The Dark Overlord & 9/11 Documents: 5 Fast Facts You Need to Know

Jonathan Xie

The Dark Overlord hacker group, known previously for leaking episodes of Netflix’s Orange is the New Black, has claimed that they hacked insurance companies connected with 9/11 litigation and will release the information if they aren’t paid a Bitcoin ransom. After making the initial announcement, the group later said that it would also accept Bitcoin payments in exchange for releasing some of the information. So far more than $300 has been paid to the group, and in response the group released two new “Checkpoints” of information. The Dark Overlord’s Twitter account has been suspended, but they are continuing to communicate on Pastebin and sites like 4chan and Reddit. (Update: After being suspended from Reddit, the group moved to Steemit.) The group has hacked companies like Netflix in the past, but the content of the current hack is unclear. Here’s a look at The Dark Overlord’s history and what has happened so far.


1. The Dark Overlord Hacking Group Initially Said It Had 18,000 Secret Documents that It Would Release If It Wasn’t Paid a Ransom

News about the breach originated on Pastebin, when a hacker group called The Dark Overlord announced that it had breached law firms and insurance companies connected to September 11 cases, Motherboard reported. The announcement read, in part: “Hiscox Syndicates Ltd and Lloyds of London are some of the biggest insurers on the planet insuring everything from the smallest policies to some of the largest policies on the planet, and who even insured structures such as the World Trade Centers.”

They claimed to have obtained 18,000 secret documents from the leak:

The Dark Overlord

Twitter

A spokesperson for the Hiscox Group told Motherboard: “The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach… Once Hiscox was informed of the law firm’s data breach, it took action and informed policyholders as required. We will continue to work with law enforcement in both the UK and US on this matter.”

In April 2018, Hiscox reported a data breach. Their press release reads, in part: “Hiscox recently learned of an information security incident affecting a specialist law firm in the US that provided advice to Hiscox or its policyholders on some of its US commercial liability insurance claims. The incident involved illegal access to information stored on the law firm’s server, which may have included information relating to up to 1,500 of Hiscox’s US-based commercial insurance policyholders. US small business online policyholders and all non-US policyholders are unaffected by this incident. The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident…”

Jeff Stone, a reporter who covers cybercrime, noted that both Silverstein and Lloyd’s of London had said they were not breached.

Since making these announcements, the Dark Overlord’s Twitter account has been suspended. If you visit @tdo_h4ck3rs, you’ll see the message below.

Twitter

The group said on Pastebin that their motivation was purely financial. “You’re welcome, heathens and what’s the final lesson? When you’re a client of ours and you’ve accepted an agreement of ours: follow it to the letter. We’re not motivated by any political thoughts. We’re not hacktivists. We’re motivated only by our pursuit of internet money (Bitcoin).”

In a Pastebin note, the group said it was appealing the suspension and was now on Reddit. The thread on Reddit was later removed and, hours later the group’s subreddit and user accounts were also banned. They are now on Steemit.


2. The Group Is Now Accepting Payment To Release More Documents & You Can Track Those Payments Online. So Far, Enough Was Given to Release Two New Sets of Documents.

In its initial note, the group included a link to a 10 GB archive of encrypted files, Motherboard reported. The cache has multiple layers and multiple decryption keys to access those layers. The group has said that unless they are paid a Bitcoin ransom, they will release all the files. Their note read, in part: “Pay the f*** up, or we’re going to bury you with this. If you continue to fail us, we’ll escalate these releases by releasing the keys, each time a Layer is opened, a new wave of liability will fall upon you.”

But now, the group has said that it is accepting payment to release layers of the information it hacked. In a Pastebin note, the group wrote, in part:

There’s five layers to go. Layer 1, 2, 3, 4, and fine finally Layer 5. Each layer contains more secrets, more damaging materials, more SSI, more SCI, more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full. However, in the interest of public awareness and transparency, we’re officially announcing our tiered compensation plan. Below, we’ll announce the required cost to release each layer of damaging documents that are filled with new truths, never before seen. There’s only one way we can be paid: Bitcoin…  As more BTC is generated, more information will be released. We’re also going to introduce checkpoints between each major funding goal that will result in some small samples to be released from the next layer before the entire layer is allowed to be decrypted.”

The group then went on to list how much money they’re accepting for each layer:

  • Checkpoint 01 – 250 USD of BTC = 25 ‘random’ documents from Layer 1.
  • Checkpoint 02 – 500 USD of BTC = 25 ‘random’ documents from Layer 1.
  • Checkpoint 03 – 750 USD of BTC = 40 ‘random’ documents from Layer 1.
  • Checkpoint 04 – 1.000 USD of BTC = 50 ‘random’ documents from Layer 1.
  • Layer_1.container – 5.000 USD of BTC (All Layer 1 Documents)
  • Checkpoint 05 – 6.500 USD of BTC = 50 ‘random’ documents from Layer 2.
  • Checkpoint 06 – 8.500 USD of BTC = 50 ‘random’ documents from Layer 2.
  • Checkpoint 07 – 12.000 USD of BTC = 50 ‘random’ documents from Layer 2.
  • Checkpoint 08 – 25.000 USD of BTC = 50 ‘random’ documents from Layer 2.
  • Layer_2.container – 50.000 USD of BTC (All Layer 2 Documents)
  • Checkpoint 09 – 65.000 USD of BTC = 100 ‘random’ documents from Layer 3.
  • Checkpoint 10 – 85.000 USD of BTC = 100 ‘random’ documents from Layer 3.
  • Layer_3.container – 100.000 USD of BTC (All Layer 2 Documents)
  • Checkpoint 11 – 250.000 USD of BTC = 250 ‘random’ documents from Layer 4.
  • Checkpoint 12 – 500.000 USD of BTC = 250 ‘random’ documents from Layer 4.
  • Layer_4.container – 1.000.000 USD of BTC (All Layer 4 Documents)
  • Checkpoint 13 – 1.500.000 USD of BTC = 5 ‘random’ documents from Layer 5.
  • Layer_5.container – 2.000.000 USD of BTC (All Layer 5 Documents)

