A 21-year-old East London resident tied to a "Com" cybercrime network has been convicted of fraud and making indecent images of children, authorities said.
Analysis Summary
# Incident Report: Blackmail and Fraud Network Operations by "CVLT" Group Member
## Executive Summary
A member of the online group "CVLT," identified as Richard Ehiemere, was successfully prosecuted for fraud and creating indecent images of children. The investigation, initiated by a referral from Discord in 2021, revealed the group's pattern of coercing young victims into sharing intimate media through doxing threats, leveraging stolen credentials ("combo lists") supplied by Ehiemere to enable further fraudulent activity across hundreds of accounts.
## Incident Details
- **Discovery Date:** 2021 (Initial referral from Discord)
- **Incident Date:** Ongoing in the period leading up to the arrest in April 2021
- **Affected Organization:** No specific organization was compromised; the victims were private individuals targeted via social media.
- **Sector:** Cyber-enabled Social/Criminal Activity Network
- **Geography:** East London, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-2021 (Ongoing prior to discovery)
- **Vector:** Social media platforms (specifically Discord) and phishing/coercion techniques.
- **Details:** CVLT members targeted girls on platforms like Discord, using online monikers to persuade or coerce them into sending intimate photos.
### Lateral Movement
- **Details:** The group used stolen login credentials ("combo lists") supplied by Ehiemere (over 380 separate log-ins were traced to him) to gain access to other accounts or platforms associated with victims or targets, which expanded their criminal operations and strengthened their doxing threats.
### Data Exfiltration/Impact
- **Details:** Intimate photos and videos were obtained from victims. This material was then used to blackmail victims into sending increasingly extreme content. In severe cases, victims were forced into group calls involving sexual acts and encouraged to commit self-harm or suicide on camera. Furthermore, *combo lists* (stolen email/password pairs) were shared for fraud.
### Detection & Response
- **How it was discovered:** NCA received a referral from Discord regarding the group CVLT in 2021.
- **Response actions taken:** Ehiemere was arrested in April 2021 at his home address. Law enforcement seized his mobile phone and computer, uncovering evidence including 142 combo lists and related conversations regarding hacking and avoiding detection.
## Attack Methodology
- **Initial Access:** Social engineering/coercion against targets on social media (Discord).
- **Persistence:** Not explicitly detailed for Ehiemere, but the network maintained operations using shared resources.
- **Privilege Escalation:** No traditional local OS privilege escalation is described; the escalation was in *coercive power* over victims, built up through doxing threats.
- **Defense Evasion:** Conversations relating to "how to avoid detection" were discovered on seized devices.
- **Credential Access:** Ehiemere provided "combo lists" (stolen email and password pairs) which facilitated access to potentially hundreds of victim accounts.
- **Discovery:** Members used doxing threats to identify and expose victims' real-world identities.
- **Lateral Movement:** Use of disclosed credentials ("combo lists") to gain access across different platforms/accounts.
- **Collection:** Gathering of intimate photos/videos from coerced victims.
- **Exfiltration:** Theft and sharing of intimate victim media and stolen credential lists within the group channels.
- **Impact:** Blackmail, fraud, production and distribution of indecent images of children, psychological harm, and encouragement of self-harm/suicide.
## Impact Assessment
- **Financial:** Fraud was an explicit charge; Ehiemere provided data used to "defraud hundreds of victims." Specific loss amounts are not detailed.
- **Data Breach:** Theft and distribution of intimate media (images/videos) and large volumes of stolen credentials ("combo lists").
- **Operational:** Disruption of social media platforms used by the group.
- **Reputational:** Significant reputational damage to victims; negative association with the criminal activities of "Com" networks.
## Indicators of Compromise
*(As this incident focuses on criminal enterprise operations rather than a network intrusion, indicators are primarily tied to the perpetrator's environment/activities):*
- **Network indicators:** Logs associating network activity (login attempts) with Ehiemere's home address.
- **File indicators:** Presence of 142 "combo lists" and 29 indecent images of children on seized devices.
- **Behavioral indicators:** Sharing of stolen data, detailed conversations regarding hacking, and instructing victims to perform acts under duress via group calls.
## Response Actions
- **Containment measures:** Arrest of key member Richard Ehiemere in April 2021. Cessation of his ability to supply stolen data to the network immediately following arrest.
- **Eradication steps:** Seizure of devices containing 142 combo lists and evidence, interrupting the ability to trade illicit material.
- **Recovery actions:** Law enforcement action leading to conviction and sentencing for fraud and serious image offenses.
## Lessons Learned
- **Key takeaways:** "Com" networks, while often less centralized than established cybercrime groups, pose significant threats through rapid coordination of severe online offenses like blackmail, image-based sexual abuse, and fraud enablement.
- **What could have been done better:** Earlier intervention by platforms (Discord referred the case in 2021, and the arrest followed later that year). Increased industry vigilance regarding the sharing of large credential lists, which fuel fraud.
## Recommendations
- Enhanced monitoring and proactive flagging by social media platforms (like Discord) for coordinated activity involving coercion, doxing threats, and the exchange of illicit material.
- Increased collaboration between law enforcement and industry partners to trace and disrupt criminal coordination across decentralized online groups (Com networks).
- Implementation of stronger authentication methods to mitigate the effectiveness of large-scale credential stuffing attacks facilitated by stolen "combo lists."