Is GhostSec finished with cybercrime?

I remember the day I tried to hang up my black hat for good.

I was in a state of dichotomous thinking, you see. It’s challenging to be a black hat cybercriminal while also working as a hacktivist on the frontline of a moral fight against corruption and injustice. Sebastian Dante Alexander, the leader of GhostSec, has done just that, marking his withdrawal from The Five Families.

When you’re fighting against corruption and injustice, all too often we see good hackers become corrupted by their quest for more power, control, and influence. What started in secret is now a public spectacle. Among mainstream hacktivist groups, the allure of attention often overshadows the quality of the attacks they carry out.

In the end, such groups ultimately mirror the very corruption of governments and corporations they were once fighting against. They become their own enemy. Just as the allure of the Dark Side has the power to seduce even good Jedi who lose sight of their noble plight, there is a Dark Side to hacktivism, which is cybercrime, and it beckons to us all.

However, the Dark Side of hacktivism only defines us if we are committed to that ideology.

Therefore, what happens when the cornerstone of The Five Families decides to quit and return to the frontline of the good fight in cyberspace?

GhostSec, a brief overview

Without fleshing out an entire origin story, GhostSec is prominently known for its unusual crowning achievements in the world of hacktivism, which has given the group distinction among its many peers.

In 2015, GhostSec’s counter-terrorism operation thwarted two ISIS terrorist attacks planned to be executed in Tunisia and New York. Their ability to find and interpret secret code words used by online ISIS recruitment posts on social media is unparalleled.

In April 2022, the hacktivist group seized control of Russia’s Metrospetstekhnika’s IT system, immobilizing every train in the transit system in support of Ukraine. The act of sabotage prevented the Russian movement of military supplies through Belarus to Ukraine.

In protest of the Israeli war against Palestine, the hacktivist group broke into Israel’s Industrial infrastructure and disrupted 11 Global Navigation Satellite System (GNSS) devices, whereby they deleted the data collected by each satellite.

During these years, GhostSec used ransomware in their hacktivism campaigns as a means to frustrate their geopolitical targets, taking from the rich and giving to poor hackers, and a percentage to charity.

On August 28, 2023, The Five Families was formed - an alliance consisting of GhostSec, ThreatSec, Stormous, Blackforums, and SiegedSec. Two months later, GhostSec launched GhostLocker, a Ransomware-as-a-Service (Raas). GhostLocker 2.0 is described as a new strain of ransomware. The malware, developed using Golang, infiltrates a target system, encrypts its files, and demands a ransom for the decryption key needed to restore access to the compromised data.

On May 15, 2024, The Five Families forwarded a message from the GhostSec Telegram channel, announcing their withdrawal from the alliance, cybercrime, and subsequent return to hacktivism.

The Five Families

Reclaiming the moral high ground

Black hats and hacktivism are usually driven by a difference in conscience. During an interview with Sebastian Dante Alexander, the founder of GhostSec, I asked if he agreed that trying to continue hacktivism operations under a black hat flag causes a moral struggle.

“To an extent, I felt I was conflicted often, especially around the time before we decided to quit from financial hacking to shift our focus back purely into Hacktivism,” Sebastian said.

I wanted to unpack the conflicted feelings and try to understand where he was coming from. With their hand deep in a cybercriminal enterprise, I wondered if GhostSec was afraid of losing their identity as leading hacktivists.

“Far from that, like I stated earlier, sure, there are moments where I felt conflicted. But we never crossed our moral code or ethics that we had in place even when doing financially motivated hacking, and we understood that this time period was purely to raise enough so that we as GS could continue to operate for years to come.”

This is something I can attest to. The cost of purchasing Virtual Private Servers, Virtual Private Network subscriptions, and Virtual Remote Desktops alone can run you a good hundred dollars a month. The alternative is to hack remote computers to host our toolkits that could be discovered and removed, which disrupts the workflow of hacktivist operations.

In times past, GhostSec has painstakingly adhered to a strict code of ethics, whereas most copycat groups have taken little to no thought about taking such precautions. That is how I knew he was telling the truth and not just telling me what I wanted to hear.

There was no thrill ride. No allure and no seduction by the Dark Side. It was but a means to an end. Everything I knew, and everything I thought I knew about GhostSec, was finally coming full circle. Having been the cornerstone of the Five Families and at the helm, I wondered if it was difficult to disengage from it.

For Sebastian and GhostSec, it was never about the money.

