How cybercriminals are using Wyoming shell companies for global hacks
[December 12, 2023]
By Raphael Satter
WASHINGTON (Reuters) - Somali reporter Abdalle Ahmed Mumin was doubly
distressed when he heard that a colleague had been abducted by masked
gunmen at the University of Mogadishu on the morning of Aug. 17.
A fellow journalist was missing and Mumin - the chairman of the Somali
Journalists Syndicate - had little way of getting the word out. Digital
sabotage had knocked his syndicate's website and email accounts offline
a few days earlier.
"I can still feel the frustration," Mumin told Reuters. "Our link to the
outside world, to the international media, is our website."
It was only after getting help from Qurium, a Swedish nonprofit that
does digital defense work for news organizations and nonprofits, that
Mumin was able to get his site back on its feet and properly raise the
alarm about the missing reporter.
When Qurium investigated, it eventually traced a source of the outage to
a surprising place: Wyoming.
Although Qurium said it wasn't able to get a lock on who pulled the
trigger on the cyberattack, it did discover that the sabotage was
carried out with the help of a limited liability company, or LLC, based
out of the vast western state.
Reuters has found it was one of at least three instances in the past
four months in which digital defenders have implicated Wyoming LLCs in
high-profile hacking activity. Interviews with half a dozen tech and
compliance experts and hacking victims like Mumin suggest that the state
once known as the rugged refuge for 19th century bandits is now catering
to 21st century outlaws.
"It's the virtual Wild, Wild West," said Sarah Beth Felix, who runs
Palmera Consulting, an anti-money laundering advisory firm. She said the
state made registering anonymous shell companies so easy that foreign
crooks "don't have to be physically in Wyoming to hide out in Wyoming."
Joe Rubino, the general counsel for the Wyoming Secretary of State's
Office, which is responsible for registering the state's business
entities, said his colleagues were taking the information flagged by
Reuters "for further review and investigation."
He added that Wyoming's Secretary of State, Chuck Gray, supports the
idea of new laws "to prevent abuses of Wyoming's corporate filing system
by foreign entities" but that the state legislature had yet to take the
matter up.
Reuters was unable to determine how often cybercriminals use Wyoming
LLCs, but Tord Lundstrom, Qurium's technical director, said they were
finding favor with cybercriminals who used them to help pass their
internet traffic off as coming from inside the United States, a valuable
trick for hackers seeking to bypass digital defenses that tend to flag
or block web traffic coming from less trusted locations, such as Russia
or Iran.
LLCs, like corporations, shield their owners from certain forms of
liability but tend to be easier to set up. Because Wyoming allows
registered agents – in-state representatives – to serve as the public
point of contact for LLCs, their ownership can be kept secret from the
wider public.
Wyoming isn't alone in allowing anonymous shell companies – Delaware and
Nevada have similar offerings – but Lundstrom said hackers particularly
favored Wyoming LLCs because they were advertised as cost effective and
user friendly.
'BRAZEN AND DIRECT ATTACK'
The act of cyber sabotage that knocked the Somali Journalists Syndicate
offline in August is known as a distributed denial of service, or DDoS,
which clobbers targeted sites with a firehose of malicious traffic.
Qurium found that one stream of rogue data ran through an IP address
block registered to Aliat, an LLC domiciled in Sheridan, a small Wyoming
city at the foot of the Bighorn Mountains.
Reuters' attempts to reach Aliat were unsuccessful. A message left via
the contact form on the company's website on Oct. 9 was met with an
automated message promising a response "within 48 hours." Corporate
records show that the LLC was dissolved the same day, although it was
later reinstated.
No response was ever provided.
In September, a DDoS operation knocked the Vienna-based International
Press Institute offline. The organization had just published a report on
how DDoS operations were bedeviling Hungarian independent media outlets
when they too were slammed with a tidal wave of junk traffic – something
the group later described as "the most brazen and direct attack on IPI's
online infrastructure in our history."
30 North Gould Street is pictured in Sheridan, Wyoming, U.S.,
November 30, 2023. REUTERS/Jim Urquhart/File Photo
It took the IPI about 10 days to fully restore the site's
functionality. Qurium was once again able to trace some of the rogue
data back to a Wyoming LLC – a web hosting company called HostCram.
Run by a 23-year-old Bangladeshi named Shakib Khan, the firm is
registered in Buffalo, a tiny city which was once a hangout for the
infamous train robbers Butch Cassidy and the Sundance Kid.
Qurium said that Khan told them he was terminating a client
following the incident but provided no further detail. Khan told
Reuters he would only share his client's identity with law
enforcement.
As to why he'd registered a company in Buffalo, he said, "Wyoming is
great for online businesses."
'THEY SHOULD BE ASHAMED'
Experts say a single shell company can serve as the springboard for
widespread abuse.
In 2017 a pair of cybersecurity researchers traced waves of digital
break-ins and spam targeting a host of organizations to an online
proxy service run by Russian IT entrepreneur Ilia Trusov.
Despite the public exposure – and a subsequent report by Qurium also
tying him to DDoS operations – Trusov registered two Wyoming LLCs,
Security Servers and Traffictransitsolution, in 2019.
In video calls with Reuters, Trusov said the allegations were
unfair. He said he had no tolerance for cybercrime and often worked
with police agencies to fight it. He flashed his passport and U.S.
and European visas as proof that he wasn’t trying to mask his
identity and had never been in trouble with the law.
Trusov did acknowledge setting up shell companies in Wyoming so that
his clients' web traffic would look American. He said having a U.S.
shell company was also helpful in terms of fielding legal requests.
Another bonus: Anonymity.
"In Wyoming, you can't go and check owners," he said.
Trusov's LLCs have since been dissolved, but another Wyoming shell
company has faced scrutiny more recently.
In August of this year the anti-ransomware firm Halcyon accused an
Iran-linked internet company called Cloudzy of providing services to
"a rogue's gallery" of digital spies and cybercriminals, in part
through Sheridan-based RouterHosting LLC.
Cloudzy chief executive Hannan Nozari denied turning a blind eye to
malicious activity, which he said was "a serious problem all of us
face." He told Reuters he was based in Dubai and registered
RouterHosting under the mistaken assumption that he needed it to buy
internet infrastructure in North America. He said he had recently
enhanced his service's security and had the Wyoming company
dissolved.
As foreigners living abroad, neither Nozari nor Trusov nor Khan
would have been able to set up Wyoming LLCs were it not for
registered agents.
RouterHosting was set up with the help of a Sheridan-based
registered agent called Cloud Peak Law Group. Aliat, HostCram and
Trusov's LLCs were represented by a firm called Registered Agents
Inc, which also lists a Sheridan address.
Cloud Peak didn't respond to questions. Registered Agents Inc said
in a statement that, while the company didn't comment on specific
client relationships, it followed relevant state rules and due
diligence requirements.
"Commercial registered agents are not policing agencies," the
company added.
Mumin, the head of the Somali journalists' syndicate, said no one
had been held accountable for the cyber sabotage that crippled his
organization in August. He had no sympathy with the notion that
Wyoming's registered agents weren't required to police their
clients.
"They should be ashamed, these companies in Wyoming, that they
haven't been able to – or they don't care to – check who their
customers are," Mumin said.
(Reporting by Raphael Satter in Washington. Editing by Chris Sanders
and Claudia Parsons)
[© 2023 Thomson Reuters. All rights reserved.] This material
may not be published, broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.