REvil Ransomware Site Goes Offline
Multiple websites linked to the infamous ransomware gang REvil are currently offline, according to multiple security researchers. REvil is the group linked to the recent hack of information technology firm Kaseya, which an REvil affiliate then used to ransom a wealth of other companies around the world.
"Onionsite not found," an error message currently reads when visiting REvil's dark web site where the group ordinarily posts data stolen from victims.
Lawrence Abrams, owner of information security publication BleepingComputer, said in a tweet that the downtime extended to "all" of REvil's sites, including their sites used for ransom payment.
Pseudonymous research group vx-underground added in a tweet that "Unknown," a representative for REvil, has not posted on popular hacking forums Exploit and XSS since July 8.
Do you have new information about REvil? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
The reason for the downtime is unclear. Sometimes dark web sites temporarily go offline and swiftly return. The site has been down now for over eight hours. Vx-underground added that the dumping site became unresponsive at 1AM EST.
REvil is a hugely prolific ransomware group, and was also responsible for the attack on the world's largest meat producer JBS. The group is Russian speaking.
President Biden told President Putin last Friday that Russia must "take action" against cybercriminals based in the country who target the United States. Russian and U.S. officials are meeting this week to discuss the issue.

Scammer Used Fake Court Order to Take Over Dark Web Drug Market Directory
A scammer used a fake court order to convince a domain registrar to transfer ownership of a domain that lists dark web drug markets, and then used that to point the sites to their own copies of the markets designed to steal people's bitcoin.
Hackers often make lookalike sites of dark web markets, but the use of a fake court order is unusual. It bears some similarity to how scammers use fake trademarks to convince Instagram to transfer ownership of valuable usernames.
"I had 2FA and PGP enabled on that account. I am not an idiot when it comes to security," Dark Fail, the pseudonymous admin of the site dark.fail which was a victim of the hijacking, told Motherboard during the account takeover late last week.
Do you know anything else about this phishing campaign? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Dark.fail is a site that aims to provide trusted links to dark web marketplaces.
"This resource is intended for researchers only. I do not vouch for any sites," a message on the Tor hidden service version of the site currently reads.
After the domain hijack, the attacker replaced each link with a phishing site, according to a message on dark.fail posted after Dark Fail regained control of the domain.
"Each site looked real but instead shared all user activity with the attacker, including passwords and messages. Cryptocurrency addresses displayed on these sites were rewritten to addresses controlled by the phisher, intercepting many people's money," the message reads.
Dark.fail was registered with the privacy-focused domain registrar Njalla, which in turn uses the registrar Tucows for .fail domains, according to a tweet from Njalla and The Pirate Bay co-creator Peter Sunde Kolmisoppi.
Sunde added that Tucows received a court order on April 28 listing domain names that a German court allegedly wanted handed over.
"The PDF looks like a real court order, I've seen a lot of these," Sunde wrote. "But this one is fake." It used language previously used in a real court order to seize a different domain, he added. He wrote that the fake document also included a gag order, meaning neither Njalla nor Hover, another impacted registrar, was told about the transfer.
Sunde told Motherboard in an online chat that Tucows shared a copy of the fake order with him.
"We've looked at it quite in detail and quite certain it's possible to narrow down the suspects quite a bit with access to more evidence," Sunde added. He told Motherboard he agreed not to share a copy of the fake order itself since it's a piece of evidence in a potential criminal investigation.
Sunde said in another tweet that the dark.fail domain was transferred to the registrar Namecheap, which did not suspend the domain despite it being used for an active phishing campaign because it believed the court order was legitimate. Days later, Njalla was able to retrieve the dark.fail domain.
Namecheap said in a statement that "Namecheap responsibly and thoroughly investigates every allegation of reported abuse. We are also proactive in identifying individual abuse, broad scale abuse patterns, and working with federal agencies to collectively get in front of new forms of abuse. We are in regular contact with law enforcement agencies and voluntarily provide analysis of what we are seeing, how we are trying to combat the abuse, and how we can best work together to find ways to stop any uncovered fraud."
The statement also disputed that Namecheap believed the fake court order to be legitimate. "In this case, we were not provided any actionable evidence of phishing or abuse from Tucows or Njalla (a Tucows reseller) and immediately began an internal investigation upon receipt of a transfer dispute request. For clarity sake, Namecheap never stated that the court order was legitimate, nor have we received a copy of a court order from Tucows or Njalla. Upon investigating the case, and without knowledge of what had led Tucows to initially allow the transfer of the domains to Namecheap, we quickly determined a court order provided to us by the new registrant to be a falsified document. We then commenced the process to transfer the domains back to Tucows. Namecheap suspended the domains for phishing prior to their transfer back to Tucows, along with two other associated domains that we identified were used in this incident of abuse," the statement added.
