Posts Tagged: Butterfly Bot

Dec 17

Former Botmaster, ‘Darkode’ Founder is CTO of Hacked Bitcoin Mining Firm ‘NiceHash’

On Dec. 6, 2017, approximately USD $52 million worth of Bitcoin mysteriously disappeared from the coffers of NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies. As the investigation into the heist nears the end of its second week, many Nice-Hash users have expressed surprise to learn that the company’s chief technology officer recently served several years in prison for operating and reselling a massive botnet, and for creating and running ‘Darkode,” until recently the world’s most bustling English-language cybercrime forum.

In December 2013, NiceHash CTO Matjaž Škorjanc was sentenced to four years, ten months in prison for creating the malware that powered the ‘Mariposa‘ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

An advertisement for the ButterFly Flooder, a crimeware product based on the ButterFly Bot.

ButterFly Bot, as it was more commonly known to users, was a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. The ButterFly Bot kit sold for prices ranging from $500 to $2,000.

Prior to his initial arrest in Slovenia on cybercrime charges in 2010, Škorjanc was best known to his associates as “Iserdo,” the administrator and founder of the exclusive cybercrime forum Darkode.

A message from Iserdo warning Butterfly Bot subscribers not to try to reverse his code.

On Darkode, Iserdo sold his Butterfly Bot to dozens of other members, who used it for a variety of illicit purposes, from stealing passwords and credit card numbers from infected machines to blasting spam emails and hijacking victim search results. Microsoft Windows PCs infected with the bot would then try to spread the disease over MSN Instant Messenger and peer-to-peer file sharing networks.

In July 2015, authorities in the United States and elsewhere conducted a global takedown of the Darkode crime forum, arresting several of its top members in the process. The U.S. Justice Department at the time said that out of 800 or so crime forums worldwide, Darkode represented “one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world.”

Following Škorjanc’s arrest, Slovenian media reported that his mother Zdenka Škorjanc was accused of money laundering; prosecutors found that several thousand euros were sent to her bank account by her son. That case was dismissed in May of this year after prosecutors conceded she probably didn’t know how her son had obtained the money.

Matjaž Škorjanc did not respond to requests for comment. But local media reports state that he has vehemently denied any involvement in the disappearance of the NiceHash stash of Bitcoins.

In an interview with Slovenian news outlet, the NiceHash CTO described the theft “as if his kid was kidnapped and his extremities would be cut off in front of his eyes.” A roughly-translated English version of that interview has been posted to Reddit. Continue reading →

Apr 13

Fool Me Once…

When you’re lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to  ‘maximum.’ But when you’ve gained access to an elite black market section of a closely guarded crime forum to which very few have access, it’s easy to let your guard down. That’s what I did earlier this year, and it caused me to chase a false story. This blog post aims to set the record straight on that front, and to offer a cautionary (and possibly entertaining) tale to other would-be cybersleuths.

baitOn Jan. 16, 2013, I published a post titled, “New Java Exploit Fetches $5,000 Per Buyer.” The details in that story came from a sales thread posted to an exclusive subforum of, a secretive underground community that has long served as a bazaar for all manner of cybercriminal wares, including exploit kitsspam services, ransomware programs, and stealthy botnets. I’ve maintained a presence on this forum off and on (mostly on) for the past three years, in large part because Darkode has been a reliable place to find information about zero-days, or highly valuable threats that exploit previously unknown vulnerabilities in software — threats that are shared or used by attackers before the developer of the target software knows about the vulnerability.

I had previously broken several other stories about zero-day exploits for sale on Darkode that later showed up “in-the-wild” and confirmed by the affected vendors, and this sales thread was posted by one of the forum’s most trusted members. The sales thread also was created during a time in which Java’s maker Oracle Corp. was struggling with multiple zero-days in Java.

What I didn’t know at the time was that this particular sales thread was little more than a carefully laid trap by the Darkode administrators to discover which accounts I was using to lurk on their forum. Ironically, I recently learned of this snare after white/grey hat hackers compromised virtually all of the administrator accounts and private messages on Darkode.

“Looks like Krebs swallowed the bait, and i got an idea how to catch him now for the next thread,” wrote Darkode administrator “Mafi” in a Jan. 16 private message to a co-admin who uses the nickname “sp3cial1st”.

Following this post, the administrators compared notes as to which users had viewed the fake Java zero-day sales thread during the brief, two-day period it was live on a restricted portion of Darkode. “I have taken a careful examination of the logs related to the java 0day thread,” sp3cial1st wrote to a Darkode administrator who used the nick “187”.

Continue reading →

Nov 11

Attempted Malvertising on

Members of an exclusive underground hacker forum recently sought to plant malware on, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”

Last week, I listed the various ways this blog and its author has been “honored” over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called sought to fraudulently place a rogue ad on The ad was made to appear as though it was advertising BitDefender antivirus software. Instead, it was designed to load a malicious domain: sophakevans. co. cc, a site that has been associated with pushing fake antivirus or “scareware.”

The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval.

Darkode members plot to purchase a rogue ad on They failed.

I learned about this little stunt roughly at the same time it was being planned; Much to the constant annoyance of the site administrators, I secretly had gained access to Darkode and was able to take this screen shot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname “Mafi,” didn’t appreciate that, and promised he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at and is the developer of the Crimepack exploit kit.

Continue reading →