
Cyber Incident Victim: WestPark Capital

Date:

Sep 2016

Location:

United States of America

Summary

Hackers known as The Dark Overlord breached a Los Angeles investment bank by exploiting a vulnerability in Microsoft's Remote Desktop Protocol (RDP), stealing sensitive internal documents including presentations, contracts, and non-disclosure agreements. After the bank's CEO rejected their ransom demand, the attackers leaked approximately 20 files online in retaliation; the authenticity of one of them, a signed client agreement, was confirmed by the counterparty firm named in it. The group used business-like language characteristic of Eastern European or Russian cybercriminal operations, framing the extortion as a legitimate transaction while threatening further data exposure unless negotiations resumed. The incident followed the same playbook as the group's earlier healthcare sector attacks, which involved stolen patient records offered for sale on the dark web.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Type: Available to members
Location: Available to members

Description

On or around September 27, 2016, Los Angeles-based investment bank WestPark Capital suffered a data breach perpetrated by the hacker group known as The Dark Overlord. The attackers gained their foothold by exploiting a vulnerability in Microsoft's Remote Desktop Protocol rather than through the phishing or malware delivery more commonly seen in such intrusions; the reports summarized here do not name the specific flaw. Once inside the network, the group exfiltrated sensitive internal documents including corporate presentations, non-disclosure agreements, internal reports, and client contracts. The hackers then contacted WestPark Capital CEO Richard Rappaport with a ransom demand, which he rejected. In retaliation, The Dark Overlord publicly leaked approximately 20 stolen files, among them a signed client agreement whose legitimacy was confirmed by the unnamed contracting firm, which established that the breach was genuine. The group announced its actions in a Pastebin post, criticizing Rappaport for dismissing their "handsome business proposal" and threatening further leaks unless negotiations resumed.
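The page does not say how the RDP weakness was exploited, only that RDP was the entry point. The check a defender would run after reading this entry is the generic one: find successful interactive RDP logons (Windows Security event 4624, LogonType 10) that originate outside the internal address space, and flag successes that were preceded by a burst of failures (event 4625) from the same source, the pattern of password guessing against an exposed RDP listener. The script below is an added example, not code from the page or from any party to the incident; the event records, the internal address ranges, and the account names in it are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Address ranges this hypothetical organisation treats as internal. An explicit
# list is used instead of ipaddress's is_private, which also reports the
# documentation range 203.0.113.0/24 (used for the external source below) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records in the shape of parsed Windows Security events.
# EventID 4624 = successful logon, 4625 = failed logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session. Not real incident data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.17", "TimeCreated": "2016-09-26T09:12:03Z"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "203.0.113.45", "TimeCreated": "2016-09-27T02:38:55Z"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "203.0.113.45", "TimeCreated": "2016-09-27T02:39:20Z"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "203.0.113.45", "TimeCreated": "2016-09-27T02:40:02Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "203.0.113.45", "TimeCreated": "2016-09-27T02:41:10Z"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fileshare$",
     "IpAddress": "10.0.5.20", "TimeCreated": "2016-09-27T03:00:00Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "rrapp",
     "IpAddress": "192.168.1.44", "TimeCreated": "2016-09-27T08:15:30Z"},
]


def is_internal(ip):
    """True if the source address falls inside one of the organisation's internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # Windows logs "-" when no source address is recorded
        return False            # treat unknown sources as external
    return any(addr in net for net in INTERNAL_NETS)


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def is_rdp(event, event_id):
    """RDP sessions show up as LogonType 10 on both success (4624) and failure (4625)."""
    return event["EventID"] == event_id and event["LogonType"] == 10


def external_rdp_logons(events):
    """Successful RDP logons whose source address is not internal."""
    return [e for e in events if is_rdp(e, 4624) and not is_internal(e["IpAddress"])]


def guessing_then_success(events, min_failures=3, window=timedelta(minutes=15)):
    """For each successful RDP logon, count failed RDP logons from the same source
    in the preceding window and report those at or above the threshold.
    Returns {(ip, user, time_of_success): failure_count}."""
    failures = [e for e in events if is_rdp(e, 4625)]
    hits = {}
    for s in (e for e in events if is_rdp(e, 4624)):
        t = _ts(s)
        n = sum(1 for f in failures
                if f["IpAddress"] == s["IpAddress"] and t - window <= _ts(f) < t)
        if n >= min_failures:
            hits[(s["IpAddress"], s["TargetUserName"], s["TimeCreated"])] = n
    return hits


if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print("external RDP logon:", e["TargetUserName"], e["IpAddress"], e["TimeCreated"])
    for (ip, user, when), n in guessing_then_success(SAMPLE_EVENTS).items():
        print(f"{n} failed RDP logons from {ip} before {user} succeeded at {when}")
```

On the sample data the script reports one external RDP logon and one guessing-then-success sequence, both from the same source. In a real environment the same two questions are worth asking of the whole 4624/4625 history: any external RDP success is itself a finding, since RDP should not be reachable from the internet at all, and a success preceded by a failure burst from the same address is the signature of a credential-guessing attack that worked.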


The incident fit The Dark Overlord's established pattern of extortion-focused attacks, previously seen in its targeting of U.S. healthcare organizations earlier that year. Security consultant Jamie Moles, analyzing the group's communications, noted its use of business terminology such as "quiet business opportunity" to dress up criminal extortion, a tactic he associated with Eastern European or Russian cybercriminal groups. Before the WestPark attack, the group had listed stolen healthcare records containing personally identifiable information on the dark web marketplace The Real Deal. In the WestPark case it did not initially attempt dark web sales, instead demanding a ransom directly in exchange for withholding the data. The leaked corporate documents created reputational and operational risk for the bank, though the available reports do not disclose specific financial impact or any remediation steps taken by the institution. The Dark Overlord kept up public pressure through its Pastebin channel, leaving open the possibility of further releases while inviting Rappaport to resume contact.

Sources

1 source (available to members)