Author: DarkOwl Analyst Team

Darknet Threat Actor Report: LAPSUS$

In order to curate interesting darknet data collection from sources across the deep web, Tor, I2P and other “darknets” our analysts regularly follow “darknet threat actors” that openly discuss and disseminate stolen critical corporate and personal data.

In December 2021, DarkOwl witnessed increased activity on the darknet regarding the cybercriminal gang known as LAPSUS$. The group appears to have preference for attacking Portuguese-speaking organizations using data extortion-style campaigns and leverage compromised AWS servers where possible. Thus far, LAPSUS$’s attacks seem to have little critical impact to the victim’s organizational operations, with seasoned darknet community members stating the group is “amateur.”

DarkOwl believes the cybercriminal group has potential to become a formidable darknet threat actor with the increasing frequency of attacks in recent weeks. The lethality and economic impact of the attacks against their victims have yet to be determined.

Vodafone Telecommunications in Portugal

Since last December, the darknet threat actor group known as LAPSUS$ has been actively targeting Portuguese speaking services across Latin America and Portugal including prominent media and telecommunications companies on both continents.

Most recently, between 7 and 8 February, Vodafone Portugal – a subsidiary of Vodafone Group in the UK – stated in a press release the company was subject to a “deliberate and malicious cyberattack with the aim of causing damage and disruption.” Open-source reports indicate the attack impacted Vodafone’s 4G/5G voice and SMS service as well as its television services, but no ransom was demanded. While there is limited information about the attack in the press, Vodafone persists no subscriber or sensitive customer data was accessed or stolen.

On the LAPSUS$ Telegram channel, the group posted Vodafone with the eyes emoji without directly claiming credit for the attack. When someone directly asked if they were responsible for the Vodafone outage affecting millions of mobile phone subscribers, they stated:

“we don’t confirm or deny this yet.”

LAPSUS$’s Flurry of Activity Since December 2021

DarkOwl analysts began closely following LAPSUS$ across the darknet, deep web, and adjunct communication platforms since they claimed responsibility for a major cyberattack against the Brazilian Ministry of Health in mid-December. The cyberattack, allegedly “ransomware in nature” compromised Brazil’s Ministry of Health COVID vaccination records database, deleting the entire database contents, and defacing its website with the following message:

[TRANSLATED]

“The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back”

The Brazilian government acknowledged their web services were offline and inaccessible to users for a short period of time without directly admitting it was LAPSUS$ who carried out the attack. The attack was like other ransomware/extortion-based attacks in the reported deletion of data; however, there was never a monetary ransom demand stated nor evidence of the group possessing the data or sharing compromised records on the darknet – despite cheers from their online supporters to release information on President Bolsarno’s vaccination status.

The group posted a statement on Telegram indicating that they had gained access to the Ministry of Health’s Amazon Web Services (AWS) and claimed they did not want to post evidence of their access because they still had access to the system despite the Ministry of Health restoring their services.

On Christmas Eve, the LAPSUS$ group attacked Claro and Embratel Telecommunications companies in Brazil reportedly stole over 10 PB (10,000 TB) of sensitive corporate information and SIM details for Claro customers across mass data storage systems such as: AWS, 2x Gitlab, SVN, x5 vCenter (MCK, CPQCLOUD, EOS, ODIN), Dell EMC storage, and Telecom/SS7.

The group shared screenshots detailing their level of access to the Claro network infrastructure and data on the dark web. We are still investigating how the group originally gained access to Embratel and Claro’s infrastructure. The group emphasized the extent of their access in the companies, highlighting they had access to over 1,500 virtual machines in use by Embratel and 23 unique hosts (IP addresses). From the screenshots, DarkOwl confirmed they used Windows Remote Desktop application to connect to many of the compromised computers within the Claro Network on their web browser. The screenshots included network management utilities for the network and their SIM network.

They also shared screenshots from a Powerpoint presentation they found on Claro’s network that detailed how law enforcement intercepts phone calls, SMS messages, and Claro customer network activity. 

(Note: the images below have been blurred intentionally so as not to reveal PII)

It is unclear from the screenshots shared whether members of the LAPSUS$ group used their local machines or a virtual environment to carry out the attacks. Nevertheless, the desktop of the browser screenshot suggests the OS was Windows and the temperature was 4 degrees Celsius at 21:56 on December 25, 2021.

