This past July, wepublished a blog post on a new illegal gambling system known as “ French Dark Bets (FDB) .” FDB is run and hosted by one of the biggest French underground marketplace, the French Dark Net (FDN). This betting system runs entirely on Bitcoins (BTC), which make it easy for cybercriminals to inject and collect money through this platform.
In the following weeks,a series of events caught our attention: The FDN and FDB went offline and came back online within a few days, announcing that they were hacked and money was stolen. Following this incident, FDN went back online with changed features.
Looking at these events, a few inconsistencies struck us that leave us wondering what exactly happened here and whether this supposed hack was actually not a staged attempt of the platform owners/administrators to fill their own pockets. We will take a look at the recent events in the French Underground and shed light on the internal dealings and dynamics within the French cybercriminal community.
How does the Bitcoin system work on FDN/FDB?
The FDN/FDB marketplace and betting system has functions to handle all the financial transactions independently. This means that several sources of money are going directly to FDN.Money from customers to vendors: To buy something on FDN, BTCs must be deposited in the FDN BTC wallet. Once the balance is there, the system allows the buyer to use the balance to buy merchandise from a vendor. The vendor gets the BTC equivalent of the item directly from the FDN BTC wallet. Basically, the FDN system acts as an escrow between seller and buyer. Money from bets: To bet on something, the gambler deposits BTCs in the FDN BTC wallet. If he wins a bet, the money gained is transferred from the FDN wallet to the gambler’s BTC wallet. Gifts and donations: The FDN accepts gifts/donations. Fundraising: As crazy as it may sound given this scenario, FDN raised the idea of being of help to people or organizations in need (fight against cancer, etc.) and allows the collection of funds from their BTC wallet.
The FDN’s administrators were heavily promoting the new FDB system by posting a video on YouTube in order to attract more users that don’t typically frequent the dark web. After the video was posted, we noticed that the FDN went offline for several hours on the 13th of July 2016. It went back online on the 14th of July, announcing that they were hacked. They also introduced a few changes to their platforms.
The announcement of the hack was unusually brief, and hardly any explanation was provided by FDN. They told the FDN forum that they were hacked, but the FDN/FDB databases were safe and not compromised/dumped by the hacker.
Only the Bitcoin wallet of FDN was hacked, which resulted in the loss of all the money from all FDN/FDB customers. Whenever such a hack happens, forum administrators usually express hate, anger, and provide some technical details about the attack to back up their claim―something important to keep the community’s trust. In this particular case, no details about the hack itself were disclosed.
Later, a follow-up post from the main admin known as Zulu provides information on what happens moving forward:
Figure 1. Forum post from FDN admin
Summarizing its content, the FDN will basically start from scratch―all orders are set back and all BTCs are considered lost. The FDN also implemented new rules and became a private forum and marketplace.What happens to FDN after the hack?
Shortly after the FDN website went back online, the FDN decided to restrict the access to the forums of FDN.
While the FDB and the marketplace remains available for anyone, the forums have undergone some stricter rules: it is now restricted to paying “VIP” members―EUR 50 must be paid to get access and must go through an additional layer of vetting, still with the possibility of being removed by the admins as necessary.
A staged affair?
Even in the middle of the night, rumors spread quickly in the French underground. A few days before these events happened, some whistleblowers on other French cybercrime underground websites sent alarms to their peers about the possible scenario with FDN.
One in particular caught our attention, posted 7 days before the supposed hack of the FDN:
Figure 2. A user warns his peers about upcoming exit scam
In this post, the user warns of an exit scam arguing a few questionable developments he noticed in the FDN. For most key figures in the French underground community, several facts point clearly to the suspicion that the FDN was not hacked, but the FDN admins stole money from their members through this scam.
Going through several different marketplaces and forums we found these recurring therioes, facts, and thoughts:No technical information about the hack ever surfaced. No database hack for FDN/FDB, yet the admins deleted all the synchronizing private messages between admins and trusted people. Could this be a deliberate action in preparation for the scam? The possibility to send private messages within the website has been deactivated by the FDN administrators, making it impossible to exchange messages with each other. In a public thread on FDN about the loss of the money, several people repeatedly asked for the blockchain transactions information (txid), which is a very interesting lead when it comes to BTC money movements. No answer at all from the admins on this thread. Zulu, FDN’s main admin, posted several messages on another forum thread about the FDN. As the community called him a scammer and clamored to see the BTC blockchains, Zulu never even dared to make a comment about it. When similar previous hacks happened on French Underground forums, the admins partially sent money to the victims, sometimes even the full amount lost. No action of that kind has been done for the FDN―the admins immediately expressed that there would be no money back. Two different members of the FDN talked about the whole story on another marketplace forum. One member says that when the “scam” happened, he had a withdrawal waiting for 2 days already (it can take 2 or 3 days to withdraw money from the FDN system), and when he checked his account, he saw two withdrawals within half an hour that emptied his account on the FDN. A long thread was posted in the FDN about the incident but it was deleted almost immediately without any explanation. Another member confirms the statement. Some FDN members report that shortly before the “hack,” their account passwords were changed. As the administrators claim that there was no database hack, it raises even more suspicion. All the operations done by the FDN admins over the last month have been suspicious to a lot of cybercriminals―all the signs point to a scam was about to happen on the horizon.
How significant was the financial loss?
In another French cybercrime underground forum, a fraudster estimates the amount of lost money involved to be around EUR 180,000. This estimate is based on these assumptions:Thousands of active users each had an average of EUR 350 in the FDN. Inactive users had fewer balances, from 0 to several dozens, or sometimes thousands of Euros in the FDN. Big powerful users had thousands of Euros in the system. One of the most well-known and trusted personalities in the whole French community rebuked this assumption and estimates the