They noted that, for example, $100,000 USD in the form of Bitcoin would release a decryption key for all of Layer 2.

You can track how many payments have been made so far at this link. It appears that 16 transactions have gone through at the time of the publication’s update, for a total of about 3.277 BTC, which is more than $12,300. However, as some commenters on Steemit have pointed out, the group appears to be accepting Bitcoin payments for multiple topics, not just 9/11, at the same Bitcoin address.

The group created a Reddit account at u/tdo_h4ck3rs and released a “Checkpoint 01” cache based on payments it received through Bitcoin. The group announced the documents’ release on Reddit, but then was quickly banned after the announcement.

The group is now on Steemit and announced the release of a second checkpoint of files. It’s unclear at this time what is in those files. They have also released documents on Steemit not related to 9/11, and were criticized on Steemit for posting documents from a plastic surgery clinic.


3. The First Set of Documents Released Related Mostly to Legal Procedures Involving Insurance Payments. Two More Sets of Files Were Later Released in Response to Bitcoin Payments.

RedditPost in response to Bitcoin payments before the account was banned on Reddit

To prove they did indeed hack some related accounts, The Dark Overlord group published some letters, emails, and documents that mentioned firms, the FAA, and the TSA, Motherboard reported. The group published a decryption key on Pastebin and on Twitter.

A group of people on Reddit were discussing the release before they were banned (and one of the original posters was banned completely from Reddit.) At the time, they shared a Google Drive and a WeTransfer link with the documents, but most people agreed that the initial documents were simply related to litigation involving insurance companies. This litigation involved attorneys’ trying to find reasons that a third party might have to cover some of the liability for 9/11, rather than the insurance company paying a full settlement. This might be due to inadequate security or services that, from a legal standpoint, might have mitigated some of the damage from 9/11. The initial document release seemed to be mostly about insurance companies seeking not to have to pay their full claim. Some documents also revealed how much different entities requested in insurance payments and how much they received.

For example, one file discussed how The Port Authority of New York and New Jersey may have failed to fully ensure the safety of the buildings. They had a command bunker on the 23rd floor of 7 WTC, according to some documents, which included diesel fuel tanks that powered the generators. The insurance claim suggested this might have contributed to the fires that destabilized the building.

The group released a second cache in response to Bitcoin payments, and commenters have said that this file did not contain anything that wasn’t already known. They announced the release on Reddit in a subreddit called The Dark Overlords shortly after 6 p.m Eastern on Wednesday. Their post and their account were quickly banned from Reddit, and any posts linking to the files were also removed, with some people who posted them subsequently banned. The group is now on Steemit and released a Checkpoint 02 late Wednesday night. So far, no one has commented about anything substantial in the documents that were not already publicly known for the most part.


4. The Group Claimed on 4Chan to Have UFO Documents

4chan

Many people are discussing a claim by the group on 4Chan that they have UFO documents to release also. You can see a screenshot of that claim here or above. They wrote in an AMA on 4Chan: “Now our next release about UFOs, yeah, that’s a 10 mate, but it’s going to wait until we’re done here. If you’d like to buy 911 documents from us, read the answers above.”

The UFO documents were not mentioned in their Pastebin announcement from January 2.


5. The Dark Overlord Previously Released Netflix Episodes, Hacked a School District, & Hacked U.S. Medical Clinics

The group has a series of successful hacks in their history. They hacked and released episodes from Orange is the New Black before Netflix released Season 5. The first 10 episodes were shared in a file that totaled 11.46 GB, Variety reported. Variety later reported that in an electronic conversation, The Dark Overlord group confirmed that they had leaked the show despite receiving a $50,000 ransom payment. They said they did so in order to punish Larson Studios for talking to the FBI, which they said was a violation of its “contract.”

In May 2017, The State reported that The Dark Overlord had stolen numerous patient records from U.S. medical and dental clinics and posted them online. They would freeze clinic records and then demand payment in Bitcoin. A Twitter account associated with the group wrote about the Tamp Bay Surgery Center records: “This clinic didn’t do anything wrong except annoy us.”

In October 2017, Daily Beast reported that the Johnston Community School District in Iowa had closed several schools after parents got texts threatening to kill their children. The Dark Overlord group claimed responsibility for the texts to Daily Beast, saying it obtained a cache from the school district during a hack and used that to send out the threatening texts.

Then in May 2018, Serbian authorities claimed that they arrested a 38-year-old man connected to The Dark Overlord group, while working with the FBI, The State reported. But the group said on Twitter that the man didn’t have any connection to them. “No one’s been arrested who operates within thedarkoverlord organisation.”