TheDarkOverlord leaks upcoming episode of Orange is the New Black after Netflix doesn’t pay extortion demand (Updated)

After a two-month hiatus, and with pixels to spare, TheDarkOverlord let it be known today that they are still hacking and attempting to extort their victims:

And so let it be read that the loathsome giants do too fall. Hello Netflix, we’ve arrived: https://t.co/Fmb1gsZf4a — thedarkoverlord (@tdohack3r) April 28, 2017

“And so let it be read that the loathsome giants do too fall. Hello Netflix, we’ve arrived.”

NBC, ABC, CBS, Fox, Netflix, IFC, E!…. with a well-placed attack last year, the hacker or hackers known as TheDarkOverlord (TDO) managed to acquire a lot of intellectual property: upcoming episodes of popular TV shows and movies. Right now they want Netflix to pay them not to release their intellectual property on torrent sites. Eventually, the other networks will likely receive similar demands.

[Note: Because DataBreaches.net cannot confirm whether TDO is actually one individual or a collective, TDO will be described as “they” in this report.]

As TDO has often commented to this blogger, they love going after third-party vendors. On December 26, in an encrypted chat, TheDarkOverlord (TDO) informed DataBreaches.net that they had recently come across what they described as hundreds of GBs of unreleased and non-public media from a studio located in Hollywood. They anticipated announcing the hack shortly after the new year.

TDO provided this site with a preview of some of the material, which included XXX: Return of Xanger Cage (2017), Bill Nye Saves The World (Season 1), and Orange Is The New Black (Season 5).

With a little sleuthing, DataBreaches.net was able to determine that the victim studio was Larson Studios, Inc., an award-winning audio post-production studio in Hollywood. TDO would later confirm their identity.

TDO would not reveal the attack method nor how much the ransom demand was, but DataBreaches.net was able to obtain a copy of a contract both TDO and a representative of Larson allegedly signed. The contract, signed December 27, indicated that the studio would pay TDO 50 BTC by January 31. TDO signed the contract as “Adolf Hitler.” The signature of the company representative was indecipherable, but TDO claimed that it was the CFO of the firm who signed.

Further investigation revealed that the 37 titles TDO obtained included a number of films and series that would first premiere in 2017. For existing shows, the entries below indicate that 2017 episodes were acquired by TDO:

A Midsummers Nightmare – TV Movie

Above Suspicion – Film

Bill Nye Saves The World – TV Series

Breakthrough – TV Series

Brockmire – TV Series

Bunkd – TV Series

Celebrity Apprentice (The Apprentice) – TV Series

Food Fact or Fiction – TV Series

Handsome – Film

Hopefuls – TV Series

Hum – Short

Its Always Sunny in Philadelphia – TV Series

Jason Alexander Project – TV Series

Liza Koshy Special – YoutubeRed

Lucha Underground – TV Series

Lucky Roll – TV Series

Making History ) – TV Series

Man Seeking Woman – TV Series

Max and Shred – TV Series

Mega Park – TV Series

NCIS Los Angeles – TV Series

New Girl – TV Series

Orange Is The New Black – TV Series

Portlandia – TV Series

Rebel In The Rye – Film

Steve Harveys Funderdome – TV Series

Story of God with Morgan Freeman – TV Series

Superhuman – TV Series

The Arrangement – TV Series

The Catch – TV Series

The Middle – TV Series

The Stanley Dynamic – TV Series

The Thundermans – TV Series

Undeniable with Joe Buck – TV Series

Win It All – Film

X Company – TV Series

XXX Return of Xander Cage – Film

The new year came and went and there was no public announcement from TDO. In encrypted chat, TDO indicated that although the studio had previously agreed to pay, they had stopped responding to TDO.

DataBreaches.net reached out to the owners of Larson Studios in February, after the January 31 deadline had passed, to ask for a statement, but they did not respond to email requests.

In response to subsequent inquiries, TDO claimed that they were having some server difficulties setting up the torrent. But after more time went by, they informed this blogger that with some regret but also some relief, they had decided not to go forward with their plan, telling this site that no one really seemed interested in TV shows and movies.

Sometime between then and now, TDO changed their strategy, switching from attempting to extort Larson Studios to attempting to extort Netflix.

Today, TDO uploaded what they claim is the first episode of the new season of Orange is the New Black. In a statement originally posted on GitHub and then re-posted on Pastebin, they wrote that Netflix’s failure to respond offended them and forced their hands:

…. Armed with this information, we naturally approached Netflix and the others in an attempt to devise a mutually-beneficial arrangement where we are paid and Netflix and friends don’t wake up to find their hard work plastered on the internet. Our proposals went unanswered so our hands have been forced. We were quite offended by our targets’ responses (or lack thereof).

DataBreaches.net was unable to authenticate the episode, but notes that Netflix has not issued any statement denying its authenticity.

Whether TDO will actually attempt to extort any other company remains to be seen, although later today they tweeted that they would be contacting others:

Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore. — thedarkoverlord (@tdohack3r) April 29, 2017

“Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore.”

Netflix has been asked for a statement and this post will be updated if and when one is received.

Update: TDO appears to have leaked the remainder of Season 5 of Orange is the New Black with a statement on Pastebin noting that episodes 2-10 have been released as torrents. TDO also appears to have been busy giving media outlets more details on the incident, suggesting that playing/trying to use the media to increase pressure on targets remains part of TDO’s methods.

Update 2: Netflix sent this site the stock statement that they are sending to all media/news sites:

We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.

Netflix presumably knew about the hack since December or whenever Larson notified them. The FBI was involved by February, and probably much earlier. So what did Netflix actually do once it learned their IP was in the hands of TDO? Even cursory research on TDO would reveal that they had established a reputation for vindictively dumping data from entities that they felt had not shown them proper respect as “professionals” and/or who had ignored their demands. The dumping of data (episodes) was predictable if Netflix had no plans to pay any extortion demand. So what did Netflix actually do? And will the other networks stand firm, too, and refuse to pay extortion? If even one victim pays extortion, that only encourages more attacks and extortion demands.

For those who are first learning about TheDarkOverlord, just search this site for “thedarkoverlord.” You’ll find dozens of articles on previous hacks, most of which targeted medical clinics and patient data, but some of which targeted businesses, including a Navy contractor.

Update 3: May 1: TDO tweets that it’s “nearly time to play another round.” Thousands of people have followed the @tdohack3r Twitter account since the start of the Netflix dumps, many cheering the hacker(s) on. Before you encourage a blackhat, take a few minutes to find out what else they’ve done. Do you really want to encourage people who hack sensitive patient information and then try to extort clinics so that the patient data isn’t revealed publicly? Are these really your heroes?

And if you’re a journalist new to covering TheDarkOverlord or hacks like these, note that making an extortion demand as they have done is NOT the same thing as using “ransomware.” I’ve blogged about that before, and now Steve Ragan of Salted Hash has also tried to hammer that point home for reporters.