Applying some simple OSINT analysis using historical weather databases, we discovered São Paulo, Brazil did not have weather conditions at that date/timestamp, but London, United Kingdom experienced similar weather patterns. This either means that the LAPSUS$ Group includes members from around the world or their computing environments are set to the UK/GMT time zone.

Regardless of their physical location, the LAPSUS$ group has preference for attacking Portuguese-speaking organizations on both the South American and European continents. Representatives of the group speak English on their Telegram channel.

In early January, the group conducted similar defacements to the Ministry of Health in Brazil for Impresa, a major media outlet, parent to SIC and Expresso in Portugal.  The group’s access to Expresso’s direct digital resources was extensive. During the attack LAPSUS$ members sent phishing SMS texts to Expresso’s subscribers, posted tweets from the news media’s verified Twitter account, and defaced its Twitter account, pasting to the top of the page the phrase:

 “Lapsus$ is officially the new president of Portugal.” (Source)

Information security researchers have noted that the text on the defacement is ‘Brazilian’ Portuguese – instead of Portuguese from the European continent – increasingly the likelihood the threat actors are based out of Brazil. LAPSUS$ claimed in their defacement they had access to their cloud services at AWS.

[TRANSLATED]

The data will be leaked if the necessary amount is not paid. We have access to the ‘cloud’ panels (AWS). Among other types of devices, the contact for the ransom is below.

Note from our analysts: When we think of “exposed credentials” we generally think of e-mail or server authentication data, e.g. username, e-mail address and/or password. The darknet is also haven for other types of critical corporate data credentials, including developer AWS cloud account identifiers, such as: Keys and Secrets for S3 buckets and web services.

Image: Example AWS_SECRET credentials shared on the deep web (Source: DarkOwl Vision)

Barely a week after the attacks, LAPSUS$ announced on their Telegram channel their next victim had been Localiza Rent a Car SA. The attack appeared to be a DNS spoofing attack on their website, redirecting Localiza website visitors to a porn site instead.

According to open-source reporting, the company reported a “partial interruption” and there was no evidence any customer data or sensitive information was stolen. No ransom demand was made either. 

Less than two weeks later, LAPSUS$ shared a Twitter post from Portugal-based Francisco Martins speaking of how the Grupo Cofina attack was against the company and not an attack on press freedom and another post referencing a popular Cofina journalist. LAPSUS$ never officially claimed responsibility for attacking the Portuguese media outlet that impacted multiple digital content platforms including: Correio da Manhã (Morning Mail), Sábado (Saturday) magazine, Jornal de Negócios (Business Journal), Diário desportivo Record and CMTV. (Source)

Technical specifics of the attack against Cofina are still murky, with little to no information coming directly from LAPSUS$. Security researchers note similarities in the “no ransom demand” style of ransomware, e.g. file corruption and extortion carried out by LAPSUS$, and the fact the group hit other major Portugal-based media companies merely weeks before.

Portugal’s Judicial Police (PJ) are actively investigating the incident and it is not proven LAPSUS$ carried out the attack. The group could be posting to their Telegram to infer their connection without proof and gain criminal credibility.  

Image: Twitter Post Circulated on LAPSUS$ Telegram channel the day of Cofina attack. (Source)

[TRANSLATED]

“The Lapsus group just wanted to shut up Tânia Laranjo #Respect”

Additional Historical Evidence Surfaces

Using DarkOwl Vision, DarkOwl detected previous activity from the LAPSUS$ on the deep web and darknet including posts in July 2021 on RaidForums and other darknet forums claiming they had compromised networks and stolen data for the FIFA soccer games from EA. On those posts, they shared their PGP Key, signed the posts “LAPSUS$”, and logged into the forums using the pseudonym, 4c3.

Image: (Raid Forums, URL available upon request)

Posts from the group on another darknet forum last summer were shared in the English language detailing to EA that they found a Remote Code Execution (RCE) vulnerability in the “frostbite engine” and they had no intention to target console users. This is a typical approach to trying to extort a company for specific vulnerability, e.g. “malicious bug bounty.”

