The Shrouded Horizon investigation against the Darkode cyber criminal forum involved law enforcement agencies in 20 countries.

Members Arrested in 20 Countries

It was, in effect, a one-stop, high-volume shopping venue for some of the world’s most prolific cyber criminals. Called Darkode, this underground, password-protected, online forum was a meeting place for those interested in buying, selling, and trading malware, botnets, stolen personally identifiable information, credit card information, hacked server credentials, and other pieces of data and software that facilitated complex cyber crimes all over the globe.

Unbeknownst to the operators of this invitation-only, English-speaking criminal forum, though, the FBI had infiltrated this communication platform at the highest levels and began collecting evidence and intelligence on Darkode members.

The Department of Justice and the FBI—with the assistance of partners in 19 countries around the world—announced the results of Operation Shrouded Horizon, a multi-agency investigation into the Darkode forum. Among those results were charges, arrests, and searches involving 70 Darkode members and associates around the world; U.S. indictments against 12 individuals associated with the forum, including its administrator; the serving of several search warrants in the U.S.; and the Bureau’s seizure of Darkode’s domain and servers.


This message (left) was displayed on the Darkode homepage after the FBI seized its web domain and servers.

Said FBI Deputy Director Mark Giuliano, “Cyber criminals should not have a safe haven to shop for the tools of their trade, and Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities.”

During the investigation, the Bureau focused primarily on the Darkode members responsible for developing, distributing, facilitating, and supporting the most egregious and complex cyber criminal schemes targeting victims and financial systems around the world, including in the United States.

The Darkode forum, which had between 250-300 members, operated very carefully—not just anyone could join. Ever fearful of compromise by law enforcement, Darkode administrators made sure prospective members were heavily vetted.

As alleged in the charging documents, Darkode was an online, password-protected forum in which hackers and other cyber-criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful intrusions on others’ computers and electronic devices. Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group. Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware and, thereby gain access to, and control over, those devices.

Similar to practices used by the Mafia, a potential candidate for forum membership had to be sponsored by an existing member and sent a formal invitation to join. In response, the candidate had to post an online introduction—basically, a resume—highlighting the individual’s past criminal activity, particular cyber skills, and potential contributions to the forum. The forum’s active members decided whether to approve applications.

Once in the forum, members—in addition to buying and selling criminal cyber products and services—used it to exchange ideas, knowledge, and advice on any number of cyber-related fraud schemes and other illegal activities. It was almost like a think tank for cyber criminals.

The following defendants face charges in the Western District of Pennsylvania:

Johan Anders Gudmunds, aka Mafi aka Crim aka Synthet!c, 27, of Sollebrunn, Sweden, is charged by indictment with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. He is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to create botnets. Gudmunds also allegedly operated his own botnet, which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.

Morgan C. Culbertson, aka Android, 20, of Pittsburgh, is charged by criminal information with conspiring to send malicious code. He is accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was allegedly offered for sale on Darkode.

Eric L. Crocker, aka Phastman, 39, of Binghamton, New York, is charged by criminal information with sending spam. He is accused of being involved in a scheme involving the use of a Facebook Spreader which infected Facebook users’ computers, turning them into bots which Crocker controlled through the use of command and control servers. Crocker sold the use of this botnet to others for the purpose of sending out massive amounts of spam.

Naveed Ahmed, aka Nav aka semaph0re, 27, of Tampa, Florida; Phillip R. Fleitz, aka Strife, 31, of Indianapolis; and Dewayne Watts, aka m3t4lh34d aka metal, 28, of Hernando, Florida, are each charged by criminal information with conspiring to send spam. They are accused of participating in a sophisticated scheme to maintain a spam botnet that utilized bulletproof servers in China to exploit vulnerable routers in third world countries, and that sent millions of electronic mail messages designed to defeat the spam filters of cellular phone providers.

Murtaza Saifuddin, aka rzor, 29, of Karachi, Sindh, Pakistan, is charged in an indictment with identity theft. Saifuddin is accused of attempting to transfer credit card numbers to others on Darkode.

The following defendant faces charges in the Eastern District of Wisconsin:

Daniel Placek, aka Nocen aka Loki aka Juggernaut aka M1rr0r, 27, of Glendale, Wisconsin, is charged by criminal information with conspiracy to commit computer fraud. He is accused of creating the Darkode forum, and selling malware on Darkode designed to surreptitiously intercept and collect e-mail addresses and passwords from network communications.

The following defendants face charges in the District of Columbia:

Matjaz Skorjanc, aka iserdo aka serdo, 28, of Maribor, Slovenia; Florencio Carro Ruiz, aka NeTK aka Netkairo, 36, of Vizcaya, Spain; and Mentor Leniqi, aka Iceman, 34, of Gurisnica, Slovenia, are each charged in a criminal complaint with racketeering conspiracy; conspiracy to commit wire fraud and bank fraud; conspiracy to commit computer fraud, access device fraud and extortion; and substantive computer fraud. Skorjanc also is accused of conspiring to organize the Darkode forum and of selling malware known as the ButterFly bot.

The following defendant faces charges in the Western District of Louisiana:

Rory Stephen Guidry, aka k@exploit.im, of Opelousas, Louisiana, is charged with computer fraud. He is accused of selling botnets on Darkode.

The charges are part of a coordinated effort by a coalition of law enforcement authorities from 20 nations to charge, arrest or search 70 Darkode members and associates around the world. The nations comprising the coalition include Australia, Bosnia and Herzegovina, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia, Sweden, the United Kingdom and the United States. These actions represent the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum.

Operation Shrouded Horizon is a prime example of why the most effective way to combat cyber crime—which operates globally—is a law enforcement response that also transcends national borders.   back...