“I have been in the hacking scene since 2014 and love every aspect of hacking. Hacking is an art and something I and everyone else in GhostSec loves. Everything done was to keep funding our operations as GhostSec,” he said.

Sebastian explained that upon exiting The Five Families, he handed over the keys to the kingdom to “Stormous,” believing that they would at least follow GhostSec’s morals and ethical code. He simply said that it was time to move on and put financially motivated hacking in the past so GhostSec could focus on the overarching objective, which never ceased being hacktivism.

This begged the question about the continued enterprises of The Five Families. If GhostSec divorced itself from The Five Families, would they prefer they follow their same example and return to a pure path of hacktivism? I wanted to know what Sebastian thought.

“I do hope that becomes the case, or at least the bare minimum for not just the five families but for hackers who are genuinely passionate about hacking - to do what they do because they appreciate the art, the curiosity, [and the] adventure that comes with it instead of doing it purely for the money.”

This is true. As the old saying goes, “The love of money is the root of all evil,” and so is the leveraging of hacker skills motivated by financial gain. It’s a plague that is burning out of control.

“I have noticed … hacking has shifted more towards crime and being purely about the money. People have begun to forget the hacker culture, the art, and the passion that goes into hacking.”

Hacktivism, unethical sabotage, and governance

As a former black hat, I was interested in understanding how Sebastian governed other hackers when it came to the unethical sabotage of systems being targeted for no good reason. After all, I made it my life practice to attack targets indiscriminately, but it’s hard to claim to be a hacktivist if you attack innocent victims.

“Of course, in some operations, there are some cases where someone suggests attacking targets that are out of scope or prohibited, and after talking to them, they back down from doing it,” Sebastian explained, using a real-life example where during an operation, members asked about attacking educational or medical institutions.

He discussed with them how these are non-targets and should never be used as collateral. “Eventually, they realized how wrong it was to pull an attack against Educational centers or Medical institutes.”

I wanted to know who was considered “fair game.” Determining who or what is or is not a target is a topic that seems rarely discussed in hacking circles these days. I never asked myself this in my youth. I could attack anything or anyone and sleep well at night.

“[It] depends on the operation. But for the sake of simplicity, let's say an operation is run against a certain country. We then decide what would affect the country the most. Example: Economy, Military, Ministries, Etc. After that point, we write up a target list consisting of the 3 most damaging factors. From there, we organize the targets from priority to least prioritized based on importance,” he said.

Since we were on the topic of ethics, I wanted to know more about their ethical decision-making.

“We believe in unity and helping not just each other grow but everyone around us to also grow and see them rise. We believe in curiosity, freedom, adventure, and standing firmly with what we believe in – fighting for it and passing it on to the future.”

I felt he side-stepped the direct question in favor of a more generalized response. But this is common, especially when Sebastian is known for protecting tradecraft and letting outsiders think whatever they want to think.

It’s a value-driven response, and a lot can be gleaned from it. Sebastian values community, collaboration, and mutual support while at the same time fostering an environment where everyone has the opportunity to improve and succeed.

As idealistic as that may sound at first glance, it is an embraced idealism that GhostSec practices, poised at cultivating a culture of exploration and independence. GhostSec has a strong dedication to certain principles, which is clearly seen in what it does, the precautions it’s taken in the preservation of human life, the cessation of criminal ransomware, and the subsequent removal from the whole financial criminal dynamic.

I suppose if anyone wanted to know GhostSec’s purpose, it would be relevant to follow the progress of its activities to truly understand what the group is fighting for.

The problems with hacktivism today

Clout. Fame-farming. Clashing egos. Recognition. These all are synonymous terms. This is what plagues mainstream hacktivism today. Sebastian recognizes this and offers the following explanation, saying, “Hacktivists who don’t want to learn, and understand what they’re doing before they get into hacktivism.”

He elaborated, saying that hacktivists nowadays are doing it for fame, or even worse, are the so-called “hacktivists” claiming they are hacktivists and in it for the people, but are only interested in financial gain. Sebastian makes this distinction throughout the interview, emphasizing that it was never about the money for GhostSec.

“I wish that hacktivists could enjoy the learning journey, understand what they’re doing and the importance of OpSec. I wish that hacktivists could appreciate the art of hacking and pursue what they believe in without the facade that some groups may put on. Overall, a deeper appreciation and understanding of what they want, what they will do, and how to go about it in general.”