In August 2021, the LAPSUS$ group ended up leaking the EA/FIFA data they had stolen after their attempt at extorting the company for $28 Million USD had failed to materialize. (Source: Raid Forums)

Users on RaidForums indicated the 4c3 moniker for LAPSUS$ on the forum was also tied to a CryptBB staff member known as Cyberjagu who was also trying to sell the EA source code. 4c3 denied any connection. According to open-source reporting, analysts with Blackberry’s Research and Intelligence Division confirmed Cyberjagu is some sort of “intermediary” for the cybercriminal group behind the EA/FIFA attack.

Drama Between Doxbin & LAPSUS$

In early January, the “dox” of a potential LAPSUS$ member surfaced on the controversial deep web paste site known as “Doxbin” and has received over 7,000 views as of time of writing. The dox – intentionally not included here – suggested the LAPSUS$ member was actually a 16-year-old teenager residing in Kidlington, UK and regularly used the pseudonym(s) SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after LAPSUS$ shared hacked internal docs from Doxbin on their Telegram channel on the 5th of January.

According to the LAPSUS$ Telegram channel and the LAPSUS$ Twitter, SigmA (@sigmaphoned/Alexander) might be a “high-ranking” member of the LAPSUS$ group. Since late January, many of the users on Telegram have been trying to reach SigmA, but he’s not responding to messages. The January dox suggested might be in the process of relocating to Spain with his family. (Source: DarkOwl Vision)

Image: Users in LAPSUS$ Telegram Channel inquire about SigmA’s whereabouts

A Preference for Monero Leads to a Telecommunications Phishing Campaign

Last summer, LAPSUS$ also posted a Monero address on a deep web forum discovered by DarkOwl Vision. The same address was also included in numerous scam/phishing reports from users with British mobile telecom providers, EE and Orange. In July, users from EE reported receiving an ominous message from LAPSUS$ demanding EE pay them “4 millions USD” after making normal iTunes purchases. Perplexing to users, the texts arrived from historical “iTunes messaging” phone numbers.

Image: (Source)

Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

Darknet Indicators of Anomalous Health Incidents (AHIs)  

The U.S. Department of State and three-letter agencies across the U.S. Intelligence Community – which staffs a mixture of darknet intelligence and open-source intelligence (OSINT) researchers across a variety of security sectors – have had increasing concern by reports of what the U.S. Government identifies officially as “anomalous health incidents” (AHIs). The news media has generally labeled these incidents as reports of “Havana Syndrome,” due to the fact that the location of the first reports originated from diplomats located at the U.S. embassy in Cuba in 2016, but continues today around the globe.

An interim intelligence report on the subject was recently released by the CIA after President Biden’s call for answers as to the cause of the incidents and Congress passed the HAVANA Act last fall to help compensate victims. The report, briefed by government officials to POLITICO in mid-January, has received criticism for its “preliminary” intelligence assessment, which concluded no U.S. foreign adversary nor specific directed energy weapon is likely behind the nearly 1,000 allegedly directed attacks against government personnel stationed in embassies around the world.

Given the lack of inter-agency coordination on the interim report, it’s unclear whether these findings signal a finale to USG’s overarching investigation. According to open source reporting, there are still several cases the CIA could not explain and CIA Director William Burns issued a statement suggesting the agency will continue to look into the matter.

“We have reason to believe the interim report does not even represent the consensus of the full CIA, instead reflecting the views of a subset of officials most interested in resolution and closure.” - Statement from CIA Director William Burns

Recognizing the uncertainty of the findings and widespread outrage from AHI victims, DarkOwl sought out to gather and assess data across the darknet and deep web to provide supplemental indication of the public sentiment regarding AHIs, as well as additional insights into the potential technological sources that may be targeting diplomats and intelligence officials.

Chatter Spreading Potential Nation-State Sponsored Propaganda

During our research, we discovered indications of deep web users sharing Russia-sponsored anti-US propaganda related to mind-control and directed energy induced schizophrenia. For example, one user shared a link to content of this nature via a WordPress “blog” that directly references and links to an “independent research news website” called “Global Research” (globalresearch.ca). In 2020, the State Department identified the allegedly Canadian news outlet as a Russian controlled propaganda front.

  • According to DNS records, the WordPress blog domain cited (youarenotmybigbrother.blog) on the deep web is hosted on a server located at the IP address: 192.0.78.24/25, located in San Francisco, California.

