A multibillion-dollar industry has been thriving in the shadows of the internet, influencing geopolitics, whole economic sectors, and even the livelihoods of average netizens.
For as long as there has been an internet, there has been cybercrime, but never has it been more virulent than it is now, or more lucrative.
While the full scope of cybercrime is by nature elusive, a recent report by the FBI’s Internet Crime Complaint Center pegged potential losses by Americans in 2021 at $6.9 billion, a $2 billion jump from the previous year.
“There is a very thriving community of threat actors that are earning billions of dollars every year from cyberattacks — which is the new form of being a thief, a burglar, where you can take something that is not yours and try to make money off of it,” says Yochai Corem, CEO of Cyberint Technologies Ltd., an Israel-based company specializing in cyber-intelligence.
Often these nefarious cyber-actors — known as “cyber-mercenaries” due to their hacker-for-hire business model and reputation of being willing to do things wildly outside the bounds of the law — act as third parties that execute operations like large data breaches, credit card fraud and identity fraud on behalf of crime syndicates or nation-states.
Within the Israeli security sphere, there are several companies that offer the services large corporations and governments require to fight cyber-mercenaries. Corem’s Cyberint is one of them.
Founded in 2010, the company focuses on tracking cyber-mercenaries and threat actors, exposing them and alerting entities both public and private of their presence. The Petah Tikva-based company raised $40 million in a Series C round in June.
“Our goal in cyber is actually to be able to identify this commerce, this communication between hackers, and any other early indication that will give us the knowledge that something is ongoing, and potentially allow us to fix it before it becomes a problem,” Corem told The Times of Israel in a recent interview.
An eagle-eyed view
Earlier this year, a new threat actor popped up on the scene. Dubbed the “Atlas Intelligence Group” (also, Atlantis Cyber Army), it is led by a mysterious figure who goes by the name Mr. Eagle.
Hacking collectives spring up all the time on the cyber black market. But Atlas was a curious case.
Cyberint researcher Shmuel Gihon has been tracking the group for several months. He published a post this summer titled “Atlas Intelligence Group (A.I.G) – The Wrath of a Titan” that detailed its activities.
“I witnessed Atlas first in an underground forum and a couple of underground Telegram channels around May. They were trying to build a business model that makes them pretty much unique [in the cybercrime arena],” Gihon told The Times of Israel.
Many illicit enterprises only offer one or two services — things like distributed denial of service (DDoS) attacks, which overload a webpage with traffic to take down servers, or hacking databases — but Atlas offered a full menu of services.
Its DDoS attacks were one of its most popular services, and it provided solid proof of execution for €20 ($19.52) per victim, Gihon found. Atlas also offered leaked databases from all over the world, and in different sectors like finance, government, education, manufacturing, and tech, starting at €15 ($14.64).
“That’s pretty much what makes them interesting in my eyes, so I tried to follow them and try to infiltrate their private groups to try to understand pretty much what they’re all about,” Gihon said.
By July, Atlas had spread like a virus, its reach extending to the United States, Israel, the United Arab Emirates, Pakistan, and Colombia, he added.
Two more key elements stood out to Gihon. Atlas offered “VIP services” that allude to access or connections at large global institutions, and its operational structure was unusual for cybercriminals.
Cyberint’s research unveiled an ad from Atlas that claimed established connections with European law enforcement, enabling the company to access and procure sensitive information about selected targets. The ad offered access to Germany’s police database to search for private addresses and personal information through police stations.
This ability (and the working assumption is that Atlas is being honest with this claim) shows how deep its ties go and how far-reaching this collective is, even outside of the cyber-sphere, Gihon said.
Most notably, the group appeared to be organized much like a spy agency unit: a top-down hierarchy where only its leader, Mr. Eagle, seemed to know the full scope of the operation at play, while the rest of the threat actors are essentially hired guns carrying out tasks based on specific capabilities but on a need-to-know basis.
“What I discovered was that the structure of the group is pretty interesting, because they have one leader, and everyone is behind him. He is the only mastermind of the plan, he’s the only mastermind of the campaigns that they’re conducting,” Gihon said.
The segregation between the operatives based on capabilities “keeps all those doing the ‘dirty work’ in the dark,” Gihon wrote in the post. “Applying this technique results in a high level of operations security [OpSec] for the operators and helps them avoid ongoing relationships with other threat actors.”
A penchant for hacktivism
In addition to its profitable business side, Atlas also seems to harbor a hacktivism ethos. One of the group’s side projects is exposing pedophiles via doxxing, publishing identifying information about where they live or work.
