A 31-year-old Canadian man has been arrested and charged with fraud in connection with numerous ransomware attacks against businesses, government agencies and private citizens throughout Canada and the United States. Canadian authorities describe him as “the most prolific cybercriminal we’ve identified in Canada,” but so far they’ve released few other details about the investigation or the defendant. Helpfully, an email address and nickname apparently connected to the accused offer some additional clues.
Matthew Philbert of Ottawa, Ontario was charged with fraud and conspiracy in a joint law enforcement action by Canadian and U.S. authorities dubbed “Project CODA.” The Ontario Provincial Police (OPP) on Tuesday said the investigation began in January 2020 when the U.S. Federal Bureau of Investigation (FBI) contacted them regarding ransomware attacks that were based in Canada.
“During the course of this investigation, OPP investigators determined an individual was responsible for numerous ransomware attacks affecting businesses, government agencies and private individuals throughout Canada as well as cyber-related offenses in the United States,” reads an OPP statement.
“A quantity of evidentiary materials was seized and held for investigation, including desktop and laptop computers, a tablet, several hard drives, cellphones, a Bitcoin seed phrase and a quantity of blank cards with magnetic stripes,” the statement continues.
The U.S. indictment of Philbert (PDF) is unusually sparse, but it does charge him with conspiracy, suggesting the defendant was part of a group. In an interview with KrebsOnSecurity, OPP Detective Inspector Matt Watson declined to say whether other defendants were being sought in connection with the investigation, but said the inquiry is ongoing.
“I will say this, Philbert is the most prolific cybercriminal we’ve identified to date in Canada,” Watson said. “We’ve identified in excess of a thousand of his victims. And a lot of these were small businesses that were just holding on by their fingernails during COVID.”
A DARK CLOUD
There is a now-dormant Myspace account for a Matthew Philbert from Orleans, a suburb of Ottawa, Ontario. The information tied to the Myspace account matches the age and town of the defendant. The Myspace account was registered under the nickname “Darkcloudowner,” and to the email address email@example.com.
A search in DomainTools on that email address reveals multiple domains registered to a Matthew Philbert and to the Ottawa phone number 6138999251 [DomainTools is a frequent advertiser on this site]. That same phone number is tied to a Facebook account for a 31-year-old Matthew Philbert from Orleans, who describes himself as a self-employed “broke bitcoin baron.”
Mr. Philbert did not respond to multiple requests for comment.
According to cyber intelligence firm Intel 471, that firstname.lastname@example.org address has been used in conjunction with the handle “DCReavers2” to register user accounts on a half-dozen English-language cybercrime forums since 2008, including Hackforums, Blackhatworld, and Ghostmarket.
Perhaps the earliest and most important cybercrime forum DCReavers2 frequented was Darkode, where he was among the first two-dozen members. Darkode was taken down in 2015 as part of an FBI investigation sting operation, but screenshots of the community saved by this author show that DCReavers2 was already well known to the Darkode founders when his membership to the forum was accepted in May 2009.
Most of DCReavers’s posts on Darkode appear to have been removed by forum administrators early on (likely at DCReavers’ request), but the handful of posts that survived the purge show that more than a decade ago DCReavers2 was involved in running botnets, or large collections of hacked computers.