby, telling Jimmy to give you his lunch money otherwise you’ll tell Sandra he smells - your attack cripples the intended target, compels the payment of money, and the middleman takes all the heat 😇.

But just in case you thought these guys were a**holes, fear not… they have a code of conduct:

We didn’t WANT to write about Russia again, but…

Darkside is for Russians, by Russians.

Most news reports point out that Darkside is not associated with the Russian government. But Western intelligence agencies and private cybersecurity firms have said with medium to high confidence that Russia’s GRU (foreign military intelligence agency) at the very least gives its blessing behind the scenes to Darkside’s operations.

So, if the Russian government allows Darkside (and similar groups) to operate within its borders, we should expect Darkside’s targets to generally align with Russian geopolitical goals…

… вуаля! (which we are reliably informed = ‘et voila!’ in Russian):

  1. Russia and Germany: the two countries regularly clash over issues like the Nord Stream 2 pipeline, Alexei Navalny, and Ukraine 👉 in 2020, German companies paid the highest average ransom per attack.

  2. Russia and the US: let’s just say that Russia dislikes most things about the US, at most times 👉 71% of US targeted companies ended up paying a ransom, the highest proportion in the world.

  3. Russia and the EU: there are long-standing issues such as NATO, sanctions, and trade 👉 Spanish, French, Belgian, and Irish companies were among the most targeted by ransomware in 2020.

  4. Oh, and Darkside has never attacked a company in Russia or (as far as our research could tell) a former-USSR country.

Ah yes! But correlation is not causation you say -  those countries also happen to be home to the companies most able to pay the highest ransoms.

Fair point, but there's a bigger strategy behind it all.

The geopolitical advantages of 'outsourced' cyber attacks on private companies

  1. Outsourced cyber attacks are not state-on-state attacks

A private RaaS platform facilitating attacks on seemingly unrelated private companies is very hard to view as 'an act of war'.

But, taken on aggregate, a campaign of cyber attacks on private companies targets economies and does real strategic harm over the long term. If not death by a thousand cuts, then serious economic loss by millions of lines of code.

And remember Darkside's code of conduct 👆?

That isn’t just some weird honour among thieves - these are the kinds of targets that, if attacked, would cause a world leader to pick up the phone to Vladimir the Unpleasant and demand satisfaction.

  1. Therefore, outsourced attacks are far harder to stop

Most countries have underinvested in cyber defences in favour of offensive tools built to create a ‘mutually assured destruction’ dynamic.

This strategy works for nuclear threats because nuclear attacks can’t be safely outsourced to a private, non-government militia.

The problem is, cyber attacks can be outsourced with very little damage to the ‘host’ government. And because an outsourced cyber attack is very hard to definitively call a ‘state-on-state’ attack, it is far less likely to attract the credible threat of massive retaliation.

And if an outsourced cyber criminal group accidentally attacks a nationally important target…

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not creating problems for society [sic]

- Darkside, statement posted to the dark web following the Colonial Pipeline attack

… best to reassure everyone that it wasn’t a geopolitical attack.

  1. The attacks can be plausibly denied, and then used as a bargaining chip in future negotiations

Plausible deniability doesn’t mean plausible innocence.

It just means that there’s enough doubt that we don’t know for sure who committed the attack and why. In fact, a well-placed source leaked us a recent transcript that demonstrates this perfectly:

President Biden: Hello Mr. President, we need to talk about your military code wizards casting spells on our honest-as-apple-pie oil companies. What did we ever do to you, apart from you know, collapse you?

President Putin: What do you mean our military? These are criminals, just like you have on say… Wall Street. Our poor comrades are only attacking these companies because they are so rich.

President Biden: President Putin, I’m 143 years old, you can’t pull the wool over my eyes. The worms your comrades are breeding in our fleet of integrated business machines and must be squished.

President Putin: You are a wise old sage Mr. President, but we honestly don’t have enough resources to build my Black Sea Palace and catch the hackers. Perhaps if you really want us to spend so much time and money on fixing your problems, you will consider fixing some of ours in return…

Enough about Russia, why is ransomware 'suddenly' in the news?

To be clear, Russia is far from the only country that launches cyber attacks.

For example, 88% of Saudi Arabian companies reported they were targeted by ransomware attacks in 2020. Saudi Arabia and Iran are bitter rivals, and the latter is a noted hub for ransomware criminals. But these hacks are less likely to make headlines in Western media than Russian hacks on Western targets.

So is the only reason we’re hearing more about cyber attacks because they are becoming more common and more severe? Perhaps, but we think there’s another reason:


🌑 Part 2: Targeting Bitcoin: the fall of Darkside?

Yes, Bitcoin. Again. Don’t blame us, blame the memes.

We've written about how governments are reacting to the threat of cryptocurrencies, but not about why cryptocurrencies pose such a threat.

The Bitcoin threat

Power is derived from money in modern free market economies. Not only from having money, but from seeing where all money is at all times.

  1. 🏛 Governments

Governments want to be able to see the movement of all money in their economic systems. This allows the government to derive accurate data about the economy, and more importantly, to maintain a monopoly on the supply of money.

For regular currencies, money is tracked via ‘know your customer’ laws and other financial disclosure requirements.

👉 Bitcoin threatens governments because transactions are pseudonymous. Plus, Bitcoin can be kept in 'cold storage', away from the prying eyes of the internet and government.

  1. 💵 Financial institutions

Knowing where money is at all times allows financial institutions to create financial products, which produce consistent and repeatable profits.

