In June 2020, Internet watchdog group Citizen Lab released a report on a hack-for-hire group known as Dark Basin. Companies looking to gain an unfair advantage in legal proceedings, advocacy issues, or business dealings would often hire the cyber mercenary group. Over their multi-year investigation, Citizen Lab researchers uncovered that Dark Basin used highly sophisticated phishing techniques to target thousands of individuals and hundreds of organizations worldwide, including Greenpeace, M+R Strategic Services, and the Rockefeller Family Fund.
One of those targeted by Dark Basin’s operations was the managing partner of ShadowFall Capital & Research, Matthew Earl. After Matthew scrutinized German payment processor Wirecard for its questionable business practices, Dark Basin flipped his cyber world upside down. Matthew remained in their digital crosshairs until an Israeli private detective was detained in 2019 for his involvement in the hacking scheme. The private detective pleaded guilty to the related charges in April 2022. To highlight the human impact of hacker-for-hire operations, we spoke with Matthew, who found himself targeted by cyber mercenaries.
(Edited for brevity and clarity)
DPN: Tell us about yourself.
ME: I’m Matthew Earl—managing partner and CIO of ShadowFall Capital Research. I’m a mathematician by degree. So, as you might expect, I’m very analytical in my approach to life. After graduating, I went to work at various investment banks and founded ShadowFall in 2017.
What is ShadowFall?
ShadowFall is a short-focused hedge fund. Essentially, we seek to identify listed companies that are generally up to no good, whether that be through their using aggressive corporate accounting, flawed business models, or unethical practices, and then we short their stock. Some of the companies we have identified have turned out to be outright frauds. So, although there is a profit motive, our work can have a significant, positive social impact component to it too.
In late 2015, I identified a questionable German company called Wirecard. I discovered the organization was not just involved in accounting fraud but also in money laundering. It was quite a significant amount of money laundering. I wrote three pieces about Wirecard on my personal blog, then decided to write an anonymous article about Wirecard through the research outlet Zatarra Investigations. Seeing as Wirecard was perpetrating Germany’s largest fraud at the time, they took it upon themselves to identify who was behind this piece. They wanted to put a stop to it.
How did Wirecard try to stop it?
Wirecard used three approaches: hacking, legal threats, and surveillance. I became aware of their targeted cyber campaign in December 2016, when their surveillance efforts began to intensify. I started receiving very targeted emails to my personal account. I say targeted because it was clear the hackers specifically crafted them based on my interests, profession, and personal life. For example, an email could read like a Bloomberg article featuring a fake news story on Wirecard management filing a lawsuit against me. These emails even had information regarding my friends and family. There was a time when they pretended to be my sister. They clearly had a lot of information about my sister and knew how she drafted emails. They were desperately trying to get me to open these emails so they could gain access to my system and my device. I received about 3,000 targeted emails. It became quite problematic.
Describe how it felt being targeted by this campaign.
Well, it was very menacing. You are left wondering about the intentions of these people. Do they just want to monitor you, or is it something more sinister? The emails were a constant threat. I became paranoid about clicking on the wrong link. What would happen? Would my email be compromised? What does that entail? There was no relief from it. Sometimes I would get 8 to 10 per day, and they kept coming for three years. I wondered how they got this information and what they planned to do with it. So, there was that aspect.
The other aspect is that I consider myself a private individual. Outside of Twitter, I don’t have a social media presence. However, I have a large family, and as most families do, we share many photos of our children. Knowing someone is surveilling you, you don’t want to use your connected device and share photos with others. You avoid sending messages to family or friends because you know someone else is reading it. You don’t want to drag them into this mess. So, you withdraw from life and close up. I found that difficult to deal with because I am very social with my close-knit family and friends. These aspects significantly impacted my way of life.
You were targeted for three years?
Yeah. The hackers fought hard to get into my email account. I imagine they weren’t ultimately successful, which is why they persisted for so long. There is also the more menacing aspect that these hackers wanted to make sure I was aware that they still considered me a person of interest. They would constantly watch me and keep me under observation. They would not go away.
How did this situation unfold?
I did try to raise this with the Metropolitan Police in London. I gave about three hours of evidence to the police to show the severity of my situation. They were interested but didn’t have the resources to investigate it. Obviously, I tried to report Wirecard to the German regulators, but that went nowhere.
After three months of these targeted emails, I connected with a journalist from Reuters. He said he had been speaking to an organization called Citizen Lab that investigates these cases. He put me in touch with them, and, to my surprise, Citizen Lab told me they already knew I had been receiving these highly targeted emails. Don’t ask me how, but they already knew I was on the list. They asked for those targeted emails, so I sent every single email to Citizen Lab. By all accounts, this helped them track and trace the origins of these emails. They determined the emails were from an organization in India called BellTroX. Citizen Lab would later publicly link Dark Basin to BellTroX, claiming BellTroX was the public front of the hack-for-hire group.
The same hacker group was also attempting to infiltrate financial companies in the US, so the FBI and Department of Justice got involved. In July 2018, the Department of Justice invited me to give evidence, so I went to New York and gave them four hours of evidence. To their credit, they were very determined to find out who was responsible. They apprehended an individual who pleaded guilty in the US court for his involvement in this operation. He’s awaiting his sentence.
Did you discuss this experience with your friends and family?
It was very difficult to tell friends and family. How do you exactly explain this situation to people? How do you tell your sister, “I haven’t opened a message to look at my nephew’s photo because a hack-for-hire group is monitoring me”? Doesn’t sound very realistic, does it? They will think you are either making it up, a complete conspiracy theorist, or a criminal to some degree. It caused isolation. Even though I was a whistleblower of an organization’s crime, I was very concerned that my family and friends would not properly understand the context of this situation.
What was the most concerning aspect of this cyber campaign?
Over the last five years or so, private companies have gained access to the same digital tools that nation-states use to target private individuals. Yet, there is no accountability. There are either no regulations to monitor this, or, if there are, there is no significant enforcement. There needs to be an approach taken by regulators and governments to work out this big problem. Make sure there are laws to prosecute the perpetrators of this criminal activity. If the laws in place are insufficient, it’s time to improve those laws. No private individual should ever be on the receiving end of such a traumatic invasion of privacy.
How much did you know about cyberattacks and/or cyberwarfare before this occurred?
Very little. I am not a technophile by any means. My forte is not information systems or digital technology. My forte is investigating bad companies and financial analysis.
Has the experience made you change your online habits?
Very much so. First of all, anything I use has two-factor authentication. That’s a must. Secondly, I change passwords very regularly. I currently have nine employees, so I make sure they know the risks associated with digital technology. To this day, I am very reluctant to let my children use any of my devices. I still have a fear they will click on the wrong link. It’s a shame, but I don’t want anything to happen.
What would you tell people unaware of the threat of cyberattacks and cyberwarfare?
My general advice to anyone is to implement as much cybersecurity as possible. Some people may say, “Come on. What’s the worst that can happen?” Well, if anyone says that, then let them go through it. Let them experience it, and let’s see if they change their minds.
What message would you like to provide for others targeted by cyberattacks?
You have my utmost sympathy. I understand it’s a very stressful and traumatic experience to go through. I am grateful I had closure on this. The company was discovered to be the fraud it was. So, I have tremendous sympathy for those without closure or those who continue to experience this type of abuse.
Thank you so much for your time.
Have you been personally affected by a cyberattack? If so, we want to hear from you. Let us know by DMing our Twitter account @DigitalPeaceNow.