  • DarkOwl reviewed the “Canadian” Global Research website for mentions of “Havana Syndrome” and surprisingly found no recent mentions of “Havana syndrome” or AHIs or any official neurological research, but instead found multiple re-shares of articles citing a study from the University of Edinburgh directly contradicting the State Department’s 2018 commissioned report from the University of Pennsylvania, peer reviewed and published by the Journal of the American Medical Association (JAMA).

  • The general lack of reporting related to Havana Syndrome on the Global Research website, including disinformation suggesting the incidents are caused directly by the USG or non-foreign directed energy sources, is significant and warrants further analytical review of other known Russian-sponsored propaganda websites.

  • Since the release of the interim CIA report last week, darknet and deep web users are aggressively re-sharing articles and podcasts “debunking” the idea of Havana Syndrome entirely as a mass psychogenic illness resulting from an internal U.S. government propaganda disinformation narrative to demonize Russia and destabilize to US-Cuba geopolitical relations.

Some deep web users hypothesize the remote possibility that US adversarial governments – such as Russia and China – use lower earth orbit satellites and even cellphone towers to direct nefarious RF signals attack targeted individuals.

  • In summer 2021, an anonymous user of the deep web imageboard known as 4chan, theorized that AHIs are caused by Russian space assets or US-based cell phone antennas that have been potentially converted into a microwave microphone to detect speech and inadvertently over-amplifies the signal causing brain damage. Other users of the same forum also imply that these attack vectors could be deployed by the US against their own personnel as part of some sort of covert operation.

  • On the subreddit /r/TargetedEnergyWeapons, Reddit users shared video from a 1985 CNN news report of a U.S. based RF directed energy weapon called the “Brain Bomb” that the U.S. government reportedly never pursued to discredit the USG.

4chan discussion about “Havana Syndrome” being caused by Russian-space listening devices (original thread removed by website since discovery)

Technical Materials Related to AHIs on the Darknet

Our analysts identified numerous mentions of the US government’s historical activities related to psychotronic and psychological warfare. Several deep web users circulated “blogs” – dating back to 2010 – that include a comprehensive archive of information related to potential neurological and psychological weapons developed by DARPA and the US Military as well as similar tools at the disposal of Russian intelligence arms.

The aforementioned blog highlights reports from the early 2000s that Putin supposedly outlawed the use of weapons of psychotronic influence with the intent to cause harm, despite the fact psychotronic weapons were specifically mentioned in open-source reporting of Russia’s advanced weapons state procurement plans outlined for 2011-2020.

“The development of weaponry based on new physics principles; direct-energy weapons, geophysical weapons, wave-energy weapons, genetic weapons, psychotronic weapons, etc., is part of the state arms procurement program for 2011-2020”

— Russian Defense Minister Anatoly Serdyukov after meeting with Putin in March 2012

DarkOwl analysts also observed numerous darknet and deep web users discussing and resharing a 1976 declassified intelligence report from the Defense Intelligence Agency titled, “Biological Effects of Electromagnetic Radiation (Radiowaves and Microwaves) Eurasian Communist Countries (U).”

Segment from declassified 1976 DIA report shared on the darknet

Another report shared across darknet and deep web users originated from the U.S. Army and dates back to December 13th, 2006 . The report was released through an official Freedom of Information Act request by a Mr. Donald Friedman of California, USA.

The document contains an unclassified addendum to another intelligence assessment, which was developed by the National Ground Intelligence Center (NGIC) and likely originated in the late nineties, based on the document number. The US Intelligence Community downgraded the report from SECRET//NOFORN and details the “Bioeffects of Select Nonlethal Weapons”.

Darknet users referencing this report generally used it as supporting evidence that the US military has extensive research on the effects of microwave radiation for battlefield and crowd control use. Like the March 1976 report, the NGIC intelligence reporting regarding the effects of directed pulsed radio-frequency correlate with the symptoms experienced by diplomats and intelligence personnel reporting AHIs.

The report also identifies that the associated technology is readily commercially available, but would need to be customized for intensity variability and targeted use.

US Army response to 2006 FOIA request dated, 13 December 2006.

Segment from the NGIC report detailing the technology’s biological influence on the subject.

