[BreachExchange] Besa Mafia: Dark Web Hitman For Hire Site Takes A Hit

[Audrey McNeil]

https://www.riskbasedsecurity.com/2016/05/besa-mafia-dark-web-hitman-for-hire-site-takes-a-hit/

News reports of websites being hacked and data being leaked has become an
all too common occurrence. Most of the press focuses on popular or well
known sites, rarely touching on leaks from sites that reside in the
recesses of the “deep web” or “dark web”, accessible only by means such as
TOR network software. While such breaches may happen frequently, they
rarely see the light of day.

A few weeks ago, one such dark web site going by the name “Besa Mafia”
became victim of a hacker using the handle “bRpsd”, who breached the site’s
database and posted the information online where it was accessible to
anyone. The information posted is a potential serious concern as the Besa
Mafia site has a reputation as being an actual hitman-for-hire service with
links to the Albanian mafia.

Leaked Files

Data leaked in this breach contains user accounts, user personal messages,
‘hit’ orders posted to the site, and a folder named ‘victims’ that contains
additional documents within it. The leak was uploaded to the files.fm site
in a compressed archive format. When extracted, the archive contained two
CSV files and one additional ZIP file which contains photos of victims from
the ‘hit’ orders on the site. The original leak post also contained 250
accounts with usernames, email addresses, and passwords however this data
was not included in the download.

The two CSV files from the leak are named orders.csv and msg.csv that
contain 38 ‘hit’ orders and 2,682 personal messages to and from site
administrators.

Besa Recruitment

Besa has a unique way of putting users who apply to be a hitman-for-hire to
the test by asking them to perform a criminal task. That task generally
involves activity such as stealing and crashing a car, setting it on fire
along with a unique personal message – all while being filmed for evidence.
An actual message from the site administrator to hitman applicants goes
like this: (Note – message text sent to applicants varies. The formatting
of the below message has been modified for readability, all spelling and
wording is as-is from the original message)

127762,11,30651,admin,besa at sigaint.org,”test order”,active,”2016-04-01
12:03:11″,”

Hello,

 Ok, the test order:

 You need to get some hooded jacked, and set fire to a car.

 Select a car from any place you want, make sure is somehow in a place to
avoid the fire extent to other places, we don’t want to burn the hole city
down.

Write down on a A4 paper ‘

Gang member for Besa Mafia,

dedication to Pinochet and FOX,

2th April 2016

with big letters and marker, to be visible.

Use a smart phone to make a video of 1 minute, first show the paper to the
camera, spill gas on the car and video record while doing so, then get
back, throu the cotton thing with fire on it to the car, and video record
it, while holding the paper or cartoon up so the car is visible burning
behind it

Video it for like 5-6 seconds then run away and hide

throw the fire to it from a 2-3 meters, make sure you don’t burn yourself
when doing this.   Is very important that you know what you are doing,
gasoline burns quickly if you are not able to set a car on fire while being
safe don’t do it.

We don’t want our members to be hurt.

Select a car into some remote place from where you can run away and hide
after setting fire to it. It is very important that you send us the video
as proof after that. The video should clearly see the a4 paper in the frame
and with the burning car bihind it, and see while you spill the gas and
light up the car
Do it profesionally
Let me know

After you do this, make a fake name youtube account and upload the video
there and give us the link. We will download it and consider your test
order done, and we will give you orders from customers

Please make sure you don’t speak in the video, as voice can be used to
recognize by police, and that no one can recognize you from the video

And is very important that you have the message on the paper seen in the
video, you can record the burning car from 3-4-5 meters or more, stay safe
and make it look good, spil like 5 or 10 liters of gasoline all over the
car to make a good fire

After doing additional research, we discovered a video on YouTube named
“Besa mafia burning car” that was uploaded on the 20th of April that
included the unique message within the bulk of personal messages leaked.

We discovered there had been an actual task set by Besa administrators on
the 1st of April (was this just a joke? Unfortunately, probably not!).

Additional videos of cars burning along with the Besa message can be found
here and here.

The Personal Messages

The personal messages exchanged offer amazing insight into the life behind
a Deep Web hitman-for-hire. Of specific interest are the type of messages
where the administrators express a willingness to help law enforcement and
others seeking information on behalf of authorities. In one such example,
the administrator was contacted by someone investigating a possible hit
order on Texas woman. After a very few short messages, the site
administrator handed over all information that had been provided by the
individual ordering the hit.  The admin also included their information
stating they were willing to work with the FBI if needed and granting
permission for this person to contact them again should they need
additional information about contracted hits within Texas.

Other messages include talk about money transfers, transfers not being
completed, checking in on order status, and individuals asking if their
targets can just be “really hurt” as they would prefer something sort of
actual death. Even more interesting is the talk about fake hitmen!

A fake hitman is mentioned a few times throughout the messages. When
reading through them in context it suggests that the site has no real
hitmen and its aim is to alert law enforcement around the world to possible
hit attempts, people seeking to hire hitmen, or individuals seeking to
become hitmen and have found their way to the Besa site. One such example
is:

> Hello,

> Yes, that is correct.

>  We receive orders

> to kill people from all over the world, however our site is

> fake and we don’t have any hitmen.

  We forward the orders

> to police departments where the targets are located.

  > janeblondiesexy at gmail.com is one of our emails on google, we

> use it to send notifications of hit orders to police.

Looking into the history of Besa, it is interesting to see posts by users
on totally unrelated forums – dating back in December 2015 – making
comments about Besa. One user claims that someone was making threats to
hire a hitman to kill them from Besa Mafia. There is also a website
dedicated to exposing Besa Mafia’s service called hire-a-hitman.com that
claims to be figthing to expose sites like Besa.

Despite the administrator writing that the site is fake, the jury is out as
to whether Besa is real or something else entirely. There have been posts
claiming that a news report of a man found dead in his car was the result
of a hired hitman contracted to take out an individual that allegedly
sexually abused his girlfriend.  Another blog post on an unrelated site has
a very similar story of a 27-year old woman who was sexually abused and
wanted revenge. Shewrites in this blog post:

“At late in the night, I received an message on my Besa Mafia account, the
job has been done. I received picture as proof, but they also recommended
me to go back in my city and check in the neigberhood, I will hear from
people that two guys were shot.”

If you are curious what other people think about the legitimacy of the Besa
service, there is a reddit post that offers some interesting insight.
What we can tell you is that at the end of the day, as we continue to track
data breaches, even deepweb sites that offer some apparently shocking
services are not immune to their own security issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160512/90444062/attachment.html>