"Our findings show that Tucows was the victim of an intricate phishing scheme presented under the guise of a secret court order. This was a hyper-targeted phish designed with the direct intent of hijacking select domains," Madeleine Stoesser, PR and corporate communications lead at Tucows, said in a statement. "We immediately began steps to successfully retrieve the domains and have implemented new processes to mitigate future issues. As the second-largest domain name registrar in the world by volume, Tucows is committed to the continued privacy and security of domains and our customers."
In 2016 the Justice Department announced charges against someone for running dark web phishing sites. He was sentenced to just over a year in prison.
"Once someone controls your domain you're toast," Dark Fail told Motherboard.
Updated: This piece has been updated to include statements from Tucows and Namecheap.
Subscribe to our cybersecurity podcast CYBER, here.

FBI Paid Anti-Child Predator Charity $250,000 for Hacking Tools
The FBI paid a non-profit organization focused on unmasking child predators $250,000 for access to a series of hacking tools, according to public procurement records viewed by Motherboard.
The news provides more insight into how the FBI obtains some of its hacking tools, or so-called network investigative techniques (NITs). The contract also highlights the close relationship between private parties and the FBI when hacking suspects. Facebook, for example, previously bought a hacking tool for the FBI to use to unmask one of the social network's users who was aggressively targeting minors on the platform.
The procurement record says the FBI's Child Exploitation Operational Unit (CEOU) is "purchasing a set of NITs." The contract dates from June 2020.
The NITs "have been demonstrated for OTD and CEOU and which have the capability, if activated, of providing the true internet address of the subject," the product description continues, referring to the Operational Technology Division, a part of the FBI that carries out hacking operations. The latter half of the product description is cut off, but reads in part "of providing the true internet address of the subject even when hidden behi," presumably referring to whether the target is behind a proxy or anonymization network.
Do you produce NITs for the government? Do you know someone who does? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
The non-profit that the FBI paid for the NITs is called the Innocent Lives Foundation (ILF).
"We unmask anonymous child predators to help bring them to justice," the organization's website reads. "We use Open Source Intelligence Gathering (OSINT) methods to identify child predators. Once we have gathered the appropriate amount of information to confirm the identification of the predator, that file is then submitted to law enforcement," the website continues.
The ILF includes a board of directors, various corporate roles such as a Chief Operating Officer, and a number of volunteers who are accepted by invitation only, the website reads. In 2019, hacking conference DerbyCon selected the ILF as one of the featured non-profits of the conference, and provided the charity with more than $25,800 in donations, the ILF website adds.
U.S. law enforcement's umbrella term of network investigative technique has previously encompassed a wide range of different technologies and approaches. In some investigations NIT has referred to a booby-trapped Word document that once opened phoned home to an FBI controlled server, revealing the recipient's IP address. At the higher end, the FBI has deployed non-public exploits that break through the security protections of the Tor Browser.
In a phone call with Motherboard, Chris Hadnagy, founder, executive director, and board member of the ILF, declined to specify what sort of tool the NITs were, or whether the charity developed the NITs itself or sourced them from another party.
At one point a company that sources zero-day exploits and then sells them to governments offered $80,000 for an attack targeting Firefox, which the Tor Browser is based on. That company, Exodus Intelligence, later provided a Firefox exploit to an offensive customer; a law enforcement agency deployed it to visitors of a dark web child abuse site, Motherboard previously reported.
Law enforcement agencies have used NITs to investigate financially-motivated crime, bomb threats, and hackers. Most prolifically, the FBI has deployed NITs in child abuse investigations, particularly on the dark web. Among other large scale cases, in 2015 the FBI hacked over 8,000 computers in 120 countries based on one warrant. Some judges threw out evidence in subsequent cases as they ruled that the judge who signed the warrant did not have the authority to do so. The campaign, dubbed Operation Pacifier, led to the arrest of 55 hands-on abusers and 26 producers of child pornography, as well as recovering 351 children, according to a report from the Department of Justice Office of the Inspector General.
The report also mentioned how between 2012 and 2017 the FBI's Remote Operations Unit, which is part of the OTD, was largely responsible for the development and deployment of dark web solutions.
"However, over the past 2 years, its dark web role has eroded due to budget decreases and an increased prioritization on tools for national security investigations. This has resulted in the operational units seeking tools useful to dark web investigations independently without a mechanism to share the product of their efforts," the report added.
The FBI declined to comment.
Update: This piece has been updated with a response from the FBI.
