The Somali reporter Abdalle Ahmed Mumin was doubly distressed when he heard that masked gunmen had abducted a colleague at the University of Mogadishu on the morning of Aug. 17. A fellow journalist was missing. Mumin – the chairman of the Somali Journalists Syndicate – had little way of getting the word out. Digital sabotage had knocked his syndicate’s website and email accounts offline a few days earlier.
The hackers used a Wyoming shell company to hide their activity. That, experts say, is not unusual. Wyoming is one of many states that allow companies to register as limited liability companies, or LLCs, and shield the identity of their owners from public view. Reuters found that these firms are a popular tool for cybercriminals trying to skirt detection.
A Wyoming-registered LLC called “HostCram” was the source of the sabotage against the Somali journalists’ syndicate and dozens of other victims. The company could not be reached for comment. Reuters left a message through the contact form on its website but has yet to receive a reply. Company records show it dissolved on Oct. 9, though the website still promises to respond within 48 hours.
Reuters has identified dozens of cyberattacks that use LLCs, most in the United States. The attacks have exposed millions of customer data points and tens of billions of dollars in value, including some of the world’s most significant cryptocurrency holdings. In some cases, cybercriminals have hacked their LLCs to cover their tracks.
For example, in the fall of 2017, a credit reporting agency revealed that attackers accessed the personal data of more than 150 million customers. That same month, it was reported that more than 90,000 Canadian bank customers had their account information stolen in a hack. A few months later, South African firm ViewFines was hit with a cyberattack that exposed the contact details of 934,000 drivers.
These kinds of attacks typically target servers that process large amounts of data. A hacker will try to overload a server with traffic to make it crash or slow down. This is called a denial of service attack.
Some DDoS attacks are more sophisticated than others. Last year, a British criminal was jailed for using his LLC to launch a massive DDoS attack on Liberia’s Internet. Prosecutor Robin Sellers told Blackfriars Crown Court that Daniel Kaye had built a botnet, or network of computers infected with malware, to launch the DDoS attack.
The attack worked by secretly hijacking thousands of Chinese-made Dahua webcams, flooding them with data to overwhelm them and halt operations. The prosecutor said Kaye used a server in the Netherlands registered to an LLC in Wyoming.
How often cybercriminals use LLCs for their ends is still being determined, but researchers say they are a popular choice because they can be set up quickly and easily. They provide criminals with anonymity in some parts of the world. They are also helpful because they don’t raise flags at international border crossings like the Panamanian entities and can be repurposed for other nefarious purposes.