Author: DarkOwl Analyst Team

Ransomware RoundUp: 2022

March 30, 2023

Ransomware groups continued to be a major threat over the past year, causing significant financial and reputational damage to their victims. Their evolving tactics and strategies make it increasingly difficult for organizations to defend against their attacks. However, with increased awareness and investment in cybersecurity, governments and businesses can work together to protect themselves from this growing threat.

Although the number of ransomware complaints reported to the FBI's IC3 fell in 2022, victim payouts increased. Across all crime types, the IC3 received 800,944 complaints in 2022, with potential losses of around $10.2 billion. Ransomware continues to run rampant, with around 33% of organizations globally having been a victim, suggesting that the groups are becoming more confident and more targeted in their victim selection.

Figure 1: Source: 2022 IC3 Report

The overall increase in victim payouts could be partly due to changes in how ransomware gangs operate. In 2022, ransomware groups deployed more backdoors, which give them persistent remote access to victim networks. They also increasingly favored extortion, typically through ransomware or business email compromise; Europe accounted for 44% of these extortion cases.

According to IBM's X-Force Threat Intelligence Index, manufacturing was the most extorted industry in 2022. The FBI's Internet Crime Complaint Center (IC3) received the most ransomware complaints from the Healthcare and Public Health sector, a trend DarkOwl has seen reflected in the victims of the groups detailed below.

Figure 2: Source: 2022 IC3 Report

In this roundup, DarkOwl analysts look at some of the largest ransomware and ransomware-as-a-service (RaaS) gang activity from 2022, and introduce several new and emerging groups that DarkOwl has observed actively operating on the darknet today.

Review of Active Ransomware Groups in 2022

LockBit

LockBit has been one of the most active ransomware groups this year, claiming to have targeted 436 organizations in the latter half of 2022 alone. In June 2022 the group released LockBit 3.0, with new capabilities that make it harder to identify, and notably launched its own bug bounty program. After a LockBit attack on SickKids hospital, LockBit blamed one of its affiliates, released a decryptor for free, and apologized, saying the attack violated its policy.

Black Basta

Black Basta is a newcomer that rose to prominence in April 2022 with its attack on the American Dental Association. The group has possible ties to other ransomware gangs such as Conti, REvil, and Carbanak (FIN7). It specializes in double extortion and has been seen relying on outside tooling and services, including initial access brokers, Qakbot, and Cobalt Strike.

Black Basta has been observed using the darknet to request login credentials for initial access. Its malware and victim selection suggest a sophisticated ransomware actor.

Figure 3: User Black Basta posts in a Darknet forum for corporate access; Source: DarkOwl Vision

Hive

Hive ransomware was first observed in June 2021 and uses an affiliate RaaS model. Unlike some other groups who claim a moral code, Hive has repeatedly targeted healthcare organizations and threatened to leak patient information. As of March 2022, 125 healthcare organizations had been targeted by Hive.

Hive's original ransomware was written in Go, but in 2022 the group switched to Rust. The rewrite improved the ransomware's encryption implementation, among other advantages.

In January 2023, the Hive operation appeared to have been shut down, with a seizure banner appearing on its site detailing a multi-country law enforcement operation. Law enforcement had access to Hive's computer networks ahead of the takedown and used that access to supply decryption keys to victims before they paid.

Figure 4: Hive Ransomware seizure banner; Source: Malwarebytes

Conti

Going into 2022, the Conti ransomware group was one of the most active and prolific RaaS operations. At the outset of the Russian invasion of Ukraine, Conti was one of the first groups to announce its support for the Russian government, after which its ransomware source code and other sensitive data, including PII and private communications between actors, were leaked. In late May 2022 Conti shut down its official Tor website, Conti News, and the service site used for negotiations went offline. However, reporting indicates that the group dispersed rather than disappeared, with some members joining other ransomware groups such as Black Basta, BlackByte, and Karakurt. It is also possible that Conti will reappear under a different name in the future.

BlackCat

The BlackCat ransomware group (also known as ALPHV), which first appeared in late 2021, is thought to have infected more than 60 victims in its first six months of operation. The group is reported to be connected to BlackMatter/DarkSide, with the FBI reporting that many of its developers and money launderers originated from DarkSide. BlackCat was the first group to use Rust in its attacks, before Hive adopted it. BlackCat was also among the first groups to run a public data leak site, and in 2022 it added a search feature over its indexed stolen data to put more pressure on organizations to pay; LockBit later followed suit. The group remains active in 2023.

New or Emerging Ransomware Groups

DarkOwl has identified several emerging ransomware groups that are presently active on the dark web. Each of the new ransomware gangs below rose to prominence in 2022 and continue to be active into 2023.

0mega

The 0mega ransomware group was first identified in May 2022, targeting organizations worldwide with double-extortion techniques. At the time of writing no sample of the 0mega ransomware variant has been identified and analyzed. Ransom demands are customized to the victim, and victims are required to upload their demand note to access the Tor payment negotiation site. The 0mega leak site on Tor currently lists 3 victim companies with links to download their data. The site was last updated 2023/02/11.

0mega's operation appears to be organized, and it is a group to watch this year.

Figure 5: 0mega Data Leak Site; Source: Tor Anonymous Browser

BianLian

BianLian has had infrastructure in place since December 2021 and tripled it in August 2022. Its victims include health services, information technology services, education, and construction companies. The group has built its own toolkit, with ransomware written in Go, and has been seen using living-off-the-land techniques and establishing a backdoor for persistence. BianLian currently offers an I2P mirror of its site, complete with installation instructions.

Avast recently released a free decryptor for the currently known BianLian ransomware strain. This could explain why BianLian has recently stopped encrypting victims' data and is focusing on extortion instead. The group will need to stay ahead of researchers' decryptors this year to continue targeting victims successfully.

Figure 6: BianLian Data Leak Site; Source: Tor Anonymous Browser

Daixin

The Daixin ransomware group is known for targeting the health sector, which led CISA to issue a cybersecurity advisory to the sector in October 2022. The group has been active since June 2022 and built its ransomware from leaked source code attributed to Babuk Locker. In early 2023, its Tor leak site listed 8 victims with details of which documents the group had obtained.

The Daixin Team encrypts the servers healthcare organizations rely on, halting key services and increasing the likelihood of a payout, and also exfiltrates PII, creating a further revenue stream since this data fetches higher prices on dark web marketplaces. However, consistently attacking healthcare organizations has drawn the attention of law enforcement, which could mean the group is on the verge of disruption. Nevertheless, given its profitability, the Daixin Team will likely continue targeting this sector, and the health sector should be wary of it.

Figure 7: Daixin Team Tor Site; Source: Tor Anonymous Browser

Royal

Royal first materialized in January 2022 and is believed to be made up of actors previously associated with Conti, TrickBot, and the Roy/Zeon malware (the group was originally named Zeon). Unlike some other groups, Royal does not offer its ransomware as a service and does not make its code available to affiliate actors. Recently it released a variant that targets Linux systems. The group is known for callback phishing, impersonating food delivery or software providers to get victims on the phone.

Royal's Tor page begins with a contact form that requires the user to submit an email address. It also has a search bar for finding victims. Royal currently lists around 58 victims for 2023 on its site, the most of any group reviewed in this article. Royal uploads samples of stolen data to the site to prove its claims to victims; if the victim refuses to pay, all of the stolen data is then uploaded. Note that some ransomware gangs remove victims' information from their site once the ransom is paid, so the number of victims shown does not always reflect the true number targeted.

Figure 8: Royal Ransomware Tor Site; Source: Tor Anonymous Browser

Although Royal ransomware emerged only recently, researchers believe the actors running the group are sophisticated and experienced. DarkOwl analysts assess that Royal will grow into an even greater threat in 2023.

Final Thoughts

Ransomware is an ever-evolving threat ecosystem. Some groups are driven by political motivations, but most attacks are for financial gain. Ransomware groups use the darknet and darknet-adjacent sites to negotiate with victims, spread their personal brand, and develop or purchase new, sophisticated technology to thwart cyber defense teams. Advances in cyber defenses have prompted some groups to focus on data extortion, pressuring companies with the valuable private data they have stolen rather than encrypting networks.

Despite the successes of cyber defense teams in 2022, ransomware gangs will be keen to develop new tools and tactics to better evade security measures. Ransomware attacks are also underreported: around 75% are never reported. Even when law enforcement successfully shuts down a ransomware operation, the group is likely to rebrand, or its members will simply disband and work for other ransomware groups. As long as some entities are still willing to pay, ransomware will remain a threat because of the potentially massive financial rewards.

DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.


Interested in learning more? Contact us to learn about our Ransomware API.

Dark Web Exposure of Popular E-Learning Companies

March 21, 2023

The darknet is home to a complex economy largely built on the illicit exchange of digital goods such as MTV (Malware Toolkits and Viruses) and compromised credentials. Threat actors exploit these assets for a variety of reasons, most of which amount to some form of fraud. While many threat actor tactics appear to be purely for financial gain, dark web adjacent sites such as Telegram contain multitudes of other listings that serve a more unexpected user group, including those looking to continue their education with illicitly obtained accounts for E-Learning tools.

Sites such as Codecademy long ago established a successful model that many other E-Learning companies follow today. Most offer a "freemium" model, meaning select courses or certificates can be obtained for free, with more advanced or specialized certificates priced on a tiered scale. After seeing a number of postings on the darknet from users soliciting hacks or compromised credentials for various E-Learning accounts, our analysts took a look at the exposure of several popular companies in this industry using our industry-leading darknet data platform, DarkOwl Vision.

Coursera

DarkOwl Vision has indexed a high quantity of email addresses on the coursera.org domain in recent years, likely as the result of a data breach. At the time of writing, DarkOwl Vision contains 2,058 coursera.org email addresses in total, 811 of them unique. However, only 9 of these have been associated with plaintext passwords.

While Coursera does offer free learning tracks, its premium offerings range from $39 to $59 per month, with more specialized certificates typically at the higher end. The most common type of offering exchanged on darknet forums is methods to obtain these pricier certificates for free.

Figure 1: Advertisements on an I2P site for methods to scam Coursera and obtain free certificates, Source: DarkOwl Vision

In the following example, a stealer log containing coursera.org credentials is being sold for as little as $10 USD. The listing also includes the victim's ISP (internet service provider), potentially so that the purchaser can pick a VPN exit matching the victim's location when logging into the stolen E-Learning account, avoiding having the login flagged or the IP blocked.

Figure 2: Raccoon Stealer logs for coursera.org being sold for $10 USD on Russian Market, Source: DarkOwl Vision

Other offerings include a Python script that allows users to download Coursera courses and obtain certificates for paid tracks free of charge.

Figure 3: Advertisement on a Russian paste site for a Python script that allows users to obtain certificates on Coursera for free, Source: DarkOwl Vision

SkillShare

While Skillshare has a smaller darknet footprint than Coursera by quantity, its results in DarkOwl Vision return a higher number of passwords associated with leaked email addresses on a Skillshare domain. In this case the credentials are unlikely to be used for account takeover, as they more likely belong to Skillshare employees. They pose a higher risk for exactly that reason: they could potentially be exploited to access Skillshare's corporate networks. In total, of the 202 unique email addresses detected, 18 came with a plaintext password.

Figure 4: Premium Skillshare accounts being sold on Telegram, Source: DarkOwl Vision

The listing below was indexed from 2easy shop, a popular dark web marketplace with a large Russian-language user base. In this case, credentials for the listed URLs were harvested using the RedLine stealer malware. For $10, the purchaser gains access to the Skillshare account of the compromised target the RedLine malware was run on. With these types of listings there is no guarantee of the value of the E-Learning account itself.

Figure 5: RedLine stealer logs of Skillshare on 2easy shop, Source: DarkOwl Vision

LinkedIn Learning

The size and scope of LinkedIn reach well beyond E-Learning, so it is no surprise that its exposure exceeds the others in this category by market coverage alone. With over one thousand unique email addresses and nearly as many plaintext passwords exposed in DarkOwl Vision, its risk of internal network exploitation is significant.

Premium LinkedIn accounts are also rather expensive, so the market for access to premium LinkedIn accounts (including LinkedIn Recruiter) has remained active. In the example below, a recent result from Telegram advertises a variety of premium LinkedIn accounts for sale, including LinkedIn Learning premium. These are offered at $10 a month individually, or as low as $5 a month when bought in bulk quantities of 100 or more.

Figure 6: Premium LinkedIn Learning accounts offered on a Telegram forum, Source: DarkOwl Vision

Udacity

Search results for the udacity.com email domain in DarkOwl Vision returned over 700 unique email addresses, considerably more than its peers. However, only one of these was associated with a plaintext password, so Udacity's dark web exposure from an internal threat perspective is relatively low compared to other E-Learning companies.

On the account takeover and fraud side, our analysts found numerous results similar to the listing below. As pictured, the post contains plaintext email addresses and passwords that can easily be checked and verified by anyone willing to put in a bit of extra work to obtain free Udacity accounts. Published to Telegram, the post also solicits screenshots from those who successfully log in to any of these accounts, likely so the poster can use them to validate their services and build a reputation as a legitimate vendor.

Figure 7: Telegram listing containing plaintext credentials for Udacity accounts, Source: DarkOwl Vision

Codecademy

From a credentials perspective, Codecademy's footprint within DarkOwl Vision was on par with other E-Learning companies. Overall, results for its domain amounted to 508 email addresses, of which 167 were unique and 8 were associated with plaintext passwords.

There were numerous advertisements on Tor for a variety of Codecademy accounts and for hacking tools that could help exploit them. These include listings for the E-Learning accounts themselves, as well as "crackers" or "checkers": scripts that run credentials against a service to see (a) whether the credentials successfully log in, and (b) what type of account they now have access to.

In the result below, detected by DarkOwl Vision in January this year, a listing for one of these "checkers" advertises that "It captures premium status and the number of enrolled courses and also saves free and premium accounts." Using this type of tool, a threat actor can run credentials in bulk against the Codecademy login portal and potentially uncover many working combinations for valuable Codecademy accounts.

Figure 8: A Variety of Codecademy account-cracking resources, including credentials and “checker” tools, listed on Tor, Source: DarkOwl Vision

The same page also carries listings for Codecademy Pro accounts, as well as some advertised with access to the associated email account and tagged "+ HQ". Each of these listings led to a separate vendor and sat among dozens of similar advertisements.

Final Thoughts

Interestingly, during the course of this research, our analysts observed a disproportionate number of discussions in DarkOwl Vision sources, including IRC channels, Telegram, and darknet forums, discussing Codecademy in the context of genuine further education. These included discourse around the value of various courses, advice for professional development, further learning recommendations, and so on. This could signal that those seeking and purchasing E-Learning assets find Codecademy more applicable to the coding skill set needed by users who operate on the darknet and deep web.


Having insight into darknet activity means staying one step ahead of potential risks and costly threats to your company. To learn more about how DarkOwl’s data products can assist your threat intelligence initiatives, contact us.

One Year Later: A Look Back at the Ukraine Conflict and its Impact on the Global Criminal Digital Ecosystem

March 13, 2023

Exactly 365 days after Russia invaded Ukraine in 2022, the Ukraine-Russia conflict shows no sign of ending, and an adjacent global cyberwar continues to be waged in underground corners of the internet. Its effects are substantial, with impacts felt across numerous sectors of our society and western economies. While cruise missiles and artillery shells rain on villages across Ukraine, the digital underground has experienced its own mix of chaos and drama, with impulsive and unpredictable shifts by criminal communities that have had to adapt quickly to an ever-changing geopolitical climate.

In this research, we look at how ransomware shifted from an affiliate-driven, extortion-based crime model, purely motivated by financial gain, to an effective digital weapon deployed to disrupt key supply chains and carry out cyber espionage operations.


To learn more about how having visibility into darknet can combat commercial and national security threats, contact us.

Romance Scams on the Darknet

February 14, 2023

In light of this year's Valentine's Day, our analysts put together a piece to shed light on romance scams, one of the fastest growing schemes across the globe. For a quick reference guide to terms used throughout the piece, scroll to the end of the blog or go there directly here.

Romance Scams Have Been Quietly Gaining in Popularity

In the last decade, dating apps and websites have skyrocketed in popularity. As a result, nefarious actors have sought to capitalize on this booming industry by exploiting and scamming its users. In fact, according to the Federal Trade Commission (FTC), the number of reported romance scams tripled from 2017 to 2021.

Public education around this costly scheme appears to have helped temper some of its detrimental effects. In 2022, there was a 10% drop in the number of people who fell victim to romance scams. However, in the same year, reported monetary losses surpassed $1 billion USD.

This could indicate that while scammers are scamming fewer people, they are using targeted methods to extract more money from each victim. If scammers can make $100 a day, or $2,000 per month, as advertised on darknet marketplaces and forums, romance scamming will continue because it is clearly profitable. For context, a salaried worker on $40k per year makes approximately $154 per working day before taxes. As long as the romance scam industry is profitable, the darknet will continue to innovate.

Considering the surge in identity theft and fraud worldwide, it is critical to monitor the darknet for strategic awareness of the methods and deception techniques used on victims, especially as they evolve. Romance scams can have multiple layers of victimization, both financially and emotionally. While financial losses have obvious repercussions, many victims report the heartbreak and shame to be even more traumatizing.  

"But even though I lost all of my money, everything that I had, the worst part was losing the love and the life that I thought I was going to have with him and the kids." – WMAR-2 News

What is a Romance Scam?

The FBI’s Internet Crime Complaint Center asserts that romance scams are also known as confidence fraud or online dating scams.

In a romance scam the victim is tricked by an online scammer into believing they are in a real, serious, romantic relationship. The scammer's goal is to defraud the victim and take as much money as they can coerce them into giving. Scammers use fake identities to win over their victims' trust and hearts, then persuade or blackmail victims for money, or attempt identity theft with the victim's personal information. This type of scam is referred to as the 'long game' and can take place over several years.

Romance scams have very specific characteristics. Scammers often approach their target on a traditional online dating platform and try to move the conversation quickly from the dating site to a direct one-to-one chat platform. Things move very fast: they are quick to declare their love, propose, and use other love-bombing tactics. Usually their profile picture and story seem too good to be true; they live far away (e.g. in another country or deployed overseas) and will not video chat or meet in person.

Typically, a romance scammer will start out by asking for small amounts of money. They will continue asking for money by inventing stories with urgency – such as claiming that a catastrophe has struck, or that their small child is in the hospital. Ultimately, the scammer will find the victim’s vulnerabilities and emotional weaknesses and exploit them as much as possible.  

Romance scams occur across multiple apps and online sites and are not limited to online dating applications. However, online dating sites are a popular platform targeted by romance scammers. Victims could be baited by a romance scammer on social media such as Facebook, Instagram, Snapchat, TikTok, or gaming apps like Words With Friends.

Romance Scams Live at the Intersection of Multiple Deceitful Environments

Identity Theft

Romance scams live at the intersection of multiple forms of exploitation, and they far more often lead to fraud than to love. One example is identity theft, where the scammer steals the victim's personal information and uses their social security number, mailing address or other PII to impersonate them. This can lead to the actor opening lines of credit in the victim's name, or even filing false tax returns using the victim's identity.

The scammer could also exploit the identity of a different innocent person by imitating them and using their photos and information to pose as the fictitious online partner. Such is the case of Bryan Denny, a retired US Army colonel whose likeness and image have been stolen thousands of times and used to create fake Facebook and social media accounts to scam victims. He is regularly contacted by women asking if he is the 'lover' they have been in a relationship with and sent money to. Today he is a founding member of the group Advocating Against Romance Scammers (AARS).

There is significant risk for the people whose pictures and identities have been stolen for use in scams. They themselves could be targeted by the upset victims of the actual scammer and threatened or harmed in retaliation.

Like identity theft, catfishing and eWhoring are prevalent in the romance scam space. Both practices involve stealing personal information from a victim to assume their identity and using that fake profile to scam and exploit others. eWhoring and catfishing in romance scams thus combine scams, identity theft (a type of fraud), and exploitation.

Money Laundering

Romance scams are sometimes leveraged to trick victims into unknowingly becoming money mules. Money mule schemes advertised as legitimate job opportunities are often scams; the "job" can include opening bank accounts and processing wire transfers on behalf of another party. These measures hide the criminal organization and make it more difficult for law enforcement to track it down. Despite being unaware that they are money mules, these victims are not protected by anti-fraud laws and can be prosecuted and imprisoned.

In a recent document collected in DarkOwl Vision, a threat actor describes how they target grandmothers via romance scams to "clean" or launder their illegally earned money. They describe convincing an elderly romance scam victim to take illegally earned money to a Bitcoin ATM so that it goes into the criminals' Bitcoin wallet. According to the FBI and other cyber-focused law enforcement teams, money mules complicate the tracing of both virtual and physical financial transactions.

Figure 1: Using romance scams for money laundering, Source: DarkOwl Vision

Trafficking and Illicit Markets

Romance scams sometimes serve as a recruitment mechanism to coerce victims into other illicit markets and forms of exploitation, including human trafficking and sex trafficking. The example pictured below, gathered from a DarkOwl Vision document, details such an advertisement.

Figure 2: "beautiful scam white Caucasian girls…They can do Nudes, pics, videos, if you have certain things you like she will perform." Source: DarkOwl Vision

Further searches in DarkOwl Vision found a user with this same name posting that they are "searching for young good looking women over eighteen who wants to earn a little extra for pleasures and pocket money," and advertising free child sexual abuse material and other pornographic videos. While there is no definitive evidence that this user is associated with sex trafficking, it is highly probable that an overlap between these exploitative markets exists.

There is additional open source reporting to support this claim. Late last year, ProPublica reported that human trafficking overlaps with romance scams, and that many romance scammers are themselves victims of human trafficking, forced into scamming against their will. Per their research, the perpetrators of this type of scam are in some way recruited as victims themselves. Demographically, they are typically nationals of Southeast Asian countries lured by promises of lucrative new jobs in a different country. After traveling to the country for the new job, they are taken to areas where corruption is rampant, gangs run human trafficking, and government authorities are largely complacent.

These individuals are then usually trained and forced to be romance scammers – under strict surveillance and threats of violence. The workers are told that they must continue these operations to buy their freedom; however, buying their freedom is nearly impossible since many are already poor and the scamming jobs are designed so that they will never earn enough to leave.

Build a Relationship; Stick to the Script

During the course of this research, we found that romance scammers typically use pre-built scripts to carry out their schemes. The scripts instruct scammers how to befriend a victim, develop a believable romantic relationship, and extract money. As many romance scammers are overseas and most victims are native English speakers, the scripts try to account for all types of questions that could come up in conversation.

Figure 3: Example of a Script, Source: Social Catfish

Scams on Darknet and Darknet-Adjacent Sites

Discussion of romance scams and the communities involved, including both victims and scammers, can be found on the darknet as well as darknet-adjacent sites. In the examples pictured below, DarkOwl analysts discovered multiple Telegram channels where users seek advice on romance scams from others in the community.

Figure 4: Source: Telegram, Channel Redacted
Figure 5: Source: Telegram, Channel Redacted

Over the course of their research, DarkOwl analysts observed that romance scams are rarely called 'romance scams' directly, but are often advertised and discussed as "catfishing" or "eWhoring".

Most people are familiar with catfishing, i.e. using stolen or fictitious information to create a fake identity and using that fake identity to trick others. eWhoring, on the other hand, entails the theft or leaking of intimate photos, usually of women, which are sold on the darknet in "packs" and used to catfish victims. eWhoring is "revenge porn mixed with catfishing," per Jess Davies, who added that "it's happening to thousands of women every single day, all around the world. They're being traded like a card game, either for new packs, or money."

Figure 6: e-Whoring packs available, Source: Tor Anonymous Browser

DarkOwl analysts found eWhoring methods, guides, and related materials posted in social engineering forums and general discussion sections, and listed as products for sale on numerous darknet marketplaces and forums.

Hundreds of "packs" of women's photos from OnlyFans are available for sale, as well as what are advertised as leaked private photos. eWhoring guides can be purchased on the darknet, although some are offered for free.

Figure 7: Free eWhoring guide, Source: Tor Anonymous Browser

DarkOwl analysts have also observed other products for sale on the darknet to assist with romance scams and eWhoring. These include a "voice verification chat pack" offering to create custom voice messages.

Figure 8: Voice Verification Pack, Source: Breached Forums

Listings from darknet sites and DarkOwl Vision promise $8,000 with eWhoring, or “PRIVATE EWHORING STRATEGIES | AT LEAST $100 A DAY”, and a guide on a darknet site claimed users could make $2,000 a month.

Darknet and darknet-adjacent sites also serve as platforms for victims to ask if they have been a victim of a romance scam, get advice on what they should do, and share their stories to warn others.  

In one DarkOwl Vision search result, a user on a darknet site writes a post about their realization that they have been victimized by a romance scam. This user describes how the scammer gained their trust and pushed them to take out investments. In an attempt to extricate themselves from this situation, the user reports trying to withdraw the crypto they had deposited without the scammer’s knowledge.

While this individual tried their best to convince the scammer to let them withdraw their money by promising bigger investments, the scammer staged a situation in which the trading failed and all of the victim’s money was lost.

Figure 9: Source: DarkOwl Vision
Figure 10: Source: DarkOwl Vision

Final Thoughts on Romance Scams

Romance scams are part of a complex criminal enterprise that exploits unsuspecting individuals emotionally and, in many cases, financially, sometimes with devastating monetary losses.

Per our analysts’ research, there is an overlap between the demographic of people who engage in these types of scams on the surface web and those who also actively use the darknet. The darknet and darknet-adjacent sites are where victims can go to get help, and where a scammer can buy tools and guides to scam more effectively.

For these reasons, the darknet is a potential source to monitor for activity that helps combat romance scams and slow the pace at which they are currently proliferating. Said differently, the darknet can teach the next generation of scammers to be even more sophisticated, while also educating the next potential victims on what to look out for and how to protect themselves.



Quick Definitions: 

Fraud: an umbrella term, legally referring to various types of chargeable criminal offenses. Fraud is serious criminal business, while scams are considered more minor offenses in comparison. Fraud can be thought of as a felony. Scams can be thought of as a misdemeanor.  

Scams: particular segment of fraud. Scams are theft of funds with your permission or knowledge while fraud is financial theft without your permission or knowledge.  

Romance scam: social deception designed for financial gain; however, because the victim willingly gives money, romance scams are not tagged as fraud and instead fall under social media scams.

Catfishing: using stolen or false information to create a fake identity and trick someone into giving information or money.

eWhoring: specific type of social engineering where the offender imitates a virtual partner in a romance scam or virtual sexual encounter. Victims are asked for money in exchange for more image content or are duped into a romance scam. eWhoring packs are sold on darknet marketplaces and forums consisting of leaked or stolen intimate pictures or stolen content resold from adult sites such as OnlyFans.      

Social Engineering: process of psychologically manipulating people to get them to do things or share secret information.  

For a full list of darknet terms, check out our Glossary.

Super Bowl Security and the Darknet

February 08, 2023

Events that bring masses of people together are inherently attractive to cyber threat actors. For one, the physical gathering of such a large crowd offers the opportunity for close-proximity hacking. However, the cyber threats surrounding large-scale events like this are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium that Sunday, there will have been numerous betting transactions made, sponsorship payments delivered, and accounts for fantasy apps created. All of these digital touch points offer threat actors the opportunity for exploitation and theft.

In taking a closer look at the cyber threat landscape around Super Bowl LVII, our analysts turned to the darknet and found examples of key game-day vendors with darknet exposure. This includes exposed credentials and chatter around malware that can allow hackers access to key vendor technologies, such as ticket payment systems.

The Super Bowl as a Target for Hackers 

Cyber incidents impacting large-scale events such as the Super Bowl have ranged from “hacktivists” making political statements to DDoS attacks that have taken down entire stadiums, as witnessed in the 2018 Winter Olympics.

While an attack on that catastrophic level has not been successfully carried out during the Super Bowl to-date, experts agree that it remains a highly attractive target for hackers. Further supporting this notion is a recent example from the 2019 Super Bowl, when – just before the big game – cyber crime group OurMine took over teams’ Twitter accounts, as well as the official account of the National Football League. Per reporting, 15 teams had their Twitter or Instagram accounts compromised, as well as accounts for ESPN and the UFC.

Darknet Risks to the Super Bowl: Key Vendors Pose Supply Chain Risk

The following findings from our analysts present examples using screenshots from the darknet (and dark web adjacent sources such as Telegram), as well as from DarkOwl Vision, our darknet threat intelligence tool.

Gambling & Online Sports Betting Apps 

This year, gambling and sports betting apps are a highly attractive target for hackers for a number of reasons. After legislation legalized sports betting around the nation, these types of apps are now available to, and used by, a far larger share of the population than in previous years.

These types of services are also typically connected to a payment system, allowing users to place bets and access their transactions with minimal effort. From a threat actor perspective, that makes digital sports gambling apps one of the most likely targets for phishing campaigns and account takeover.

DraftKings 

Below is an example of a threat actor selling stealer logs for DraftKings on the darknet site Russian Market. These logs include stolen browser session cookies, which are used to take over accounts and bypass multi-factor authentication at login, since a replayed session cookie is accepted by the site without a second factor. In this case, the vendor is offering “premium” stealer logs for just $10 US dollars.

Stealer logs are typically harvested by threat actors using a category of malware known as “info stealers,” such as Raccoon and Redline.

Figure 1: DraftKing Stealer Logs for sale on a darknet marketplace, Screenshot: DarkOwl Vision, Original Source: Tor, Russian Market

Hackers also gain access to existing DraftKing accounts using more traditional methods like credential stuffing and exchanging combolists to exploit exposed account login information.  
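The two account-takeover paths described above, stolen session cookies being replayed from a new device (sidestepping MFA) and credential stuffing from combolists, both leave a recognizable trace in a service's own authentication logs. The following is an added defensive example, not DarkOwl's or any vendor's code: it triages a constructed set of login and request events and flags (a) a session id presented from a different IP/user-agent shortly after it was issued, and (b) a single source address attempting many distinct usernames in a short window. The log format, field names and sample values are assumptions made for the illustration.

```python
"""Defensive triage of login events for two account-takeover patterns:
replayed session cookies and credential stuffing.

Added illustration with a constructed log format; field names and
thresholds are assumptions, not any real platform's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp|event|user|ip|user_agent|session_id|result
# Session sess-a1 is issued on a Windows browser and minutes later reused
# from a Linux host at a different address (cookie replay). One address
# then walks through eight different usernames (credential stuffing).
SAMPLE_LOG = "\n".join([
    "2023-02-05T18:00:01Z|login|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|sess-a1|success",
    "2023-02-05T18:05:30Z|request|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|sess-a1|success",
    "2023-02-05T18:07:12Z|request|alice|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64)|sess-a1|success",
    "2023-02-05T18:10:00Z|login|bob|192.0.2.5|Mozilla/5.0 (Macintosh)|sess-b1|success",
    "2023-02-05T18:12:00Z|request|bob|192.0.2.5|Mozilla/5.0 (Macintosh)|sess-b1|success",
] + [
    # constructed combolist run: user01..user08 from one address, one hit
    f"2023-02-05T19:00:{i:02d}Z|login|user{i:02d}|198.51.100.200|python-requests/2.28|-|"
    + ("success" if i == 7 else "failure")
    for i in range(1, 9)
])


def parse_events(text):
    """Parse the constructed pipe-delimited log into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, user, ip, ua, sid, result = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "ip": ip, "ua": ua,
            "session_id": sid, "result": result,
        })
    return events


def replayed_sessions(events, window=timedelta(minutes=30)):
    """Flag session ids that are presented from a different (ip, user_agent)
    than the one that created them within `window` of the first sighting.
    A legitimate user rarely changes both; a replayed stolen cookie does."""
    by_sid = defaultdict(list)
    for e in events:
        if e["session_id"] != "-":          # '-' marks events with no session
            by_sid[e["session_id"]].append(e)
    flagged = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        original = (first["ip"], first["ua"])
        for e in evs[1:]:
            fingerprint = (e["ip"], e["ua"])
            if fingerprint != original and e["ts"] - first["ts"] <= window:
                flagged[sid] = {"user": e["user"], "original": original,
                                "replay": fingerprint, "at": e["ts"]}
                break
    return flagged


def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: max distinct usernames tried within `window`} for sources
    that attempt logins for at least `min_accounts` different accounts.
    Successes count too: a combolist run is defined by breadth, not failure."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):       # sliding time window
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sid, info in replayed_sessions(evs).items():
        print(f"possible cookie replay: {sid} ({info['user']}) "
              f"{info['original']} -> {info['replay']} at {info['at']:%H:%M:%S}")
    for ip, n in stuffing_sources(evs).items():
        print(f"possible credential stuffing from {ip}: {n} distinct accounts")
```

Binding a session to the client fingerprint that created it, and re-prompting for MFA when that fingerprint changes, is the mitigation that follows from the first detector; rate-limiting and locking by source address rather than by account follows from the second. Thresholds here are deliberately low to fit the sample and would be tuned against real traffic.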

In the screenshot below, a user on Telegram lists DraftKings as one of the services they have cracked (likely stolen) credential logins for.   

Figure 2: DraftKings accounts among the many listed under compromised credential combolists, Screenshot & Original Source: Telegram 

Other listings for stolen DraftKing accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.   

As demonstrated in the screenshots below from Radiant’s Market, the listing for “DraftKing + bal (New method instant cash)” accounts appears alongside similar listings for other services popular with NFL fans, including Fanduel and Superdraft.

Figure 3: Listing on Telegram for compromised accounts including popular NFL affiliated vendors, Screenshot & Original Source: Telegram, Raidiant Market

BetMGM

The screenshot below from DarkOwl Vision shows multiple listings for BetMGM accounts (in the preview window on the left), as well as a noteworthy result from the darknet carding forum WWH Club. The post is from a Russian-speaking threat actor looking to buy “betmgm.com and fanduel accounts”.

The fact that this solicitation was posted on a carding forum indicates that this actor is actively targeting BetMGM, even linking their Telegram handle for potential sellers. This, combined with the numerous listings for already-cracked BetMGM accounts, demonstrates that these accounts are a desirable target for hackers.

Figure 4: Post on a darknet marketplace soliciting for BetMgM (and Fanduel) accounts, Screenshot: DarkOwl Vision, Original Source: Tor,  WWH Club 
Figure 5: Post on a darknet marketplace soliciting for BetMgM (and Fanduel) accounts, Screenshot: & Original Source: Tor, WWH Club 

Banking Systems

Truist

In January 2021, the bank Truist signed a multi-year deal to be the official retail bank of the NFL. As a result of this agreement, Truist is now the exclusive financial service provider for all facets and personnel within the NFL, including player contracts. Per their website, the services Truist offers include:

  • Banking products and services, including loans and deposit accounts
  • Investment management services  
  • Securities, brokerage accounts and /or insurance (including annuities)  
  • Investment advisory services  
  • Life insurance products 

The partnership between the NFL and Truist also contains a heavy branding component, with the Truist logo now featured on all official NFL materials and marketing campaigns. The combination of Truist’s role in the NFL’s financial security and the newly formed brand partnership tying the two so closely together makes Truist a critical asset for the football league, and an attractive target for threat actors.

Below are several examples of actors on the darknet and deep web actively targeting Truist Bank. 

Figure 6: Post on the forum Cracking X offering a Truist bank account for sale, Screenshot: DarkOwl Vision, Original Source: Telegram, Cracking X 

In the screencapture from DarkOwl Vision above, a user on the site Cracking X offers access to cracked Truist bank accounts for as little as $60 US dollars.  

Figure 7: Another offer for Truist.com accounts on the Cracking X channel, Screenshot & Original Source: Telegram, Cracking X 

Below, two different vendors offer Truist bank accounts with Debit Logs. Both listings advertise that they come with associated Personally Identifiable Information including login credentials, SSN, Date of Birth, and Email Access for bypassing multi-factor authentication.  

The first example pictured contains several listings for stolen or fraudulent Truist bank accounts. One of these advertised listings allegedly contains a balance of $122,000 and is listed for only $1,200 US dollars.  

In the second screenshot, taken directly from Telegram, a more modest listing offers a Truist account with an alleged $14,000 balance for $250 US dollars.  

Figure 8: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 9: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot & Original Source: Telegram 

Ticket Payment Systems

StubHub

StubHub is the official ticket payment system of the Super Bowl, and DarkOwl analysts found numerous instances of StubHub data on the darknet.

Figure 10: Source DarkOwl Vision

Above is a listing on a stealer log marketplace called 2easy Shop, which has a large Russian-language userbase. In this instance, a threat actor is selling access to stealer logs covering one victim’s accounts on StubHub and all the other domains listed. Bulk purchases of these logs typically sell for around $10-$20 US dollars.

Below, users on Telegram offer access to cracked Stubhub accounts, including some that have access to order history and payment methods. 

Figure 11: Users on Telegram sell stolen StubHub accounts, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 12: Users on Telegram sell stolen StubHub accounts, Screenshot & Original Source: Telegram 

Streaming Services 

Sunday Ticket  

NFL Sunday Ticket is a streaming package provided exclusively by DirectTV. While unlikely to pose a direct threat to the NFL, hackers frequently defraud the streaming service by cracking, selling, and trading stolen accounts.

YouTube TV 

While not officially associated with the NFL yet, in 2024 YouTube is slated to pay around $2 billion a year for the rights to the “Sunday Ticket” package, taking it over from DirectTV. While the deal presently does not include commercial rights or give YouTube TV a stake in NFL Media, negotiations are ongoing and that is expected to change. So, while YouTube and its parent company Google are presently a low-risk asset for this year’s Super Bowl, that is something to keep an eye on for next season.

Cyber Risks to the Super Bowl: The Bigger Picture 

While the dispersed and seemingly small-scale nature of these vendors’ darknet footprints may make them appear inconsequential, it is important to consider the bigger picture. There is a good likelihood that threat actors will continue to ramp up attacks surrounding this event, which beyond the financial consequences can have a significant effect on corporate brand reputation.

With attack vectors becoming ever more sophisticated, large events like the Super Bowl, which bring together people and technology at such a high magnitude during such a concentrated period of time, offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can position themselves in the best way possible to get ahead of and respond to cyber incidents.


Darknet Marketplace Snapshot Series: OMG!OMG! Market

November 22, 2022

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features OMG!OMG! market.


OMG!OMG! Market: An Intro

OMG!OMG! market is a large Russian-based decentralized darknet marketplace that this year has been elevated as a ‘Premium Darknet Drug Market’ following Hydra’s seizure in April of 2022. Recently, DarkOwl has observed the market being mentioned more frequently in drug-trade related discussions and advertisements on Russian forums. Many of the vendors on OMG!OMG! were active for years on Hydra, once again showing that although a marketplace is seized, the illicit trade shifts elsewhere and continues. 

To access the marketplace on the Tor network and view vendors’ offerings, market visitors must solve a number- and text-based captcha.

Figure 1: OMG!OMG! Marketplace Landing Page (pre-authentication). Source: Tor Anonymous Browser

The landing page for the marketplace lists the daily exchange rates for Bitcoin and offers the site in both English and Russian. Users can also change the language of the site by clicking on the corresponding flag icons. The look and feel of OMG!OMG! market is very similar to Hydra, with the market’s logo on the top left, search bar in the center, and image-linked vendor shops arranged in a table on the main page. 

Figure 2: OMG!OMG! Marketplace Landing Page. Source: Tor Anonymous Browser

Unique Characteristics of OMG!OMG! Marketplace

OMG!OMG! market shares characteristics that many other darknet marketplaces have; however, there are additional unique qualities that make this marketplace stand out. 

Like most other marketplaces, Bitcoin is the only currency accepted and an escrow payment system is used. Users must have an account, with money deposited in their Bitcoin wallet on the market, to contact the administrators. The site claims it updates the conversion rate between Bitcoin and Rubles every 15 minutes. The marketplace does not list the number of vendors or sellers; however, DarkOwl analysts noted that there are over 3,400 vendors advertising on the marketplace, though not all of those shops may be active. Like some other darknet marketplaces, OMG!OMG! market has a forum connected to the market. However, this part of the site gives the translated error message: “This section is under reconstruction.”

For security and anonymity purposes, the marketplace encourages all users to set up a PGP key and to use two-factor authentication for their accounts.

Each vendor selling within the marketplace displays the number of deals they have completed. Some vendors also have a blue checkmark next to their shop name to indicate that they have been verified by the market’s administration. A selectable heart button is accessible in each vendor shop so that customers may “favorite” certain products.

What really sets OMG!OMG! marketplace apart is its unique ordering and delivery mechanisms. Once a user places an order, the delivery is primarily determined by location. A user is prompted to select their location immediately upon accessing the site’s landing page, which is odd for a darknet market designed to promote anonymity. This location data gives products and vendors in the same location as the customer the option of “instant transactions.” After a customer sets their location in the marketplace, they can search for products that can be delivered to them by sellers nearby.

After customers pay, the vendors, or potentially their hired couriers, physically hide the purchase as a dead drop (referred to by vendors as “treasure”) somewhere in the customer’s geographic area. Finally, the customer receives coordinates and photographs to find and collect their purchase.

Figure 3: Regional Vendor Mapping from OMG!OMG! Market. Source: Tor Anonymous Browser

There are three order options: instant, pre-order, and mail. An instant order, as described above, can be collected by the customer near their location right after they pay online. For a pre-order, the customer waits for confirmation from the seller that the item has been placed at a specified drop location. This takes more time but is customized and more secure than instant. Mail orders need to be confirmed by the seller and are shipped by the seller via post or courier.

Figure 4: Regional Delivery Selection, OMG!OMG! Market. Source: Tor Anonymous Browser

There are also three different ways that instant delivery packages are hidden to avoid possible interception or theft. DarkOwl extracted the excerpt below from OMG!OMG!’s FAQ page; the original content was in Russian.

Editor’s note: We determined that “bookmark,” as translated by Google Translate, means “delivery.”

[TRANSLATED IMAGE]
“There are 3 types of bookmarks – prikop, cache, magnet.
Prikop – the packed goods will be buried shallowly in the ground (possibly in the snow in winter). This type of bookmark provides sufficient reliability from the discovery of a treasure by an outsider, but it happens that it can be difficult to find such a treasure yourself. 
 
Cache – a packaged item is disguised as a third-party item and left in a secluded place or just on the street. Such treasures are often quite easy to remove, the reliability of detection by strangers can be different and depends on the masking. 
 
Magnet – the packaged product is attached to a metal surface in a place inaccessible to a direct view. Usually such treasures are very easy to shoot, but there are not very many reliable places for them.”

OMG!OMG! marketplace’s instant delivery features are built only for customers residing in Russia, but vendors also deliver internationally, such as to the United States and Europe. The marketplace advertises that it supports customers in, and recruits dealers from, the nearby Commonwealth of Independent States (CIS) countries:

“We invite dealers from Kazakhstan and Belarus – we have a significant increase in customers from these countries.”

OMG!OMG! Market: The Products

Drugs are by far the most common good offered for sale on OMG!OMG! market. The categories of drugs advertised include: cannabinoids, stimulants, euphoretics, psychedelics, dissociates, opioids, and pharmaceuticals.

In addition to drugs, other common illicit goods, such as fraudulent documents (e.g. university diplomas, Russian passports, residence permits, driver’s licenses, letters from the internal Ministry of Affairs, etc.), are available on the market. There do not appear to be products such as weapons, or listings that are human-related. The “rules” portion of the market explains that shops involving human trafficking or “renting” are not allowed on the site.

DarkOwl analysts observed digital goods like bank accounts, Qiwi wallets, and SIMs for sale in addition to source code and software, such as Telegram bots.

Figure 5: A fraudulent university diploma from OMG!OMG! Source: Tor Anonymous Browser
[TRANSLATED IMAGE]
“Diplomas and certificates original workmanship, all degrees of protection. Data for the layout: 
1. Name 
2. Date of birth and place of birth 
3. Last place of study (what and in what year was completed, before “entering” a university, technical school, college or vocational school) 
4. Full name of the educational institution (which needs to be made) 
5. Specialty 
6. Years of study 
7. Form of study
8. Approximate estimates (possible as a percentage) 
9. Degree for universities (specialist, master or bachelor) 
10. Full name, address, and phone number of the recipient (Required, this information is needed for the courier service to make delivery) 
11. if there are any samples, then attach them too 
Strictly on the points on the layout, check all the points carefully. After its coordination and approval, the document goes into production, where it will be impossible to correct errors! Manufactured and shipped within 3 working days 
 
More than 5 years on the market! Over 150,000 trades on Hydra.”

The translated advertisement above includes the volume of trades the seller had on Hydra market to establish reputation on OMG!OMG! The OMG!OMG! market administrator added a light blue banner by the seller’s name to indicate the number of deals completed on OMG!OMG! for additional credibility. In this case, the vendor DARKOTIK has amassed several thousand transactions (3,480 total). Many of the drug listings offer detailed information about the products.

Some include direct quotes of buyers’ experiences:

[TRANSLATED IMAGE]
Ecstasy users describe their internal state usually as euphoria, intimacy and closeness to other people – “all people are my friends”; a feeling of “flying, endless happiness, high sensitivity.”

Users who purchase products can provide feedback ratings on quality, delivery, and service on a scale from 1-5 to further establish vendor credibility. The veracity of the information posted is unclear and could easily be falsified.

Figure 6: Diamond product review OMG!OMG! Market source: Tor Anonymous Browser

Some vendors with drug listings have an additional information button next to the product listing. Following this link provides in-depth information for estimated dosage, preparation methods, and description and duration of the product’s effects.

Another category not common with other darknet decentralized marketplaces is job opportunities. This section includes options to apply for commercialized drug distribution supporting roles such as: Pawnbroker, Stock, Carrier, Manager, Chemist, and Grower.

Figure 7: work opportunity listings on OMG!OMG! Market Source: Tor Anonymous Browser

Below is a translated description for a job listing advertised on OMG!OMG! market:

[TRANSLATED IMAGE]
“We are glad to welcome you to “Black Star Mafia”, the fastest growing shop on the site! Due to recent events, many of us have lost our jobs and, consequently, our means of subsistence. 
Experience is not required, we teach from A to Z all the subtleties of conducting shadow activities for your successful and safe development, a manager is assigned to you, someone who will guide you by the hand to the result throughout the entire journey, and will help you at a difficult moment to lighten your burden, reduce all the difficulties are gone. 
 
For communication, write to us in the PM of the store, we answer around the clock!”

These work advertisements likely support the marketplace’s premise that it will deliver directly to you if you are in Moscow.

OMG!OMG! Market: Across the Darknet

OMG!OMG! has been advertised extensively on other popular Russian darknet forums and markets, like Rutor. Many of the vendors active on the marketplace transact across multiple darknet markets including Alphabay, Nemesis, and Narnia.

Figure 8: OMG!OMG! Market on Rutor Source: DarkOwl Vision

DarkOwl has not identified any functional mirrors of the site. The site itself claims that “any other sites, projects, mirrors, etc. have nothing to do with us and are scammers.” Some of the vendors present on OMG!OMG! marketplace have built out their professional operations across the darknet.

One vendor, known as Black Star Mafia, appears to have been involved in drug sales on the darknet for years. They have also been mentioned on Wayaway. A post crawled by DarkOwl Vision in 2018 identified Black Star Mafia in a forum advertising amphetamines in a discussion thread also mentioning coordinates, similar to how instant transactions work on OMG!OMG!

Another post, crawled by Vision in 2019 from an onion site, also identifies Black Star Mafia as a drug dealer and promotes the professionalism and experience of their hoarders. In this instance they are responding to a dispute over a product order and are outlining the requirements necessary to open the dispute.

The administration of OMG!OMG! market is designed to moderate and intervene if there is a dispute between vendors and customers. The rules section of the site details that the names of Administration accounts are highlighted in red.

The use of PGP keys and 2FA mentioned earlier may at some point have caused difficulties for the vendors. Posts crawled by DarkOwl Vision detail vendors having issues with enrollment, with having funds correctly credited to accounts, and with 2FA. A string of posts in a discussion thread sees multiple vendors on OMG!OMG! market describing issues they are having on the market, with some of them calling on “WD” to intervene. After multiple vendors discussed issues they were having with 2FA and enrollment on OMG!OMG!, one commenter wrote:

“WD Don’t you think it’s a seam project and nothing more? Solve the issue in coordination with this site. How many people will suffer before you make the right decision?”

There was also some doubt cast on whether the admin of OMG!OMG! still had control over their account and access to the PGP key. Someone repeatedly brought up issues with 2FA, and the market admin responded that it was temporarily out of order and would be fixed soon. After the issues were not resolved, vendors questioned whether the admin still had access to their accounts. A self-identifying OMG!OMG! admin responded that they were still in control of their PGP key, promised to update the canary within 60 days, and provided the latest Bitcoin hash. Later, another user in the thread pointed out that the admin was very behind on their promised updates.

“With this message, the site admin confirms that everything is fine with him, he did not fuck up his PGP key, and undertakes to update this message within 60 days. Only the date in the message 2021-07-13 is July 13, 2021, that is, this message was left 9 months ago, and already overdue by 7 months.
Either the admin is no longer an admin, or he blew the key, or simply forgot – in any case, these are serious arguments against the site – and in my opinion an official comment is necessary.
Are you pretending not to notice again?”

While researching and writing this piece, DarkOwl analysts observed multiple days where the site was unavailable, which is likely a continuation of the general trend of widespread DDoS attacks against the Tor network. With Hydra out of the way, OMG!OMG! market could be poised for success or targeted for law enforcement intervention. Some of Hydra’s previous vendors appear to have made the migration to OMG!OMG!. However, the more successful a darknet marketplace grows, the larger a target it becomes for law enforcement efforts.

Additionally, prolonged issues with market access, vendors’ ability to access accounts, and discrepancies in money transferred and credited to accounts could all limit the use and retention of the marketplace by vendors and customers alike.


Arms, Drugs, and Human Trafficking on the Darknet

November 09, 2022

After reporting on their discovery of multiple marketplaces on the darknet claiming to be affiliated with various organized crime organizations, our analysts decided to take a closer look to identify potential connections and overlap between the spheres of arms, drugs, and human trafficking on the darknet. 

To further examine this topic, our analysts conducted an extensive survey of vendors trading on the darknet in weapons, drugs, and human trafficking. In doing so, DarkOwl analysts uncovered a confluence between the three economies, indicating a possible interrelationship between the supply routes moving drugs, weapons, and people around the world.

Weapons for Sale

Using darknet, deep web, and high-risk surface web data, DarkOwl analysts discovered multiple arms-centric marketplaces, vendor shops, and other classified-style advertisements for the sale of illegal firearms on the darknet.

DarkOwl discovered arms for sale on darknet onion services hosted on the Tor anonymous network in English, Russian, German, and Mandarin Chinese. A few sites offer mostly the same weapons found in gun stores or from gun resellers around the United States. Other sites advertise military-grade weapons that are typically not available to civilians, including anti-tank guided munitions (ATGMs), e.g. Javelins, AT-4s, and NLAWs, and rocket-propelled grenades (RPGs).

Darknet weapons dealers from BMG (Black Market Guns) advertise that the weapons have not been used, arrive in the original manufacturer’s factory condition, and originate from NATO stockpiles. Some of the photos of the weapons on offer include visible serial numbers and others are stock photos sourced online. Most darknet services offer worldwide shipping with some exceptions to Russia due to their strict import controls.  

Figures 1 and 2: Screenshots from Black Market Guns (Source: Tor Browser Anonymous Network)

A study by the RAND Corporation found that weapons sold on the darknet are typically weapons that were already on the black market, or weapons that were legally owned and then redirected to the darknet. According to the same study, the US was the most common country supplying these markets, while Europe was cited as the largest market for darknet-purchased firearms.

Figure 3: Cache of Weapons Seized by US Department of Justice (Source)
Figure 4: Weapons for sale on Empire (Source: Tor Browser Anonymous Network)
Figure 5: Weapons for sale on FREEGUN (Source: Tor Browser Anonymous Network)

Our analysts also found listings for small arms for sale on darknet and deep web services similar to those seized by law enforcement from individuals charged with conspiring to traffic narcotics and firearms.

On average, DarkOwl analysts found that firearm prices on the darknet were the same as or lower than the prices of the same products on surface web sites. However, in most cases the darknet prices were not significantly lower than those advertised on the surface web.

For example, a “Bushmaster AR15 Tactical Package Semi Auto Rifle” from Empire Market costs $769 USD compared to $1,800 USD on a surface website.

A “Springfield 1911 Ronin Caliber 10 mm” handgun goes for $800 USD on FREEGUN darknet marketplace and for slightly more ($899 USD) on a surface web commerce website.

Figure 6: Springfield 1911 Ronin Offer (Source: FREEGUN, Tor Anonymous Network)

Purchasing a gun online in the United States is not in itself illegal. However, laws and regulations vary from state to state, with most requiring a background check, and additional licenses for more dangerous weapons, especially fully automatic rifles and semi-automatic rifles like the AR-15. Gun regulations in other parts of the world, such as the European Union, are stricter, resulting in more limited access. Therefore, depending on where you are, who you are, and what legal processes you have completed, it is possible to purchase a weapon legally on the darknet. However, it is reasonable to assume that weapons are sold on the darknet primarily to circumvent the processes required for a legal purchase.

For example, FREEGUN advertises that they work directly with smugglers and offers worldwide shipping with the exceptions of North Korea, Sudan, Tunisia, Algeria, Egypt, Iran, Iraq, Syria, and Paraguay. 

“We work with smugglers from Europe, Asia and USA. They will deliver firearms to your house or drop the package at specific place.”

They also mention their stealth practices to avoid detection, including that pistols are taken apart and hidden in power tools. 

Figure 7: Screenshot from FREEGUN FAQ (Source: Tor Anonymous Network)

Countries geographically close to the United States likely do not need to purchase firearms on the darknet and can rely on direct smuggling across the border. For example, an estimated 70% to 90% of guns recovered at crime scenes in Mexico can be traced back to the United States, smuggled across the border by drug cartels. Annually, about half a million weapons illegally enter Mexico from the US; many are military-grade and end up in the hands of drug cartels.

In other areas of the world, like Europe, there is more reliance on weapons purchases via the darknet; one underground marketplace advertised itself specifically as a provider of guns to the European Union. 

The legitimacy of arms for sale on the darknet is widely debated by darknet communities. As is typical on the darknet, many state that any listings of weapons for sale on Tor are scams. 

Drug Trafficking

Arguably, the most well-known source of revenue for organized crime is drug trafficking. DarkOwl analysts have previously released a report detailing the presence of alleged cartel-affiliated marketplaces on the darknet and detailed some of their product offerings including sophisticated concealed shipping.  

Drug trafficking is not exclusive to the darknet. The marketing and sale of illicit substances also occurs on the surface web, on encrypted and non-encrypted chat platforms, and via social media direct messages. Online drug purchases are often delivered to a mailbox or a “dead drop” location, or sellers use postal services or international trade networks.

Encrypted communications networks can serve as a work-around to traditional darknet marketplaces and facilitate single-vendor trade, or “direct deals,” in which vendors interface with buyers directly. Direct deals over encrypted chats give both buyer and seller more privacy, especially from law enforcement, which has become more adept at infiltrating and shutting down darknet marketplaces dedicated to illicit drugs.

According to UNODC, most of the drugs sold in the darknet ship from North America and Europe. The most common country of origin or country of shipment from greatest to least were listed as the United States, the United Kingdom, Germany, the Netherlands, Australia, and Canada.

Darknet Vendors’ Trafficking Methods  

It is common for darknet vendors to talk about their delivery and stealth methods to reassure customers that their purchases will be delivered as advertised and not seized by the authorities. However, vendors and marketplaces must balance revealing enough information about their concealment techniques to gain their customers’ trust while not exposing their methods and routes resulting in law enforcement interdiction.

Some sites simply state that their stealth precautions are robust, and therefore good for buyers, but do not publicly share more details. Others promise that they use the “best equipment” for the “highest stealth and security possible,” or reassure customers that they are experts in some other manner.

A weapons vendor on the darknet commerce site Empire Market advertises that all items are sent with a tracking code and offers major carriers such as DHL, UPS, FedEx, and postal mail as shipping options the buyer can choose from. The market suggests that small orders are shipped inside magazines or binders, while large orders are shipped in boxes with labels made to look like eBay or Amazon packages. Rifles are often disassembled and shipped inside larger appliances, and customers receive separate instructions detailing how to assemble their weapon.

Another listing from a drug vendor found in DarkOwl Vision claims that the packages they send are “untraceable” and “the most discreet.” This vendor claims to take precautions such as vacuum sealing every package, cleaning it with alcohol, and making it “dog proof” and “x-ray proof.”

Human Trafficking

Some of the darkest illicit goods and services that flourish on the darknet because of its anonymity and privacy-centric nature include child sexual abuse material (CSAM), human trafficking, and the exploitation of people both online and in the physical world. Criminals and traffickers have increasingly moved online to exploit victims. Social media platforms can be used to identify possible victims, target and recruit them, and then advertise their exploitation. The internet and darknet can also be used to broadcast live acts of exploitation to a wider audience. While distributing CSAM is not itself human trafficking, the production of CSAM is usually the result of trafficking children for exploitation. CSAM is available on the darknet and on darknet-adjacent platforms.

Using the internet, traffickers can physically exploit the victim in one location but operate in multiple places at once and across borders. These are labeled as “cyber flows” and “are often characterized by victims held and coerced into video performances, allowing the perpetrators to connect with potential clients living abroad. This type of trafficking has been identified in several countries and typically relies on the availability of video equipment and digital recording devices to broadcast victims’ exploitation.”

This is the type of exploitation and human trafficking commonly seen on the darknet. For example, many times listings for human trafficking victims on the darknet will be advertised as “escort services,” “child escort services,” “rentals,” “kid rentals,” and more.

Figure 8: Screenshot from a dark web site (Source: DarkOwl Vision)

Drug Trafficking and Weapons – Connections to Organized Crime and the Darknet

Connections between drug trafficking and arms trafficking are well documented. The relationship between drugs and weapons is corroborated by both research from the government and other non-profit organizations. This same relationship is also seen on the darknet.

A darknet marketplace claiming to be affiliated with CJNG, discovered by DarkOwl analysts, offers drugs for sale. CJNG is one of the strongest cartels currently operating in Mexico and requires weapons to maintain its drug trafficking routes and control.

In January of 2022 the Justice Department arrested four defendants in connection with an investigation targeting a domestic firearm trafficking organization that supplied weapons and ammunition to the Cártel Jalisco Nueva Generación.

Furthermore, the indictment alleges that a “Whittier man led the gun trafficking organization that used narcotics proceeds to purchase assault rifles, hundreds of thousands of rounds of assault rifle ammunition, and numerous machine gun parts and accessories – some of which were smuggled into Mexico, mostly since the beginning of the COVID-19 pandemic.” There is evidence suggesting that organized crime groups such as the CJNG are trading high-powered weapons for drugs with other organized crime groups operating in Colombia.

The flow of weapons from the United States to organized crime groups such as CJNG (as the indictment above indicates) can then be leveraged by those groups to trade for drugs in Colombia, which travel on to Mexico and the United States. Thus, weapons from the United States typically end up in Mexico and Colombia, and Colombian drugs find their way back to the United States.

The Relationship Between Drugs, Weapons, and Human Trafficking on the Darknet  

While there is a long history of connections between drugs and weapons, DarkOwl analysts were curious whether a similar relationship could be observed between weapons and human trafficking, and between drugs and human trafficking. By performing a keyword and language correlation analysis across drug, weapon, and human trafficking related advertisements in DarkOwl Vision, our analysts discovered at least seven unique vendors involved in human trafficking who were also involved in drug trafficking.

Running a similar correlative analysis with 78 aggregated terms for weapons, analysts found that although it is common for weapons and human trafficking to be advertised in the same posts or forums, far fewer vendors dealt in both weapons and humans.

Nevertheless, vendors were identified that offered human trafficking services and other darknet services, such as hitman and hacking for hire. While the content is intentionally redacted for public distribution, the Telegram channels offering the services are the same. DarkOwl analysts also considered the very real probability that the threat actor offering these services is a scammer.

Figures 9 and 10: Screenshots from dark web sites (Source: DarkOwl Vision)

During our analysis, a rare case stood out where one vendor was identified as associated with all three: human, weapons, and drugs trafficking. Although the contact is redacted for this publication, the Wickr ID is the same.

Figures 11 and 12: Screenshots from dark web sites (Source: DarkOwl Vision)
Figure 13: Screenshot from dark web sites (Source: DarkOwl Vision)
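The handle-based correlation described above, as an added illustration that is not DarkOwl's own tooling: it pulls Wickr IDs and Telegram handles out of a set of constructed (not real) listings, maps each handle to the categories it advertises in, and reports handles that cross at least two of the three categories, including the single-handle, all-three case the analysts flagged as rare. The sample listings, category labels, and contact-handle regexes are assumptions made for this example; real listings are far less uniform in how contact details are written.

```python
import re
from collections import defaultdict

# Constructed sample listings (not real darknet data): (category, listing text).
LISTINGS = [
    ("drugs",   "Pure MDMA 100g, vacuum sealed, worldwide. Wickr: nightcourier77"),
    ("drugs",   "Coke 1oz, stealth shipping EU/US. Telegram @grayparcel"),
    ("weapons", "Glock 19 + 2 mags, disassembled in power tool. wickr nightcourier77"),
    ("weapons", "AR-15 tactical, tracked shipping. Contact t.me/ironcrate"),
    ("human",   "Escort services, rentals available. Wickr ID: nightcourier77"),
    ("human",   "Rentals, Europe only. telegram: @grayparcel"),
    ("hacking", "Hitman / hack for hire. Telegram @grayparcel"),
]

# Assumed contact-handle formats for the example; real listings vary far more.
WICKR_RE = re.compile(r"\bwickr(?:\s*id\b)?\s*[:\-]?\s*([A-Za-z0-9_]{3,32})", re.I)
TELEGRAM_RE = re.compile(
    r"(?:\bt\.me/|\btelegram\s*[:\-]?\s*@?|(?<![\w/])@)([A-Za-z0-9_]{5,32})", re.I
)


def extract_handles(text):
    """Return a set of (platform, handle) tuples found in one listing.

    Handles are lower-cased so the same account written with different
    capitalisation in different listings collapses to one key.
    """
    found = set()
    for m in WICKR_RE.finditer(text):
        found.add(("wickr", m.group(1).lower()))
    for m in TELEGRAM_RE.finditer(text):
        found.add(("telegram", m.group(1).lower()))
    return found


def correlate(listings):
    """Map each contact handle to the set of categories it advertises in."""
    by_handle = defaultdict(set)
    for category, text in listings:
        for handle in extract_handles(text):
            by_handle[handle].add(category)
    return dict(by_handle)


def cross_category(by_handle, categories=("drugs", "weapons", "human"), min_overlap=2):
    """Return handles seen in at least `min_overlap` of the given categories.

    Categories outside `categories` (e.g. "hacking") are ignored for the
    overlap count but still visible in the full `by_handle` map.
    """
    wanted = set(categories)
    hits = {}
    for handle, cats in by_handle.items():
        overlap = cats & wanted
        if len(overlap) >= min_overlap:
            hits[handle] = overlap
    return hits


if __name__ == "__main__":
    mapping = correlate(LISTINGS)
    for handle, cats in sorted(cross_category(mapping).items()):
        print(f"{handle[0]}:{handle[1]} -> {sorted(cats)}")
    print("all three:", sorted(cross_category(mapping, min_overlap=3)))
```

A shared handle proves only that two listings point at the same account. As the analysts note, that account may be a scammer, possibly reusing a contact detail lifted from a popular vendor, so a hit is a lead to pivot on (other posts by the same handle, PGP keys, shipping wording) rather than a conclusion about one person operating in three markets.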

Final Thoughts

The darknet cannot show the full extent of the complicated relationship between arms, drugs, and human trafficking. However, using DarkOwl Vision to explore these relationships offers a snapshot of both the physical and digital realms of illicit goods and exploitation, which often accompany each other. Looking at arms, drugs, and human trafficking online ties directly into the real-world implications of these practices.

Regardless of whether some of the darknet marketplaces or vendors mentioned above are scams or law enforcement “honey pots,” the fact that many vendors advertising arms, drugs, or human trafficking show up in at least two of the three categories demonstrates how intertwined these markets, and perhaps their victims and economies, are, and that the illicit markets of the darknet in many ways mirror the real world.



Tensions Between China & Taiwan Realized on the Darknet

October 05, 2022

DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan.

Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence.

This report also demonstrates how recent cyberattacks in August have augmented political criticism of Taiwan, with particular attention to the on-going barrage of leaks surfacing as a result of attacks against key organizations in both countries, and discusses the general darknet sentiment regarding China’s global reputation and a potential invasion of Taiwan.



DarkOwl Data Sources

DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives. 



Cyber Insurance and the Darknet: Part II

August 24, 2022

Earlier this summer we researched the cyber insurance industry and the darknet and reviewed basic policies, first- and third-party coverage and looked at a sample of the type of data insurers might want to monitor the darknet for. We discovered there is an increasingly complex interrelationship between data from the darknet and the organizations involved in issuing cyber liability insurance policies and managing claims.

Cyber Insurance is not a Substitute for Cyber Defense

Surprisingly, we also discovered that most cyber liability insurance policies exclude incidents caused by human error or negligence, as well as events easily preventable by a stable and secure IT defense posture. Security professionals therefore cannot become lackadaisical about their security posture simply because they have procured a comprehensive cyber insurance policy.

Organizations should not be fooled into thinking that cyber insurance is a substitute for robust cybersecurity defense and response.

Some common exclusions in cyber liability insurance include:

  1. Lack of security processes (or poorly developed): Having detailed security policies and a comprehensive incident response plan is necessary for insurance underwriting;
  2. Prior breaches: Data leaks or incidents that occurred before the organization purchased their policy;
  3. Lost mobile IT devices: Most cyber liability insurance policies do not cover lost or stolen personal mobile devices, for example, company CEO leaves mobile phone on an airplane or in an Uber;
  4. Human error: Any cyberattack triggered by basic human error of an organization’s employee;
  5. Insider attacks: The loss or theft of data due to an ‘insider attack’, that is, an employee initiating the cyberattack from within the organization or using their authorized organizational access to launch the attack;
  6. Pre-existing vulnerabilities: Like a pre-existing medical condition, if there is documented evidence of previously identified network vulnerabilities and the company fails to remediate them, then the resulting cybersecurity incident is not covered;
  7. IT infrastructure security improvements: Any costs related to improving the security of information technology systems, e.g. hardening applications and networks;
  8. Criminal litigation: Claims brought as result of grand-jury proceeding or criminal investigation or action;
  9. Acts of War: Traditional insurance policies do not typically cover property damaged during war-time, often referred to as the ‘hostile act exclusion.’ The same is true for nation-state sponsored cyberattacks against businesses.

Given the global cyber conflict unfolding alongside Russia’s invasion of Ukraine, and CISA’s advice that all critical industry sectors raise their security posture, CISOs and security professionals should never speculate about their coverage and should review their cyber insurance policies carefully.

Cyber insurance policies should augment organizational security processes, not replace them. Insurance carriers must carefully analyze each potential policy holder’s security posture and insist on a robust one prior to issuing the policy. Underwriters should evaluate applicants through thorough pre-policy questionnaires and employee interviews, evidence of robust and regular employee security training, domain and network scanning, and darknet monitoring and exposure analysis.

Evidence of a policy holder’s prior breaches, organizational credential exposures, and the risk of insider attacks can be evaluated using a robust darknet database, like DarkOwl Vision.

Insider Risk Increasing & Not Covered by Cyber Liability Insurance Policies

DarkOwl has observed numerous darknet threat actors actively recruiting disgruntled employees, a.k.a. ‘insiders’, to help carry out their attacks and shorten the attack timeline, notably in the ransomware/extortion-as-a-service model of the criminal underground. Banking and financial fraud specialists have advertised that they are seeking banking insiders, and cyber criminals have offered $500 – $1,000 USD to employees of AT&T and other mobile carriers who can assist with SIM swapping. Some recruitment posts offer payment per swap or a percentage commission on the value of the fraud conducted.

On Telegram, LAPSUS$ openly recruited insiders to help with their attacks, calling for employees at telecommunications, software and gaming corporations, call centers, and web/server hosting organizations. They specifically asked for employees with remote access via VPN, Citrix, or AnyDesk.

Figure 1: LAPSUS$ Criminal Gang’s Recruitment of Insiders to provide VPN or Citrix Network Access

Government, healthcare, and insurance carrier employees were also targeted for insider recruitment in a recent deep web post captured by DarkOwl (below).

Figure 2: Source DarkOwl Vision

In early July, in an unusual insider-threat example, a HackerOne employee exploited their internal access to bug reports, resubmitting duplicates of them to collect bug bounty payments. In this scenario, the fraudulent payments could not be recovered under a cyber liability policy unless specifically stated in it.

Prior Breaches & Organizational Exposures

In addition to monitoring for mentions of organizational credential data, like email addresses, hashed and cleartext passwords, and authentication data like session tokens and API keys, DarkOwl Vision can also provide indication of prior breaches and leaked data.
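As an added example, and not DarkOwl Vision’s own matching logic, the following shows the kind of pattern matching an exposure monitor runs over collected posts: it looks for addresses at the monitored organization’s domains, separates cleartext from hashed passwords in combolist-style `email:password` pairs, and flags fixed-format secrets such as AWS access key IDs and GitHub personal access tokens. The domain list, sample posts, and patterns are constructed for this example; the AWS key ID in the sample is the placeholder value from AWS’s own documentation, not a live credential.

```python
import re

# Assumed for this example: the organization's mail domains to watch for.
MONITORED_DOMAINS = {"example-corp.com"}

# Constructed sample post lines (not real darknet data).
SAMPLE_POSTS = [
    "fresh combo: j.doe@example-corp.com:Winter2022! a.smith@example-corp.com:$2b$12$abcdefghijklmnopqrstuv",
    "selling vpn access, proof attached, contact on tg",
    "leaked .env from some startup: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "random user bob@othercompany.net:hunter2",
]

# email, optionally followed by ":password" as written in combolists
COMBO_RE = re.compile(r"\b([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))(?::(\S+))?")

# secrets with a fixed, recognisable prefix and length
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$1$", "$5$", "$6$")
HEX_DIGEST_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def classify_secret(secret):
    """Rough split between a password hash and a cleartext password.

    Crypt-style prefixes and bare MD5/SHA-1/SHA-256 hex digests count as
    hashes; anything else is treated as cleartext. A cleartext hit is the
    urgent one: it can be replayed against SSO or VPN immediately.
    """
    if secret.startswith(HASH_PREFIXES) or HEX_DIGEST_RE.fullmatch(secret):
        return "hash"
    return "cleartext"


def scan(posts, domains=MONITORED_DOMAINS):
    """Return a list of findings for the monitored domains and known secret formats."""
    findings = []
    for idx, post in enumerate(posts):
        for m in COMBO_RE.finditer(post):
            email, domain, secret = m.group(1), m.group(2).lower(), m.group(3)
            if domain not in domains:
                continue  # someone else's exposure; out of scope for this monitor
            if secret is None:
                findings.append({"post": idx, "type": "email_mention", "value": email})
            else:
                kind = "credential_" + classify_secret(secret)
                findings.append({"post": idx, "type": kind, "value": email})
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(post):
                findings.append({"post": idx, "type": name, "value": m.group(0)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_POSTS):
        print(f"post {finding['post']}: {finding['type']} -> {finding['value']}")
```

Pattern matching of this kind is only the triage layer. An `email_mention` with no password may be a harmless public contact address, a cleartext credential should trigger a forced reset and a check of authentication logs for that account, and a flagged API key should be validated against the cloud account’s own inventory before anyone spends time on it.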

Cyber criminals regularly offer to sell or share organizational information they have obtained on the darknet. Such data could indicate that a prior breach occurred at the organization. In August 2020, a post on Telegram indicated that a cybercriminal had obtained significant confidential data from the Intel Corporation. The leak allegedly included over 20GB of documents and product roadmaps for multiple Intel technology programs, offered for only $200 USD.

Figure 3: Source DarkOwl Vision

In the middle of an attack or immediately thereafter, threat actors often openly shame the victim and its IT security department for haphazard network security, ‘poor digital hygiene,’ and weak protection of private information. We recently captured a threat actor sharing proofs of exfiltrated victim data, in an apparent ransomware attack, while simultaneously stating that this was not the first time the victim had been targeted and the personal data of its clients compromised.

The threat actor even alleged they had tried to reach out to the company and provide recommendations on how to secure their corporate network.

“No matter if this is a medicine company, even they do not respect professional ethics and doesn’t care about private information regarding clients, employees, medicine tests, hospital cards, drug tests and researches and any other sensitive Data. They have a lot of vulnerabilities and absolutely careless IT service. We are trying to reach them to help resolve issue and provide a recommendations about how to fix such a bugs in the corporate network. Moreover it’s not the first time they have an issue with IT security and get a breach in their network, so it’s obviously that XXX is not able to protect own Data and personal Data of clients, so everyone can be convinced soon when we will provide the access to the files from one of their servers – XXX from central office with about 5,7TB of Data (and this is just a minor part of what we were able to download). We never tell lies when we saying that we have something, unlike XXX security team, which are telling in the internal or public reports that nothing is compromised and all is in safe. As a final try we are publishing here just a little piece of proof just in the hope that someone from CEO will notice and take under control this issues.” – Source, DarkOwl Vision

Attacks Against Insurance Industry Persist

Ransomware gangs show no slowdown in targeting the insurance industry, with several new attacks on independent agents and family-owned insurance-affiliated businesses around the world in recent weeks. REvil’s stated intention to gain additional information about insurance policyholders, in order to exploit that information in future negotiations and targeting, is apparent. We continue to witness proofs and announcements of such attacks regularly posted by some of the most active and successful ransomware gangs in operation.

Figure 4: Source DarkOwl Vision
Figure 5: Insurance Policies, Cyber Risk Assessments, and Certificates of Insurance Shared From Victim Network – Source DarkOwl Vision

Any entity that interacts with insurance companies is also at risk of a cybersecurity incident or ransomware attack. We have seen ransomware gangs target business processing companies, insurance brokerage networks and underwriting service providers, as well as legal firms that support the insurance industry.

DarkOwl recently observed a legal firm that focuses on representing insurance carriers in disagreements with their policy holders shamed on the LockBit ransomware blog. Earlier the same group shamed the insurance company Risk Strategies – calling their web domain out on another victim’s announcement for not paying a more significant amount for their attack against the policyholder, another legal services company.

Do not use the insurance company risk-strategies.com it will not help you in case of hacker attack, XXX were insured for 1 million dollars, and the fucking faggot insurance agent was able to offer the maximum amount of 45 thousand dollars, this is fraud in the purest form. A full-service law firm delivering consistent, successful results for more than 100 years. Among the fastest growing law firms in the southeastern United States. Our services are customized because each client’s situation is unique. XXX attorneys focus on meeting your current needs, achieving the best possible results, in a cost-effective manner.
– Posted March 2022, Source LockBit Ransomware Blog on Tor
Figure 6: Source DarkOwl Vision

In this piece, we reviewed how cyber liability insurance is not a substitute for solid corporate network security protocols. We reviewed a number of cyber insurance policy exclusions such as war-time, insider threats, and prior breaches, and looked at some examples where the insurance industry itself continues to be targeted by darknet threat actors.



Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.