INSIGHT-How cybercriminals are using Wyoming shell companies for global hacks

Somali reporter Abdalle Ahmed Mumin was doubly distressed when he heard that a colleague had been abducted by masked gunmen at the University of Mogadishu on the morning of Aug. 17.

A fellow journalist was missing and Mumin – the chairman of the Somali Journalists Syndicate – had little way of getting the word out. Digital sabotage had knocked his syndicate’s website and email accounts offline a few days earlier.

“I can still feel the frustration,” Mumin told Reuters. “Our link to the outside world, to the international media, is our website.”

It was only after getting help from Qurium, a Swedish nonprofit that does digital defense work for news organizations and nonprofits, that Mumin was able to get his site back on its feet and properly raise the alarm about the missing reporter.

When Qurium investigated, it eventually traced a source of the outage to a surprising place: Wyoming.

Although Qurium said it wasn’t able to get a lock on who pulled the trigger on the cyberattack, it did discover that the sabotage was carried out with the help of a limited liability company, or LLC, based out of the vast western state.

Reuters has found it was one of at least three instances in the past four months in which digital defenders have implicated Wyoming LLCs in high-profile hacking activity. Interviews with half a dozen tech and compliance experts and hacking victims like Mumin suggest that the state once known as the rugged refuge for 19th-century bandits is now catering to 21st-century outlaws.

“It’s the virtual Wild, Wild West,” said Sarah Beth Felix, who runs Palmera Consulting, an anti-money laundering advisory firm. She said the state made registering anonymous shell companies so easy that foreign crooks “don’t have to be physically in Wyoming to hide out in Wyoming.”

Joe Rubino, the general counsel for the Wyoming Secretary of State’s Office, which is responsible for registering the state’s business entities, said his colleagues were taking the information flagged by Reuters “for further review and investigation.”

He added that Wyoming’s Secretary of State, Chuck Gray, supports the idea of new laws “to prevent abuses of Wyoming’s corporate filing system by foreign entities” but that the state legislature had yet to take the matter up.

Reuters was unable to determine how often cybercriminals use Wyoming LLCs, but Tord Lundstrom, Qurium’s technical director, said they were finding favor with cybercriminals who used them to help pass their internet traffic off as coming from inside the United States, a valuable trick for hackers seeking to bypass digital defenses that tend to flag or block web traffic coming from less trusted locations, such as Russia or Iran.

LLCs, like corporations, shield their owners from certain forms of liability but tend to be easier to set up. Because Wyoming allows registered agents – in-state representatives – to serve as the public point of contact for LLCs, their ownership can be kept secret from the wider public.

Wyoming isn’t alone in allowing anonymous shell companies – Delaware and Nevada have similar offerings – but Lundstrom said hackers particularly favored Wyoming LLCs because they were advertised as cost effective and user friendly.

‘BRAZEN AND DIRECT ATTACK’

The act of cyber sabotage that knocked the Somali Journalists Syndicate offline in August is known as a distributed denial of service, or DDoS, which clobbers targeted sites with a firehose of malicious traffic.

Qurium found that one stream of rogue data ran through an IP address block registered to Aliat, an LLC domiciled in Sheridan, a small Wyoming city at the foot of the Bighorn Mountains.

Reuters’ attempts to reach Aliat were unsuccessful. A message left via the contact form on the company’s website on Oct. 9 was met with an automated message promising a response “within 48 hours.” Corporate records show that the LLC was dissolved the same day, although it was later reinstated.

No response was ever provided.

In September, a DDoS operation knocked the Vienna-based International Press Institute offline. The organization had just published a report on how DDoS operations were bedeviling Hungarian independent media outlets when it too was slammed with a tidal wave of junk traffic – something the group later described as “the most brazen and direct attack on IPI’s online infrastructure in our history.”

It took the IPI about 10 days to fully restore the site’s functionality. Qurium was once again able to trace some of the rogue data back to a Wyoming LLC – a web hosting company called HostCram.

Run by a 23-year-old Bangladeshi named Shakib Khan, the firm is registered in Buffalo, a tiny city which was once a hangout for the infamous train robbers Butch Cassidy and the Sundance Kid.

Qurium said that Khan told them he was terminating a client following the incident but provided no further detail. Khan told Reuters he would only share his client’s identity with law enforcement.

As to why he’d registered a company in Buffalo, he said, “Wyoming is great for online businesses.”

‘THEY SHOULD BE ASHAMED’

Experts say a single shell company can serve as the springboard for widespread abuse.

In 2017 a pair of cybersecurity researchers traced waves of digital break-ins and spam targeting a host of organizations to an online proxy service run by Russian IT entrepreneur Ilia Trusov.

Despite the public exposure – and a subsequent report by Qurium also tying him to DDoS operations – Trusov registered two Wyoming LLCs, Security Servers and Traffictransitsolution, in 2019.

In video calls with Reuters, Trusov said the allegations were unfair. He said he had no tolerance for cybercrime and often worked with police agencies to fight it. He flashed his passport and U.S. and European visas as proof that he wasn’t trying to mask his identity and had never been in trouble with the law.

Trusov did acknowledge setting up shell companies in Wyoming so that his clients’ web traffic would look American. He said having a U.S. shell company was also helpful in terms of fielding legal requests. Another bonus: Anonymity.

“In Wyoming, you can’t go and check owners,” he said.

Trusov’s LLCs have since been dissolved, but another Wyoming shell company has faced scrutiny more recently.

In August of this year the anti-ransomware firm Halcyon accused an Iran-linked internet company called Cloudzy of providing services to “a rogue’s gallery” of digital spies and cybercriminals, in part through Sheridan-based RouterHosting LLC.

Cloudzy chief executive Hannan Nozari denied turning a blind eye to malicious activity, which he said was “a serious problem all of us face.” He told Reuters he was based in Dubai and registered RouterHosting under the mistaken assumption that he needed it to buy internet infrastructure in North America. He said he had recently enhanced his service’s security and had the Wyoming company dissolved.

As foreigners living abroad, neither Nozari nor Trusov nor Khan would have been able to set up Wyoming LLCs were it not for registered agents.

RouterHosting was set up with the help of a Sheridan-based registered agent called Cloud Peak Law Group. Aliat, HostCram and Trusov’s LLCs were represented by a firm called Registered Agents Inc, which also lists a Sheridan address.

Cloud Peak didn’t respond to questions. Registered Agents Inc said in a statement that, while the company didn’t comment on specific client relationships, it followed relevant state rules and due diligence requirements.

“Commercial registered agents are not policing agencies,” the company added.

Mumin, the head of the Somali journalists’ syndicate, said no one had been held accountable for the cyber sabotage that crippled his organization in August. He had no sympathy with the notion that Wyoming’s registered agents weren’t required to police their clients.

“They should be ashamed, these companies in Wyoming, that they haven’t been able to – or they don’t care to – check who their customers are,” Mumin said.

(Reuters)