Maybe you heard that the domain dark.fail (@DarkDotFail) got hijacked. Here's the story on how it happened. A thread! (I've pieced together the data I have so I might have some small errors in this thread, FYI.)
First, the domain was registered through a service I started, @njal_la (or transferred in, not sure here). Njalla in turn uses @tucows as a registrar for .FAIL domains.
On the 28th of April, Tucows receives a court order, from Amtsgericht Köln, the district court of Cologne, NRW, Germany. It contains a list of domain names that they want handed over. Two of three domains listed are registered through Njalla, the last one with @hover.
The PDF looks like a real court order, I've seen a lot of these (...) but this one is fake. It's without spelling errors, referring to a German paragraph that was previously used to get the domain kino.to suspended. So really looks legit.
I do not have a copy of the email and headers, but I'm assuming it is sent using a sender from the domain listed in the document, agkoeln-nrw[.]de. The official domain for Amtsgericht Köln is ag-koeln[.]nrw[.]de. I.e. Not the same.
If you go to the listed domain, agkoeln-nrw[.]de, you will be redirected to the correct domain.
If you look at the MX pointers for the domain, it points here:
Whereas the correct MX pointers for the correct Amtsgericht Köln is:
The phishing domain is registered with @Namecheap, and is also using their web redirect service and their email service.
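A defender-side intake check along the lines of the comparison above, as an added example that is not part of the thread: it flags a sender domain that collapses to the same letters as an allowlisted official court domain (agkoeln-nrw.de vs ag-koeln.nrw.de) and compares the MX hosts of the sender domain against those of the official one. The allowlist and MX host lists are constructed for illustration, and live DNS resolution is left out so the code runs offline.

```python
"""Sender-domain triage for legal-request intake (added example, not from the thread)."""
import re

# Constructed allowlist: the official Amtsgericht Koeln domain named in the thread.
# A real intake system would load this from a vetted, maintained source.
OFFICIAL_DOMAINS = {"ag-koeln.nrw.de"}


def _skeleton(domain: str) -> str:
    """Keep letters and digits only, so that moving hyphens and dots around
    (agkoeln-nrw.de vs ag-koeln.nrw.de) produces the same skeleton."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches single-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str, official=OFFICIAL_DOMAINS) -> str:
    """'official' for an exact allowlist hit, 'lookalike of <domain>' when the
    skeletons match or are within two edits, otherwise 'unknown'.
    Anything but 'official' should block automated processing of the request."""
    d = sender_domain.lower().rstrip(".")
    if d in official:
        return "official"
    skel = _skeleton(d)
    for o in official:
        if _edit_distance(skel, _skeleton(o)) <= 2:
            return f"lookalike of {o}"
    return "unknown"


def mx_matches_official(sender_mx, official_mx) -> bool:
    """True only if every MX host of the sender domain is also an MX host of
    the official domain. A lookalike domain whose mail lands at an unrelated
    commercial mail provider (the case described in the thread) fails this."""
    norm = lambda hosts: {h.lower().rstrip(".") for h in hosts}
    return norm(sender_mx) <= norm(official_mx)
```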
Now, Tucows probably deals with quite a load of court orders, and sloppily lets this one through. It looks convincing, the domain is almost correct and if they tried browsing they would have ended up on the correct site. It's a classic phishing expedition.
The fake court order also included a gag order, to not inform the registrant that this was happening. This means that neither Njalla nor Hover was informed about what was going to happen and had no possibility of stopping the transfer.
We presume that Tucows replied with the transfer codes for the domains to the phishing email. We have asked them for more information (like a full copy of the incoming email with SMTP headers etc) and hope to get that soon.
Very quickly after that happened, the domains were transferred out from Tucows. One of the Njalla-originated domains went to @EpikDotCom and another one to, you guessed it, @Namecheap.
It didn't take long until the websites of the domains (and their MX pointers) all of a sudden had new content. The new sites are now phishing sites, and most likely making a lot of money and collecting sensitive user data.
Njalla (and presumably Hover) informed Tucows very quickly and they were to their credit very quick to put a lot of effort into solving the situation, and they put (from our experience) their best people on it.
Now, I don't like @EpikDotCom from a personal and political standpoint. But credit due: when they were informed about the phishing situation, the domain that was transferred to them was handed back very quickly all things considered.
Now, the dark[.]fail domain is another story. There's been a lot of effort put in from the registrant, the reseller, the registrar and many others to return the hijacked domain. But the gaining registrar, @Namecheap, has still not done anything at all.
We've all asked if they could first of all suspend the domain so that the active phishing site (yes, it's insanely enough still active, visit with caution) would be stopped. And the domain should be returned, as per regulation that Namecheap has agreed to with ICANN/registry.
Njalla has even contacted @DonutsInc that operates the TLD .fail in order to actually get the site shut down and the domain returned. Hopefully this will amount to enough pressure to make @Namecheap actually rectify the situation.
(Personally I even contacted The @NamecheapCEO who has still not returned my e-mails.)
Now, here's the kicker. Today we got informed that @Namecheap doesn't agree that the court order is fake! Even though the domain listed on the court order is registered through them, the web redirect is hosted with them, and the incoming email is hosted by them.
So even though @Namecheap has all the evidence needed to stop not only one but two ongoing phishing attacks (the domain hijacked plus the domain used to do it) hosted by them, they refuse.
The past days have not been great for Tucows nor the people working with them. It was a human error, and unfortunately out of the hands of Njalla (& Hover). If the court order would have ended up with Njalla, I'm 110% certain it would not have happened.
I've seen a few people very upset with Njalla for "shitty security". The way that domain names work (with this hierarchy) it's near impossible to optimise this flow. Believe me; I'm trying. I left @njal_la (I'm on the advisory team still) to work on a new registrar!
My registrar is focused on better technology, and a lot more security. However, ICANN refused me to do so. Ironic. torrentfreak.com/icann-refuses-…
So if ICANN had not refused me - afraid that I would not follow their regulation - we would not have ended up in a situation where a domain was phished because of low opsec by one ICANN accredited registrar, and then not returned because another is breaking ICANN regulation.
Some of the privacy sensitive domains that used Njalla decided to move. All respect to that. Some have moved to other Tucows partners (...) and some of them moved to, you guessed it, @Namecheap. Oh, do I wish I had an alternative for them for .fail domains.
Now, the phishing attack is still ongoing, and if enough people would push @Namecheap and their @NamecheapCEO on social media, maybe they will help @DarkDotFail out and get their domain back. Thanks.
BONUS 1: The court order PDF has no metadata. It's written in German with correct spelling, the person processing it at Tucows speaks German.
BONUS 2: The domains transferred to @Namecheap use their privacy service -- would say uncommon for a court to do.
BONUS 3: If @Namecheap is claiming the court order is correct, they must believe that the German court has themselves put up a phishing site.
BONUS 4: The domain transferred to @EpikDotCom listed NRW as the region of the registered name holder in the whois data. Most likely the account created there was registered to match the transfer in? Maybe you can update us Epik?
BONUS 5: The domain that was with @hover seems to also be stuck with @Namecheap.
BONUS 6: The court order makes me believe that the attacker is _very_ well versed in how these court orders usually look, and has directed it extremely well within Tucows. It's not someone without insight.
Resolved! @Namecheap finally agreed to return the domain, after a lot of pressure from many angles. Many thanks for all the support here, and now we're going into analysis and debriefing.
Thread by Peter Sunde Kolmisoppi (@brokep)