Cyber Incident Victim: Lloyd's of London
Date: Dec 2018
Location: United States of America
Summary
A hacker group known as The Dark Overlord breached a U.S. law firm handling litigation related to the September 11 attacks, compromising sensitive documents involving insurers including Lloyd's of London. The attackers threatened to release approximately 18,000 files—leveraging conspiracy theories around the attacks—unless paid an undisclosed Bitcoin ransom, while also attempting to blackmail individuals and entities referenced in the stolen data for separate payments. Though the insurers' own systems remained unaffected, policyholder information was exposed during the law firm's breach, prompting notifications to affected parties and collaboration with law enforcement. The group escalated pressure by selectively leaking decryption keys to portions of the encrypted data cache and marketing the stolen information on dark web forums.
Description
On December 31, 2018, the hacker group The Dark Overlord publicly announced it had breached a US-based law firm handling litigation related to the September 11 attacks. The group threatened to release approximately 18,000 internal documents unless ransom demands were met, specifically naming Hiscox Syndicates Ltd, Lloyd's of London, and Silverstein Properties as impacted entities. The Dark Overlord described these insurers as key underwriters for major global policies, including those covering the World Trade Center. The hackers published their extortion notice on Pastebin, accompanied by a small sample of stolen emails, letters, and documents referencing law firms, the TSA, and the FAA. They also distributed a 10 GB encrypted file archive to media outlets such as Motherboard, threatening to release decryption keys incrementally unless victims paid an undisclosed Bitcoin ransom. The group escalated pressure by tweeting about exposing "9.11 conspiracies" through the leak and offering to withhold specific documents from public release if individuals or organizations paid separate blackmail fees.

The breach originated from the law firm’s systems, which were not connected to Hiscox’s own IT infrastructure. Hiscox confirmed the incident involved data related to 9/11 liability insurance claims for approximately 1,500 US policyholders, noting the firm had initially disclosed the breach in April 2018 without naming the attackers. Hiscox stated it notified affected policyholders and collaborated with UK and US law enforcement. Lloyd's of London did not publicly acknowledge or comment on the incident. The Dark Overlord’s tactics included selling the data on dark web forums and targeting individuals mentioned in the documents, such as attorneys, politicians, and law enforcement personnel. While the initially released documents appeared routine, the group claimed the full cache contained sensitive materials that could trigger legal liabilities. No confirmation emerged regarding ransom payments or further data releases beyond the initial sample. The incident highlighted The Dark Overlord’s shift toward leveraging media attention and staged decryption key releases to pressure multiple stakeholders simultaneously.
