Security researcher Dominic Alvieri has uncovered striking similarities between parts of DarkVault’s site and LockBit’s branding, suggesting a potential link between the two gangs. DarkVault’s mirror sites closely resemble LockBit’s dark leak site, including similarities in font, colors, and even the ransom demand countdown clock.
However, after Alvieri shared his findings on X, any traces of LockBit on DarkVault’s blog mysteriously disappeared, indicating a swift correction by the gang.
Despite completing DarkVault’s ransomware blog layout, it remains devoid of any victims. DarkVault presents itself as an exclusive online community dedicated to exploring technology, privacy, and security. Its founders, ‘Neroces’ and ‘criminaldo.’, are listed on the contact page.
The blog hints at DarkVault’s potential expansion into new services, including ‘Doxes, BlackHat Services, and Pwned Sites.’ While most pages are empty, the BlackHat Services category lists various illegal activities and financial frauds, such as defacing websites, bank check templates, cookie logins, and spamming. It also includes more sinister actions like bomb threats, drug recipes, account brute-forcing, and malware creation. Ironically, the blog’s artwork features a cat atop a vault amidst ongoing tensions between LockBit and rival ransomware gang ALPHV/BlackCat.
Both LockBit and ALPHV hold prominent positions in the ransomware crime hierarchy, with strong ties to Russia’s cyber underworld. Together, they have carried out over 1,400 attacks globally. According to Cybernews’ Ransomlooker, LockBit accounted for 47% of all publicly announced ransomware victims in the past year.
