Cyble, the US-based Cyber Threat Intelligence Service (1), is a global premium firm that offers tools and capabilities providing near real-time visibility into cyber threats. It has operations in India, Australia, and Singapore.
With the global pandemic, trade wars, and geopolitical tensions, India’s cyber threat landscape has become more complicated than ever (2). Companies are under the imminent threat of attack by nefarious groups such as ransomware operators. Moreover, an organization’s exposure on the deep web and dark web is a growing concern for boards and executives globally.
Cyble provides an enterprise-grade solution, Cyble Vision, powered by human analysis and machine learning, which gives organizations critical insights into threats from cybercriminals, criminal groups, and their own suppliers. It processes billions of records and events daily from the open Internet and the dark web and uses its proprietary risk models to convert these data points into actionable insights.
Its mission is to offer organizations a real-time view of their supply chain cyber threats and risks. Its SaaS-based solution gives firms insight into the cyber threats facing their suppliers, enabling them to respond quickly and efficiently.
Within two years of its inception, Cyble has built a redoubtable reputation as a cyber threat intelligence firm. It has been the first company to flag data breaches of unicorns like Bigbasket (3) and RedDoorz.
“In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion, with the table name ‘member_member.’ The SQL file size is ~ 15 GB, containing close to 20 million users’ data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), complete addresses, date of birth, location, and IP addresses of login among many others,”
– Cyble, Blog Post (4).
However, the victims of these breaches are not always appreciative. Many organizations have accused Cyble of using these hacks to promote its services.
It is worth highlighting that Cyble has publicly blogged about some firms’ data breaches that refused its services. Several firms even took legal action against it.
Cyble and Data Breaches
On 14 October, the database breach of Bigbasket, an online grocer, set off a chain of events that other startups have become too familiar with over the past year.
In the cases of platforms like Dunzo (5) and Unacademy, an edtech unicorn (6), it was neither government agencies nor established private cybersecurity organizations that brought the breaches to light. Instead, a two-year-old cyber threat intelligence company, Cyble, broke the news.
The Georgia, USA-headquartered company has a simple modus operandi. First, it informs the victim. In the case of Bigbasket, it also offered to resolve the matter for a 40,000 USD ransom on the dark web. And if the victim does not subscribe to its services, the consequence, in simple terms, is public shaming.
Notably, Cyble went public with the breach details when Bigbasket declined its offer and chose to file a First Information Report with the cybercrime cell.
RedDoorz (7), a Southeast Asian hotel aggregator, was well aware of the playbook since its hack occurred over a month before Bigbasket’s breach.
On 19 September, Cyble had informed RedDoorz of the hack of its platform and claimed that hackers on the dark web were looking to trade its customer data in bulk. Cyble’s initial move was straightforward. It would help the company retrieve the stolen data, provided the victim subscribed to its services for 140,000 USD, as per sources.
Like Bigbasket, RedDoorz declined the offer. Yet Cyble persisted and stated that the hackers would put the data on sale on the dark web within the next 72 hours, sources claim. However, after verifying the breach, RedDoorz chose to go public with the hacking details and informed users and police officials about the hack.
Sources added that despite RedDoorz’s actions, Cyble took one last crack at the company. It told the firm that it had bought the data, nearly 5.7 million records, and asked RedDoorz a final time whether it would like to subscribe to Cyble’s services, but RedDoorz refused to play ball.
The Red Flags
Two red flags emerged in the reports the startup compiled for law enforcement agencies following the event: Cyble had refused to disclose any details of the dark web source on which RedDoorz’s data was available, and it was unwilling to share any details unless RedDoorz subscribed to its services.
Cyble, in response, claimed that it is willing to share the “how,” “what,” and “who” of hacks. However, it expects firms to search the Internet or the dark web themselves to learn the “where.” It also claimed that it provides all relevant information for free and denied that it helps companies only once they subscribe to its services. It added that it charges only when customers seek specific services and assistance, and then only to cover costs.
While RedDoorz and Bigbasket refused to enlist Cyble’s services, its approaches have brought it business. Reportedly, Dunzo agreed to pay the ransom and subscribed to its services after discovering the data breach.
According to sources, Juspay, a fintech startup, which has not publicly announced any data breach, has also paid the ransom and subscribed to its services.
There is no confirmation or denial of the hack or of Juspay’s subscription to Cyble. The cybersecurity firm declined to comment. However, a source close to Juspay confirmed that the company had hired Cyble after Cyble alerted it to a breach of non-sensitive, non-financial data. The source further claims that no ransom was involved and that the firm had advised all its merchants of the event.
It is worth noting that Indian cybersecurity researchers have confirmed that the same hackers have breached Bigbasket and RedDoorz.
