Tracking the World's Dumbest Cyber Mercenaries
Cooper Quintin, Eva Galperin
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
EFF researchers Cooper Quintin and Eva Galperin have spent nearly a decade tracking Dark Caracal — a cyber mercenary operation linked to Lebanon's General Directorate of General Security that managed to be both surprisingly effective and spectacularly incompetent. The case study is a masterclass in how open command-and-control servers, sloppy operational security, and a willingness to register malware infrastructure under real names can give defenders extraordinary access to an adversary's entire campaign.

---
AI review
Quintin and Galperin tracked a cyber mercenary operation across nearly a decade, physically geolocated the C2 operators to a specific building in Beirut using Wi-Fi SSIDs from malware-infected test devices, and sinkholed an unregistered plugin domain to get months of infection telemetry. This is what threat intelligence research looks like when it's done with craft.