“Now, it’s not something that we were used to seeing. There are a lot of vigilantes around the world that this is their purpose,” Gihon said. “But you don’t see cybercriminal gangs and cybercriminal groups, you don’t see them going after pedophile stuff like that.”
According to Gihon, the group has released the personal information — including addresses, pictures, and home phone numbers — of alleged pedophiles in several European countries.
Gihon believes Mr. Eagle and their deputies are European. “My gamble is that they’re from a European-based country, and a very developed one… France, and Germany… these type of countries.”
Earlier this month, Atlas Intelligence Group was one of several hacking groups that used their networks to help protesters in Iran amid a violent government crackdown on a women-led movement demonstrating against the regime’s violent theocracy. The protests, which have rocked the country for over a month, were sparked by the death of 22-year-old Mahsa Amini after her arrest for allegedly violating the country’s strict dress code for women. Authorities have restricted internet access and criminalized the sale of virtual private networks (VPNs) used to skirt these restrictions.
Israeli cybersecurity giant Check Point reported in early October that hacker groups have been taking to encrypted social media channels and the dark web to help the protestors bypass regime restrictions and communicate. Atlas has been leaking data such as officials’ phone numbers and emails, as well as maps of sensitive locations. There’s a premium on information for members of the Islamic Revolutionary Guard Corps (IRGC) and its paramilitary force, the Basij.
Following the publication of his post outing the group, Gihon said Mr. Eagle — or someone posing as the alleged ringleader — made contact.
“After we published the report, Mr. Eagle understood that we are inside his inner circle in a way,” he said. “And he wanted us to reach out to him, he wanted to talk.”
Rather than threatening, Gihon said, Mr. Eagle came off surprisingly upbeat.
“‘Hey, I heard you’re looking for me,’ Gihon recalled Mr. Eagle saying. “And he’s pretty much just complimenting us. That’s pretty much what he did, to be honest. And he was like, ‘That was a great, great job that you did there, I really enjoyed it,'” Gihon said.
The reaction highlighted one of the dangers of publishing research into criminal groups, which can end up providing these formerly little-known organizations with publicity and credibility.
Gihon said he tried to parlay Mr. Eagle’s willingness to talk into obtaining further insight into the organization, with limited success.
“He’s very, very careful about his anonymity. So he didn’t share too much information about where he is from. But he did shed some light about things, about his relationship with the other members of the group and the relationships of the group with other entities, such as government.”
(Mr. Eagle’s claims cannot be independently verified by The Times of Israel. Any of his claims are muddied by the fact that Mr. Eagle’s very purpose is to obfuscate and avoid detection.)
The new warfare
While some of the world’s most powerful hacking groups are backed by state governments — and are often used to carry out large-scale attacks that can paralyze infrastructure and affect wide swaths of people — most cybercrime is actually carried out by independent hackers looking for a score.
“If you look at most breaches, they’re not coming from very sophisticated nation-state groups. They’re coming from cyber criminals with the intent of making money,” Ophir Bleiberg, VP product and R&D at Cyberint, told The Times of Israel.
“Those are going to be the ones who hit the banks.”
While Atlas bears the hallmarks of a freelance criminal network, there also appears to be a symbiosis between it and certain governments who might seek out its services, according to Cyberint.
Mr. Eagle said that most of the group’s income comes from government entities that hire their services, according to Gihon. He also claimed to have strong connections, particularly in the United States and Germany.
Gihon provided a hypothetical example of the National Security Agency, the US intelligence agency made infamous by whistleblower Edward Snowden.
“If, for example, the United States wants to conduct a campaign against an ally [for espionage]. They don’t want to be linked to any group. So they have to hire underground mercenaries, underground groups, such as [Atlas Intelligence Group], in order to do the dirty work for them,” he explained.
The surreptitious relationship between cyber-mercenaries and government agencies has surfaced in recent years, putting a spotlight on the vigilantism that global powers sometimes engage in.
In 2016, Russia’s Internet Research Agency was exposed as an unofficial arm of the Kremlin’s propaganda machine, using online bots and other methods to influence the US presidential election and sow divisions.
The Ukrainian-Russian war has brought a new dimension to decentralized hacking activism, allowing anybody with enough desire and computing power to impact major economic and military institutions.
“Many people who think what Russia is doing is wrong and think that they can join the fight, they’re going to commit for Kyiv, and put their computer on their knees and start trying to hack the Central Bank of Russia,” Corem, Cyberint’s CEO, said.
While on the macro scale there are real concerns affecting geopolitics or global economies, the true impact of cybercrime is usually more individualized. And as more entities like internet companies gather and store our data and connectivity access, there is not enough awareness of the risks, said Corem.