Europol, with the help of the London Metropolitan Police, the French National Police and the Royal Thai Police, has arrested eight suspects believed to be part of a well-known hacker group called Rex Mundi.
Rex Mundi is a group of hackers known for compromising companies’ databases, stealing private information and threatening to release the data to the public unless a ransom is paid.
The group is known to have been active since 2012, although the exact date it formed is unknown.
In a January 2015 post on Pastebin, Rex Mundi described themselves as “a collective of hackers who hack for fun, thrills and most importantly for profit.”
The post contained a shared Bitcoin address accepting donations supporting their activities.
Rex Mundi’s Activities
Rex Mundi’s cyberattacks left a series of victims. The group often leaked stolen data on the internet when a company refused to pay the ransom.
In June 2014, when Domino’s Pizza was breached, Rex Mundi quickly claimed responsibility for the attack.
They claimed to have breached the company’s servers and downloaded over 600,000 customer records, which included data such as full names, addresses, phone numbers, e-mail addresses and passwords.
After the data breach, they sent emails to Domino’s Pizza in France and Belgium to alert them of their attack.
They also used the contact forms on the company’s websites to demand a fee of 30,000 Euros, payable by 8 p.m. CET on June 16, in exchange for not releasing the data.
If their demands were not met, Rex Mundi would post all the data they had stolen on the internet.
To minimize damage, the company contacted the affected customers and invited them to change their passwords for Domino’s Pizza websites to avoid any risk of phishing and fraudulent use of their personal information.
Domino’s Pizza filed a complaint with the authorities and declined to comment further on the ransom.
The hacker group also claimed to have breached the servers of AmeriCash Advance and stolen the names, email addresses and phone numbers of their loan applicants, together with the amounts requested for the loans and the intended purpose of the loans.
The hackers demanded $20,000 in exchange for not publishing the data online. They went ahead and released the compromised information after the company refused to pay.
In December 2014, the group opened an online portal (reachable via Tor) to host data from organizations that had failed to pay their ransom.
This was an attempt to pressure the firms into paying their ransom demand.
In January 2015, Rex Mundi also attacked Banque Cantonale de Geneve and, just as they did with the other firms, stole online data and initially demanded a ransom of thousands of dollars.
After the bank officials refused to pay the ransom, the hackers proceeded to leak 30,000 private emails sent by both Swiss and foreign customers.
In a statement, the bank’s spokesperson said that it chose transparency over giving in to blackmail.
The group continued their attacks and extortion until around May of last year.
According to a statement from Europol, the end of the line for the group was when they tried to extort an undisclosed British company and the authorities began investigating them.
The group claimed credit for stealing a significant amount of customer information from the British organization.
A few days later, the company received a phone call from a French-speaking person who identified himself as a member of Rex Mundi.
They shared login details with the company to prove that they had access to the data.
The caller then demanded a ransom of 580,000 Euros for non-disclosure of the information or over 825,000 Euros for details on the data breach and how to handle it.
The hackers also included a penalty for not paying the money quickly. For every day the company failed to meet the ransom demand, there would be an added ransom of 210,000 Euros.
The company reported the incident to the London Metropolitan Police, who then informed the French National Police and Europol, and an international investigation began.
After London Metropolitan Police shared the information with Europol, the authorities were able to tie the data to a French individual in just one hour.
The investigation led to the arrest of five people in France in June 2017. The primary suspect was among the five.
He admitted to his involvement in the blackmail, but he had hired a hacker on the dark web to carry out the cyberattacks.
Two more suspects were arrested by French National Police in October 2017.
And in May of this year, the last suspect of the Rex Mundi hacker group, a French national with coding skills, was arrested in Thailand by the Royal Thai Police on a French arrest warrant.
This came after a year-long investigation aimed at shutting down the notorious Rex Mundi group.