Business Day

Somalia cyberattack traced to Wyoming

• Cybercriminals set up shop in US state using legal registered agents

- Raphael Satter

LLCS SHIELD THEIR OWNERS FROM CERTAIN FORMS OF LIABILITY AND THEIR OWNERSHIP CAN BE KEPT SECRET

Somali reporter Abdalle Ahmed Mumin was doubly distressed when he heard that a colleague had been abducted by masked gunmen at the University of Mogadishu on August 17.

A fellow journalist was missing and Mumin — the chair of the Somali Journalists Syndicate — had little way of getting the word out. Digital sabotage had knocked his syndicate’s website and email accounts offline a few days earlier.

“I can still feel the frustration,” Mumin said. “Our link to the outside world, to the international media, is our website.”

It was only after getting help from Qurium, a Swedish nonprofit organisation that does digital defence work for news organisations and nonprofits, that Mumin was able to get his site back on its feet and properly raise the alarm about the missing reporter.

When Qurium investigated, it eventually traced a source of the outage to a surprising place: Wyoming.

Though Qurium said it was unable to get a lock on who pulled the trigger on the cyberattack, it did discover that the sabotage was carried out with the help of a limited liability company (LLC), based out of the vast western US state.

Reuters has found it was one of at least three instances in the past four months in which digital defenders have implicated Wyoming LLCs in high-profile hacking activity. Interviews with half a dozen tech and compliance experts and hacking victims such as Mumin suggest that the state once known as the rugged refuge for 19th-century bandits is now catering to 21st-century outlaws.

“It’s the virtual wild, Wild West,” said Sarah Beth Felix, who runs Palmera Consulting, an anti-money-laundering advisory firm. She said the state has made registering anonymous shell companies so easy that foreign crooks “don’t have to be physically in Wyoming to hide out in Wyoming”.

Joe Rubino, the general counsel for the Wyoming secretary of state’s office, which is responsible for registering the state’s business entities, said his colleagues are taking the information flagged by Reuters “for further review and investigation”.

He added that Wyoming’s secretary of state, Chuck Gray, supports the idea of new laws “to prevent abuses of Wyoming’s corporate filing system by foreign entities”, but that the state legislature has yet to take the matter up.

Reuters was unable to determine how often cybercriminals use Wyoming LLCs, but Tord Lundstrom, Qurium’s technical director, said they are finding favour with cybercriminals who use them to help pass their internet traffic off as coming from inside the US, a valuable trick for hackers seeking to bypass digital defences that tend to flag or block web traffic coming from less trusted locations, such as Russia or Iran.

LLCs, like corporations, shield their owners from certain forms of liability but tend to be easier to set up. Because Wyoming allows registered agents — in-state representatives — to serve as the public point of contact for LLCs, their ownership can be kept secret from the wider public.

Wyoming is not alone in allowing anonymous shell companies — Delaware and Nevada have similar offerings — but Lundstrom said hackers particularly favour Wyoming LLCs because they are advertised as cost-effective and user-friendly.

BRAZEN ATTACK

The act of cyber sabotage that knocked the Somali Journalists Syndicate offline in August is known as a distributed denial of service, or DDoS, which clobbers targeted sites with a fire hose of malicious traffic.

Qurium found that one stream of rogue data ran through an IP address block registered to Aliat, an LLC domiciled in Sheridan, a small Wyoming city at the foot of the Bighorn Mountains.

Reuters’ attempts to reach Aliat were unsuccessful. A message left via the contact form on the company’s website on October 9 was met with an automated message promising a response “within 48 hours”. Corporate records show that the LLC was dissolved the same day, though it was later reinstated.

No response was ever provided.

In September, a DDoS operation knocked the Vienna-based International Press Institute (IPI) offline. The organisation had just published a report on how DDoS operations were bedevilling Hungarian independent media outlets when they too were slammed with a tidal wave of junk traffic — something the group later described as “the most brazen and direct attack on IPI’s online infrastructure in our history”.

It took the IPI about 10 days to fully restore the site’s functionality. Qurium was once again able to trace some of the rogue data back to a Wyoming LLC — a web hosting company called HostCram.

Run by a 23-year-old Bangladeshi named Shakib Khan, the firm is registered in Buffalo, a tiny city that was once a hangout for the infamous train robbers Butch Cassidy and the Sundance Kid.

Qurium said that Khan told them he is terminating a client following the incident but provided no further detail. Khan said he will share his client’s identity only with law enforcement.

As to why he had registered a company in Buffalo, he said: “Wyoming is great for online businesses.”

WIDESPREAD ABUSE

Experts say a single shell company can serve as the springboard for widespread abuse.

In 2017 a pair of cybersecurity researchers traced waves of digital break-ins and spam targeting a host of organisations to an online proxy service run by Russian IT entrepreneur Ilia Trusov.

Despite the public exposure — and a subsequent report by Qurium also tying him to DDoS operations — Trusov registered two Wyoming LLCs, Security Servers and Traffictransitsolution, in 2019.

Trusov said the allegations are unfair. He said he has no tolerance for cybercrime and often worked with police agencies to fight it. He flashed his passport and US and European visas as proof that he is not trying to mask his identity and has never been in trouble with the law.

Trusov did acknowledge setting up shell companies in Wyoming so that his clients’ web traffic would look American. He said having a US shell company was also helpful in terms of fielding legal requests. Another bonus: anonymity. “In Wyoming, you can’t go and check owners,” he said.

Trusov’s LLCs have since been dissolved, but another Wyoming shell company has faced scrutiny more recently.

In August 2023 the anti-ransomware firm Halcyon accused an Iran-linked internet company called Cloudzy of providing services to “a rogue’s gallery” of digital spies and cybercriminals, in part through Sheridan-based RouterHosting LLC.

Cloudzy CEO Hannan Nozari denied turning a blind eye to malicious activity, which he said is “a serious problem all of us face”.

He said he was based in Dubai and registered RouterHosting under the mistaken assumption that he needed it to buy internet infrastructure in North America.

He said he has recently enhanced his service’s security and had the Wyoming company dissolved.

As foreigners living abroad, neither Nozari nor Trusov nor Khan would have been able to set up Wyoming LLCs were it not for registered agents.

RouterHosting was set up with the help of a Sheridan-based registered agent called Cloud Peak Law Group.

Aliat, HostCram and Trusov’s LLCs were represented by a firm called Registered Agents, which also lists a Sheridan address.

Cloud Peak did not respond to questions. Registered Agents said in a statement that, while the company does not comment on specific client relationships, it follows relevant state rules and due diligence requirements.

“Commercial registered agents are not policing agencies,” the company added.

Mumin, the head of the Somali journalists’ syndicate, said no-one has been held accountable for the cyber sabotage that crippled his organisation in August. He has no sympathy with the notion that Wyoming’s registered agents are not required to police their clients.

“They should be ashamed, these companies in Wyoming, that they haven’t been able to — or they don’t care to — check who their customers are,” Mumin said.

Modern outlaws: A mural in Buffalo, Wyoming, US. Wyoming is not alone in allowing anonymous shell firms, but hackers favour Wyoming LLCs because they are advertised as being cost-effective. /Reuters
