4:05 PMPakBugs Hackers arrested | Rahul Tyagi
(Thanks to Twitter friends - @nartv, @cedricpernet, @HostExploit - for setting me onto this story mostly by pointing to this article by Lucian Constantin over at SoftPedia, who had the English Language Scoop, as he often does.)
For Pakistani Hackers, July 7, 2010 will be remembered as the beginning of a fearful period in their lives. On that day, Mr. Shahid Nadeem Baloch, the Director of Cyber Crime Investigations for the Federal Information Agency announced the arrest of five ring leaders of the popular hacker forum "PAKBugs" in this release from the Press Information Department. Among those praised by FIA's Director General, Mr. Zafar Ullah Khan, for their roles in the investigation are Mr. Muhammad Idress Mian, who directs the National Response Center for Cyber Crimes (NR3C), Mr. Muhammad Raza, Cyber Crime Circle sub-inspector for the Rawalpindi Police, and NR3C Technical Officers Mr. Aun Abbas, and Mr. Amjad Abbasi.
The hackers arrested or wanted include:
Jawad Ehsan, alias Humza, still at large in Riyadh, Saudi Arabia.
Jawad uses the hacker handle ZombiE_Ksa, and is the founder of PakBugs and probably the most famous of all the PakBugs hackers. He is charged with 169 website defacements.
Ahmad Hafeez, arrested in Lahore.
Ahmad uses the hacker handle vergil, and is a moderator on the boards Pakbugs and Pakhaxorz. He is charged with 480 website defacements.
Hassan Khan, arrested in Peshawar.
Hassan uses the hacker handle x00mx00m, and is a co-founder of Pakbugs. He is charged with 8,697 website defacements.
Farman Ullah Khan, arrested in Bannu.
Farman uses the hacker handle Farman, and was a VIP-member of Pakbugs. Charges against Farman are unknown.
Malik Hammad Khalid, arrested in Rawalpindi.
Malik uses the hacker handle inject0r, and was a "super moderator" at Pakbugs. He is charged with 134 website defacements.
Taimoor Zafar Bhatti, arrested in Rawalpindi.
Taimoor uses the hacker handle h4v0c-, and was a "super moderator" at Pakbugs. He is charged with 105 website defacements.
Also wanted by the FIA Cyber Crimes Department are:
According to the press release:
These individuals have expertise in following techniques:
What the press release doesn't mention is that the NR3C's own website was hacked by these website defacers in January of this year. (image from MastiKorner.com - click image to see original defacement courtesy of Zone-H archive)
In that defacement the Pakbugs hackers suggest that if Pakistani citizens want help with security issues they should turn to Pakbugs rather than the NR3C.
The NR3C defacement was signed:
We are L33t Pakistani H4x0rZ,
That is actually the last website defacement credited to ZombiE_Ksa in the Zone-H archives, although his activities in 2009 included hacking numerous ".gov.pk" websites, temporarily taking over nameservers on the ".ug" registrar to allow defacements of the Ugandan websites for Microsoft, Toshiba, CNN, Citibank, and Google, and hacking the websites of the Saudi "Bank Al Bilad".
Zombie_KSA (KSA = Kingdom of Saudi Arabia) uses the hotmail addresses "Zombie_KsA@hotmail.com" and "email@example.com".
TrendMicro posted screenshots obtained from Zombie_KSA proving that he not only had defaced the website, but actually had control of the email systems of the NR3C.
Despite the ZombiE_KsA hack, the Pakistani government is to be highly praised for taking on Cybercrime in such a proactive way. Pakistanis are encouraged to report cybercrime by emailing firstname.lastname@example.org. The 2007 "Prevention of Electronic Crimes Bill (english language PDF) offers penalties from six months imprisonment all the way up to Capital punishment for 17 types of cyber crimes, with the most significant being "Cyber terrorism".
Other articles show that Zombie_KsA and Cyber-Criminal hacked the Pakistani Air Force website.
Unfortunately for the PakBugs hackers, in addition to having the Pakistani government after them, they had a bigger problem. Greyhat vigilante hacker "email@example.com" posted the entire user database of the PakBugs forums to the mailing list Full-Disclosure back on September 14, 2009. That report revealed the email addresses used by all 12,640 members of PakBugs, including many of the hackers on the FIA wanted list including:
ZombiE_KsA = firstname.lastname@example.org
x00mx00m = email@example.com
Farman = firstname.lastname@example.org
vergil = email@example.com
Injector = firstname.lastname@example.org
h4v0c- = email@example.com
The FIA may want to check out the history of website "loverzpoint.net", which has been "Greeted" several times by ZombiE_KsA, and where two of their "still at large" hackers have email accounts:
Cyb3r-Criminal = firstname.lastname@example.org
BiG Smoke = email@example.com
spo0fer = firstname.lastname@example.org
[a] = email@example.com
loverzpoint.net was originally registered to "firstname.lastname@example.org" with a fraudulent US-based address. In October 2008 that changed to "email@example.com" with a Riyadh address and the name "Syed Jawad Shah".
(According to the Hack, userids 1, 12, 99, 1628 and 3844 all had "Admin" privileges at PakBugs. That would be users = ZombiE_KsA, spo0fer, Maximus, Test User, and Big Smoke, the last of those being the original owner of LoverzPoint.net)
The website "Propakistani.pk" has run a message regarding these arrests which is said to be from the "Pakistan Cyber Army". The PCA was active in a clash between Pakistani and Indian hackers in November of 2008. The message reads:
"Message from Pakistan Cyber Army on arrest of Pakbugs Members
(someone named R4yd3n was a member at PAKBugs as well, using the email firstname.lastname@example.org)