Cyble’s Ways Under Question
Many in the cybersecurity industry question Cyble’s methods, the efficacy of its approach notwithstanding. Brian Krebs, an American cybersecurity blogger and former journalist at the Washington Post, linked to Cyble’s blog while criticizing the practice of blogging about ransomware incidents (8).
Several cybersecurity researchers in India and Southeast Asia believe that the firm may have ties with hackers, even though the evidence is circumstantial.
According to a top executive of a cyber threat intelligence firm based in Singapore, that is not how this business functions. Such firms do not make a living out of someone else’s misery, and especially not through suspicious connections with hackers.
In theory, Cyble is similar to others in the cyber threat intelligence business.
Fundamental Ethics in Cybercrime Business
Such companies monitor several web forums where criminals and hackers sell breached databases, vulnerabilities, and records, and look for assignments. These forums exist mainly on the dark web and allow users to maintain their anonymity. Over time, these portals have grown into a breeding ground of illegal activity that facilitates everything from cybercrime and sex trafficking to drugs (9).
These cyber threat intelligence firms embed themselves in such forums similarly to how police go undercover to gather information (10). Their agents monitor the activities and conversations and raise an alert when they gather intelligence concerning their clients, possible vulnerabilities, hacks, and more.
When they come across the information of companies they do not work with, they offer them the data and help if possible. These firms also make a sales pitch with the company once the situation is resolved. Sometimes organizations sign up, and often they don’t.
Most overseas and local cyber threat intelligence firms have made clear that their sales pitches are never based on the incidents they flag, and that help is not conditional on a commercial deal.
According to the top executive of a Singapore-based firm, the most fundamental ethic of the business is to assist the victim firm, regardless of whether it is your customer.
Notably, Cyble’s conduct in the RedDoorz case does not align with these principles.
RedDoorz Data Breach
According to an executive close to RedDoorz, Beenu Arora, CEO of Cyble (11), told RedDoorz’s executives over a Zoom call that Cyble could negotiate with the hackers to retrieve the stolen data if RedDoorz paid for its subscription. Arora quoted a six-figure USD subscription fee in addition to the ransom, which ranges from 10,000 to 15,000 USD.
The RedDoorz executive asked Arora to guarantee that the hackers would not disappear with the money and still trade the data. In response, Arora clarified that Cyble had dealt with these hackers in similar incidents previously. He added that these hackers are known and have a reputation, according to the executive, who works closely with RedDoorz.
Arora further claimed that this connection had allowed the firm to retrieve 32 stolen records for RedDoorz for verification. Notably, RedDoorz was able to pinpoint the source of the breach after two days of forensic investigation. The breach involved the credentials used for storing and managing data on the cloud.
The executive stated that Beenu was visibly delighted during the video call. RedDoorz received a proposal from Cyble within a few hours of the talk, as if it had already been prepared. Cyble sent periodic reminders and warned the team of possible leaks on the dark web.
However, as per the executive, Cyble insisted that it could not communicate with the hackers unless there was a commercial deal. According to Cyble, other firms also offer “negotiations-related” services. Moreover, it acknowledged that there is no guarantee against misuse of the company’s data even after a ransom is paid. It stressed that paying a ransom is the victim’s prerogative.
Despite this, Cyble contacted RedDoorz to say that it had bought back the dark web data, after the victim had gone public with the hack details and even reported it to the Personal Data Protection Commission (PDPC) (12) of Singapore. However, the team told the cybersecurity firm that the authorities had instructed them to maintain the status quo, the executive stated.
According to a top executive at a cyber threat intelligence firm based in Singapore, after RedDoorz, Cyble had also knocked on Tokopedia’s door after discovering a breach in May. However, the e-commerce firm based in Indonesia (13) refused to subscribe to its services.
Cyble claimed that it bought these data as part of its verification process. However, the report to law enforcement agencies flagged this as odd. Even after all this, on 11 November, 5.8 million RedDoorz customer records were on sale on a dark web forum (14).
“The RedDoorz data breach is particularly nasty as the hackers have gained access and stolen the ‘holy grail’ of information — all the essentials to perform some pretty nasty and targeted identity fraud on its customers,”
– Dan Panesar, Director of Securonix Inc (15).
One can call Cyble’s approach to RedDoorz blackmail, as it persistently pushed RedDoorz to subscribe to its services. When a business declines to subscribe and such a course follows, it puts the cyber threat firm squarely in unsavory territory.
Cyble had blogged about the data breach incident and disclosed it on the clear net and dark web portals via cropped chats, screenshots, and sample data before companies like Bigbasket found out. However, RedDoorz’s decision to make a full public disclosure spared it such public shaming. One could argue that Cyble blogged about such incidents because the company was not transparent with its users. Previously, Cyble had stated that it was “flabbergasted” by the way certain organizations handled hacks.
