Threat Actor Dark Basin aka Mercenary.Amanda: Unearthing Massive Hack-for-Hire Operation

Hello, guys! How are y’all doing? How does it feel to able to move around freely after a 3-month house arrest? Going well, I hope :)

In today’s blog, I’m going to cover a threat actor called Dark Basin (named by Citizen Lab), or otherwise known as Mercenary.Amanda (named by NortonLifeLock Labs). This threat actor has been carrying out large-scale credential spearphishing campaigns as early as 2013 and an India-based IT company that offers corporate espionage is behind all these attacks. They conduct account intrusions at the request of their customers that includes private investigators. 

And this is where it gets interesting… The guy who leads this small Indian cybersecurity firm is wanted by the FBI!

I’m pretty sure I got your attention now so let’s get acquainted with Mercenary.Amanda!

How it all started?

Phishing attacks! 

Citizen Lab traced multiple phishing attacks to this threat actor. These attacks are designed in a way that will enable remote access to victims’ systems, cloud-based email accounts and more. The purported targets varied from government officials and climate-change activists to financial services and pharmaceutical firms. 

Who do they target?

This hack-for-hire group has targeted thousands of individuals and hundreds of institutions across 6 continents. Advocacy groups, journalists, elected and senior government officials, hedge funds and multiple industries are among some of the many targets Dark Basin was after. Dark Basin performed commercial espionage at the behest of their customers against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. 

According to Citizen Lab’s report: 

"Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners."

One of these specific targets are organizations working on the #ExxonKnew campaign that claimed that ExxonMobil withheld information about climate change for decades. 


Figure 1: Phishing messages sent by Dark Basin that targeted activists. These messages pose as Google News updates regarding ExxonMobil. 

In 2017, a journalist, who was hit with multiple phishing attempts, reached out to Citizen Lab requesting them to investigate these attacks. Very soon, it was discovered that the phishing attempts were in connection with a custom URL shortener, which the threat actors utilized to impersonate the phishing links. 

This investigation also led to another discovery: this shortener was a small part of a much larger custom URL shorteners network that is operated by a single group. Dark Basin, duh! 

Because the shorteners created URLs with sequential shortcodes, nearly 28,000 additional URLs containing e-mail addresses of targets were identified. Furthermore, open-source intelligence techniques played a huge role in identifying hundreds of targeted individuals and organizations. Citizen Lab contacted a substantial fraction of them, painting a global picture of Dark Basin’s targets.

This is happening in India?

Yes, it is. 

The links to India was formed due to these factors: 

  • Timestamps in hundreds of Dark Basin phishing emails are consistent with working hours in India’s UTC+5:30 time zone
    • Same timing correlations were discovered by the Electronic Frontier Foundation (EFF) in a previous investigation of phishing messages aiming net neutrality advocacy groups, which is now also linked to Dark Basin.
  • Several of Dark Basin’s URL shortening services had names associated with India: ‘Holi’, ‘Rongali’, and ‘Pochanchi’.
    • Holi is a well-known Hindu celebration also known as the “festival of colours,” Rongali is one of the three Assamese festivals of Bihu, and Pochanchi is likely a transliteration of the Bengali word for “fifty-five.”
  • Dark Basin left copies of their phishing kit source code available openly online, as well as log files showing testing activity.
    • The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and log files show that Dark Basin appeared to conduct some testing using an IP address in India.


Pinpointing the country involved helped narrow down the scope even further to find the culprit. 

With a high level of confidence, both Citizen Lab and NortonLifeLock Labs link Dark Basin to an India-based technology company, BellTrox InfoTech Services aka BellTroX D|G|TAL Security, BellTroX, and God-knows-what other possible names.


Figure 2: BellTrox’s website as of June 28, 2019 

According to the website, BellTroX's corporate slogan is: "You desire, we do!"

Looking into what exactly is it that BellTroX does, LinkedIn suggested it’s transcription service. This is what’s posted on the company’s LinkedIn page: 

"Established in 2011, BellTroX InfoTech Services has grown into one of the world's premier transcription and digital dictation provider for numerous hospitals, clinics, expert witnesses, independent practitioners and commercial organizations."

The company’s website said the company offered a variety of services, from medical transcription and information security consulting services, all the way to web development and training. However, since 7th June 2020, the website has been down. 

The domain name - that was first registered in 2012 - now resolves to a static page saying: "This account has been suspended."  Besides that, postings and other materials linking BellTroX to these services have been recently deleted.

Several BellTroX employees - who used personal documents, including CVs, as bait content while testing out their URL shorteners - were singled out since their activities coincided with Dark Basin. Very interestingly, these employees created social media posts narrating and even took credit for attack techniques containing screenshots of links to Dark Basin infrastructure. Some of the terms used by BellTroX and its employees to market their services and offerings online include “Ethical Hacking” and “Certified Ethical Hacker.” 


In 2015, the U.S. Department of Justice indicted several US-based private investigators and a 26-year-old Indian national for their role in a hack-for-hire scheme. They were charged "with crimes related to a conspiracy to access the email accounts, Skype accounts, and computers" and the Indian was said to be one of the two hackers hired "to access the email accounts, Skype accounts and protected computers of individuals without authorization."

Citizen Lab says this Indian national was never arrested in relation to the indictment

This Indian national is a Sumit Gupta, or also known as Sumit Vishnoi. An aggregator of Indian corporate registration data lists Sumit Gupta as the Director of BellTroX. 

Here are the indicators of compromise related to Dark Basin in multiple formats.

That’s it for the blog today, y’all! Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned. 

Until next time, friends!

Credits: Citizen Lab

Add comment