Federal authorities say they have taken custody of a UK man who was a member of The Dark Overlord, a group that has taken credit for hacking into more than a dozen companies, stolen valuable data, and then demanded ransoms for its return. Stolen material included then-unreleased episodes of popular television shows and millions of patient records.
Nathan Wyatt, 39, was extradited from the United Kingdom to St. Louis, Missouri, after losing a year-long legal fight to block the transfer. Wyatt was arraigned in US District Court for the Eastern District of Missouri on Wednesday. He pleaded not guilty.
An indictment unsealed in the case alleged Wyatt participated in hacks on three healthcare providers, a medical records company, and an accounting firm. The indictment said Wyatt conspired with other members of The Dark Overlord to hack into the companies, steal their valuable data, and threaten to publish it unless they received payments in bitcoin.
The hackers allegedly contacted executives of the hacked companies by email and SMS text messages. When hacked companies were slow to pay the ransoms, the messages often contained threats or taunts. In July 2017, a member of the group sent a text to the daughter of an owner of one of the healthcare providers. One text read: “Hi… you look peaceful… by the way did your daddy tell you he refused to pay us when we stole his company files in 4 days we will be releasing for sale thousands of patient info. Including yours…”
Prosecutors said that Wyatt registered two phone numbers used in the crimes. One number was used to register a VPN account and a Twitter account used in the scheme. The other was used to send threatening and extortionate messages to hacked parties.
The indictment made no mention of more than a dozen other hacks that matched the same mode of operation and for which the group took credit. Among them was the release of nine episodes of in April 2017. At the time, the episodes were unavailable on Netflix. According to DataBreaches.net, which has extensively covered The Dark Overlord hacks, the group managed to breach Larson Studios, a post-production facility, and make off with the following TV shows or movies:
DataBreaches.net reported that The Dark Overlord was behind hacks on more than a dozen other companies, including ABC Networks, an insurance firm, a plastic surgery clinic, the maker of Gorilla Glue, a real estate company, and a human resources firm, to name just a few.
The Daily Beast reported in late 2017 that members of The Dark Overlord sent texts to parents in Iowa threatening to kill their kids. The Courier Journal reported death threats made to middle and high schools in the name of The Dark Overlord.
Last year, according to Bleeping Computer, authorities in Serbia arrested another alleged member of The Dark Overlord. The suspect was identified only by initials, making it hard to track the outcome of the arrest.
Wyatt was reportedly arrested in 2016 in connection with the theft of intimate and nude photos from the iCloud account of Pippa Middleton, sister of Kate Middleton, the Duchess of Cambridge. He was eventually released with no charges filed. In 2017, according to DataBreaches.net, Wyatt pleaded guilty to 20 counts of fraud by false representation, two counts of blackmail, and one count of possession of an identity document with intent to deceive (a false passport).
In January, while Wyatt was in custody in the UK, prosecutors unearthed evidence that he was involved in extortions carried out by The Dark Overlord. He has been fighting extradition ever since.