Such practice is precisely what the cybersecurity blogger Krebs criticized. He wrote that what these blogs publish about cybercrime victims, instead of offering aid, gives comfort to an enemy that neither needs nor deserves it.
“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it”
– Tim Cook (16)
Notably, Bigbasket is not the only firm fighting back against Cyble’s public shaming. On 30 August, a similar incident occurred with Paytm Mall. In that event, Paytm Mall (17) denied the data breach and even sent a legal notice to Cyble after it blogged about the hack. Cyble subsequently added a clarification stating that the matter had been settled amicably and mutually and that it would not comment further on the issue.
Notably, John Wick, a hacker collective that Cyble had claimed was responsible for the Paytm Mall hack, denied its involvement. To underline the point, it hacked the Twitter handle of India’s Prime Minister, Narendra Modi (18).
Cyble Halting Cheap Publicity Stunts
Cyble has claimed that it does not believe Krebs’s blog post targeted the firm. However, it says that it agrees with the message. Accordingly, the firm has made changes to its internal processes, which have slowed down its ransomware blogging.
It has also removed its blogs about the breaches of the Indian Prime Minister’s website and of BharatMatrimony, India’s leading matrimonial website. Cyble indicated in a response that the move was on account of deprioritizing ransomware blogging.
The noise created by the ransomware blogging has only been good for Cyble, since it serves as a cheap publicity stunt, according to multiple cybersecurity professionals in India and Singapore.
According to a cybersecurity professional based in Pune, once a firm has enough media coverage, it can pitch to customers in developed markets with more complex data protection regulations. Cyble claims that it was selected for the Winter 2021 cohort of Y Combinator, an acclaimed startup accelerator, on the strength of its exploits of the previous year. However, Y Combinator has neither confirmed nor denied the claim.
Rapid Rise of Cyble
The two-year-old cyber threat intelligence firm, Cyble, has seen a rapid rise. Although the firm is registered in Atlanta, Georgia, USA, it has teams in India, Singapore, and Australia. The company was initially focused on supply chain risk rather than cyber threat intelligence.
It changed its focus at the beginning of 2020, as its initial offerings were not working well. However, the firm claims that it has not so much pivoted as expanded its scope. It added that risk management is still one of the critical use cases it offers its clients. It added dark web and deep web monitoring to complete its product suite.
Even though the new focus areas brought the firm into the limelight, they have also placed Cyble’s CEO and co-founder, Arora, under scrutiny. Beenu Arora had worked for nearly eight years at the professional services firm PwC (PricewaterhouseCoopers) in India (19) and Australia, and held a senior position in the cybersecurity team of BHP, an Australian natural resources major (20), before setting up Cyble in 2019.
According to former colleagues at the two organizations, Arora is hands-on with technology, especially malware analysis. He is ambitious and aspirational. When he joined PwC in Gurgaon in 2019, he was soon selected for an internal position in Australia and quickly moved up the ranks.
He was given the responsibility of setting up a fusion center at BHP. It is unclear whether Arora delivered on this. Eventually, he left BHP in January 2019 and started Cyble in July of that same year.
Arora’s Connections on the Dark Web
By all accounts, there are no doubts about Arora’s qualifications (21). Apart from his professional qualifications, he also holds a double MBA from London School of Business and Columbia University.
Today, however, he is under discussion not for his Ivy League credentials but for his dark web ones. A group of anonymous researchers of dark web and hacker forums found a handle from Arora’s early days, dark code, which endorsed a bad actor on the dark web known as ‘d3hydr8.’
While Arora has changed his aliases multiple times since then, the group claimed that it had found another link, with a user called ‘Ki3veir02.’ That handle had also posted details about the Paytm Mall data breach on RaidForums (22), a portal dedicated to sharing hacked databases and cyberattack tools.
Cyble quickly contacted an Indian dark web monitoring company after the latter tweeted about the anonymous report, and requested that it be taken down. Several companies in India and Singapore that monitor the dark web have reportedly confirmed the report’s findings.
When asked about Arora’s alleged connections to bad actors on the dark web, Cyble effectively denied the findings. It argued that security researchers and cybercriminals alike use several handles across various forums, and that the same handle can be used by different people. It added that these forums have no verification to ascertain users’ identities.
“Finally, we’re seeing that nearly everyone understands security is a business risk issue at the end of the day. I joke with my clients, ‘the board gets it, so they want to do something about cybersecurity; that’s the good news.’ But the bad news is, ‘the board gets it, and they want to do something about cybersecurity.’ But of course, it is good news.”
– Bruno Haring (23)
Cyble was vociferous when asked whether the firm had attempted to have this report removed. It stated that it is aware of some competitors in the security community who have trouble with its efficacy in uncovering threats and who have spread rumors against its management. If competitors are plotting to slander Cyble, perhaps the firm would do well to reflect on its own practices so as not to hand them ammunition.