Europol has announced the arrests over the past year of eight French nationals who are suspected of being involved in a long-running hacking ring called Rex Mundi.
The latest in a string of arrests was made by Thai police, which acted on a French international arrest warrant and apprehended “a French national with coding skills” on May 18 of this year. This operation capped a year-long effort that also resulted in the arrests of another seven people believed to be the gang’s members, who were nabbed by French police in June and October 2017.
Rex Mundi (Latin for “King of the World”) made a name for itself with multiple hack-and-extort campaigns that mainly victimized companies in Europe. As we also reported in 2014, the gang typically hacked into corporate networks and ransacked them for sensitive information before demanding ransom payments on pain of dumping the data online. On a number of occasions, the group delivered on its threats.
As per Bleeping Computer, the earliest reports of the crew’s activities date back to the summer of 2012. The gang would initially take to Twitter to brag about its shenanigans, only to opt for a more low-key profile later on.
How the crew’s undoing unfolded
Law enforcement began to turn the tables on the gang in May 2017, shortly after the group claimed credit for stealing troves of customer data from an unnamed UK-based firm. A member of the gang then phoned the company and demanded either €580,000 for not going public with the data or over €825,000 (both in bitcoin) for also sharing details about how the intrusion had been carried out. For each day the company failed to pay, the criminals demanded a ransom of €210,000, according to Europol.
The company refused to pay up and contacted the UK Metropolitan Police, which gathered and then relayed information about the attack to French police and Europol. “Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” said the European Union’s law enforcement agency.
French police then moved to nab a total of five suspected members of the group in June 2017 and another two in October. The primary suspect admitted to his role in the latest extortion campaign, but said that the breach itself had been perpetrated by a hacker whom he had hired on the dark web.