Take, for example, gold. Most people don't care about owning physical gold, they care about having exposure to the price of gold.

So financial institutions invent and sell financial products like gold ETFs - the customer gets exposure to the price of gold, and financial institutions can sell almost infinite amounts of these gold-related financial products.

Think of it like a sports game: there is only one game and one outcome, but there is almost no limit to the amount of money a betting agency can make by taking bets on that game.

👉 Bitcoin threatens financial institutions because it rejects the intermediation of money. Instead, Bitcoin was created with a powerful narrative about returning to money as a simple means of exchange, without the need for banks as middlemen.

Ok, back to reality - put on your politician's hat

Your mission: regulate Bitcoin by bringing it under ‘know your customer’ type laws.

Why: because your central bank advisors and your hedge fund donors are telling you Bitcoin threatens everything (read: their summer houses).

Conditions: voters are generally sceptical of government intervention, so this regulation must be seen as good and necessary.

Your first step: build a narrative...

Darkside, Ransomware, and Bitcoin

You might have wondered why we are writing about Darkside and Bitcoin together.

Call us simplistic, cynical, or both, but the easiest way to pass a law is to appeal to people’s wallets, or their fears.

Even better, do both in one fell swoop:

Cryptocurrency has created opportunities to scam investors, assist criminals and worsen the climate crisis. The threats posed by crypto show that Congress and federal regulators can’t continue to hide out, hoping that crypto will go away.

- Senator Elizabeth Warren, June 9

**chef’s kiss**

Senator Warren is very smart. She knows that if the goal is to regulate cryptocurrencies, the most powerful narrative is the one with the scariest mix of fear and money, and the one that is the least offensive to regulation-averse folks.

That’s why one of the most powerful narratives about why we must regulate Bitcoin is that Bitcoin enables Russian cybercrime. You don't want your family to get scammed, do you? You don't want the Russians to win, do you?

Ok, but cryptocurrencies still should be regulated, right?

We don’t know. Maybe? Probably?

There’s no doubt that ransomware attacks are made far easier by the efficiency and pseudonymous nature of cryptocurrencies.

But it's not like cryptocrimes are totally beyond the reach of international law enforcement - the US Justice Department managed to recover $2.3m of the ~$4.4m paid to Darkside in the CP hack. There are even reports that Darkside has shut up shop as a result.

Let’s be clear-eyed: cryptocurrencies aren’t the reason that Russia (or any other country) allows cybercriminals to operate freely within its borders.

State-sanctioned cybercrime is increasing because Russia, China, Europe, and the US are re-entering a world of geopolitical competition, and distributed cyber attacks are arguably the 21st century analogue of the CIA selling arms to the Mujahideen in Afghanistan during the Cold War.

As we've been saying for a while, this is our new reality. That means cyber attacks are probably going to get worse before they get better, and they will likely happen in whichever country you're currently reading this.

Our tip? Invest in cybersecurity firms - they're about to get very busy.

⏩ tl;dr: the rise and fall of Darkside

Darkside is a new ransomware-as-a-service platform based in Russia

  • it allows third party customers to attack and extort private companies. Darkside takes a cut of the ransom money

  • it operates in Russia, most likely with the implicit approval of the Russian government

Allowing criminal hacking groups to prosper has significant geopolitical advantages

  • outsourcing cyber attacks allows the Russian government to attack foreign targets with plausible deniability

  • ‘cracking down’ on these criminal groups becomes a bargaining chip that Russia can use to extract concessions from its geopolitical rivals

The rise of ransomware attacks is a real problem

  • cryptocurrencies make it more efficient for criminals to extract and cash out ransoms

  • Darkside has extracted ~$90m in Bitcoin payments in about 10 months of operation, and other groups have taken in even more

Almost all governments want to regulate cryptocurrencies

  • cryptocurrencies are an existential threat to government control of money, and a threat to the sustained profit margins of financial institutions

  • few people would accept an outright ban cryptocurrencies, so the goal for regulation is to carefully bring them under the ‘control’ of governments

The best way to regulate cryptocurrencies is to build a narrative that they are dangerous

  • That’s why there have been so many stories about how Bitcoin is ‘fuelling’ the ransomware industry and cybercrime more generally

  • One of the main reasons that groups like Darkside have risen to prominence is increased geopolitical competition, which means cyber attacks will likely get worse before they get better

What did you think of this week’s edition?

😍 😴 👎

➕ Extra intrigue

🔎 Intriguing recommendations

💁🏻‍♀️Helen + 👴Johnstarting next week, Intriguing recommendations is where we're going to start featuring companies we love.

Ultimately, we need to start paying our bills. Based on conversations with you, our readers, partnering with companies we like and think you might enjoy too is the best way to earn a crust.

Here's our promise to you:

  • We won't recommend anything to you that we don't or wouldn't use ourselves.

  • We will always be open and tell you that it is a paid sponsorship.

  • We will always listen to your feedback to ensure that our intriguing recommendations actually add value to your experience.

We'd love you to show support to our sponsors. They help us keep our writing accessible and free. Just like each of you, our sponsors are showing great faith in backing a small media start-up. So, please do check them out and let us know what you think!

If you'd like to sponsor an edition of International Intrigue, we'd love to hear from you!

Thanks for reading!

👋 Say hi by tweeting us @intintrigue, replying to this email, or dropping a comment below.

📢 Please share our work! We’ve even prepared a tweet for you to share if you’re so minded. Thank you.

Until next week!