Ben Bergersen

Cyber Gangs in a Concrete World

The original URL is now 404, but the page can still be seen on Fred Cohen's site, Despite mailing this information on August 29, 2000, Mr. Cohen and Bergersen have not made any edits or apologies.

Mr. Bergersen's article is poorly written, heavily uses material from other parties without proper citation and shows a gross misunderstanding of the topic he writes about.

On the paper "Cyber Gangs in a Concrete World" by Ben Bergersen, there are considerable errors, incorrect assumptions and liberal use of material without proper citation. Text in blockquotes is from the paper.

Cult of the Dead Cow

The Cult of the Dead Cow, aka cDc, is one of the top two famous cyber gangs. Along with the Legions of the Underground, cDc is the oldest group. They programmed the backdoor Trojan horse BackOrfice and

The wording here makes it unclear. Legions of the Underground may arguably be one of the top two famouse cyber gangs (I would disagree there), but they are certainly not one of the oldest. Later in this paper he clarifies that he believes Legions IS one of the oldest groups.

.. created by Sir Dystic, who also provided input to DildoG when BackOrfice2000 was created. cDc is unique in that several members are also a part of the legitimate security consulting businesses, Boston based L0PHT Heavy Industries. L0PHT was bought out in January

At the time of the paper, two members of the l0pht were in cDc, versus "several" as said above.

[98.08.21] [[51]HFG] K [52]Motorola Nipon ([53]

[98.08.17] [[54]HFG] K [55]Elite Hackers (down:****ht)

On both the HFG and Global Hell lists, Bergersen directly rips the material from and blatantly disregards their copyright and fails to provide citation. Further, he provide dozens of links that result in 404's because of typos and extraneous characters in the URLs.

"Mosthated" was detained by the FBI related to this incident, but no arrest was made. The F.B.I. did however confiscate the 18 year old male's equipment.

Several members of Global Hell were raided and questioned. One member (Erik Burns I believe, aka Zyklon) later confessed to his involvement in the defacement.

Actions Taken

The F.B.I has the following cyber gangs under investigation as of May 27, 1999. Section 5 of their directive to Internet Service Providers (ISPs) requests information on several groups. Directories, files, programs, logs, or data concerning the Names of hacker groups:
world domination

This list seems to be an uncredited rip from material posted to This "directive" has yet to be validated by a legitimate party. The original list posted to the site (which included all of the names above) had several discrepancies leading many to believe the news was fabricated. Among the list of 'suspects' were names of IRC bots, pieces of software that ran automatically. One such bot is well known to the FBI. A special agent that handles computer crime verified to me that they were well aware of 'mal_vu', and knew that it was nothing more than an IRC bot. This gave more validation to the idea that the original 'news' was fictitious.

Law enforcement has so far in the twentieth century been unable to disband or eradicate cyber gangs. The Cult of the Dead Co (cDc) , and Legions of the Underground (LOU) are two of the oldest cyber gangs, and yet they are still in existence with little law enforcement

Legions of the Underground are NOT one of the oldest 'gangs' around. They are extremely new compared to cDc, who dates back 15+ years.

Summary, Conclusions, and Further Work

Cyber Gangs are groups of crackers that cause damage for fun and profit. They learn their trade from each other, in academia, and in legitimate computer security consulting firms. There are entrance

This paper does not support this conclusion. While some people are affiliated with a group, this does not mean their professional life had anything to do with their associations. To say that Mudge belongs to a "cyber gang" and "learned his trade from legitimate computer security consulting firms" is ludicrous.

.. pirate FTP sites crop up. Even supposedly secure sites such as RSA Security are hacked. The good news is companies and law

RSA's site was not hacked. If you examine the 'mirror' of the defaced site, it explicitly states the site was not hacked, rather the victim of a DNS redirect. While the end result may be the same, the logistics and failure of security are totally different.


Trying to censor the URLs to the defacement mirrors serves no purpose. At the time of this article, they were all public and indexed by Google. All this does is lead to countless 404s as people try to visit the pages.

main page ATTRITION feedback