The NGIC report further identifies auditory phenomenon experienced by subjects, e.g. “clicking, hissing, ticking, and buzzing” consistent with the 2018 JAMA report consolidating the findings from the University of Pennsylvania clinical study of AHI victims. These symptoms are near identical to symptoms connected with the “Frey Effect,” discussed extensively across chat platform users and Reddit discussion forum participants as well as research conducted by the Robert Lansing Institute.

“Ability to hear the “sounds” depends on high frequency hearing and low ambient noise. Pulsed RF/MW in the 2.4-10,000MHz range produces perceived noises that resemble sounds “such as a click, buzz, hiss, knock, or chirp”–just as diplomats report. ”

— Quote Correlating Diplomats’ Symptoms to the Frey Effect (Source: Robert Lansing Institute)

Segment from the NGIC report detailing the technology’s biological influence on the subject.

One darknet Tor service we identified has over 1,400 technical documents detailing numerous radio frequency (RF) and directed energy (DE) based technologies utilized for such subjects as: mind control, remote viewing, psychoacoustic effect, and electronic surveillance.

Much of the content includes academic research and intelligence agency and military documentation as well as biographies of key academic and intelligence researchers in paranormal studies and mind control related topics. The originating domain has not been online since November 2018, but all available content from the domain is archived in the DarkOwl Vision database of historical darknet records.

Source DarkOwl Vision (DocID: 68eafa7fafe9be29be48f419d8c1fb89b4fa5707)

On another user on Tor posted a report as recently as late August 2021, describing US Navy sound-based non-lethal weapon program. According to the post, this program utilizes a recording of the target’s own voice, captured with a long-range microphone, that the system distorts by applying phase shifting and auditory track overlay and feedback.

The weapon, called the Acoustic Hailing and Disruption (AHAD) system, then transmits the high intensity auditory signal directly back to the target using a parametric speaker, disorienting them to the point of they are confused and cannot speak.

Darknet post detailing US and Russian non-lethal weapon technologies. (Source: DarkOwl Vision – DocID d75544cb73549b3db675562290debec678700692)

A darknet discussion forum user talks of Active Denial Systems (ADS) to cause a sensation of being on fire for crowd control. (Source: DarkOwl Vision – DocID 1b851c844c50ed2099adce8ba48e4963146dc6b3)

The same darknet service also highlights a similar technology called the 5P-42 Filin that has purpotedly been in production since 2019 by the Russian military. This technology allegedly uses a pulsed beam of light to disrupt a target’s vision and cause temporary nausea.

According to additional open-source reporting, the Filin, also known as the “Eagle Owl” in Russian, was originally manufactured for use on large naval warships and frigates by Russian state military contractor, Ruselectronics, and considered a “weapon of mass disorientation.”

A ground-based portable version of the same system is in development (if not already in production) for use by special forces in close-combat anti-terrorism operations.

Brochure detailing technical specifications of the Russian 5P-42 Filin Weapon System. (Source)

AHIs on the darknet and deep web: AHI technologies for sale and hobbyist experimentation

DarkOwl analysts also observed that EMF-based technologies and associated hardware could be purchased from darknet marketplaces and improvised using COTS products to conduct targeted rogue AHIs and human neurological experimentation.

During the course of our investigation, we also uncovered evidence of electromagnetic frequency generators, designed for jamming wideband telecommunications signals such as: GSM, LTE, and GPS for sale on darknet marketplaces for under $500 USD.

With the knowledge provided across other darknet and OSINT sources about ADSs, the device could be easily improvised and repurposed for a malicious objective. DarkOwl detected an advertisement for limited quantities of a military-grade frequency jammer in September 2020 for $1,200 USD.

The documents shared on that darknet domain includes specific frequencies and intensities of unique RF and DE waveforms to cause specific bioeffect and could be easily replicable by hobbyist electrical engineers with access to darknet and deep web content.

In one circumstance, a San Francisco-based Medium user known as “Jay” has purportedly been “targeted by DEW [directed energy weapons] for the last four years” and has since been researching directed energy extensively to better understand the threat. As of November 2018, he had concluded the frequency of the threat fell within the range of 18 and 50 GHZ conducting measurements with commercially off the shelf (COTS) Narda and Trifeld electromagnetic frequency (EMF) meters.

Other deep web sites also include posts with detailed step-by-step instructions for how to make “Home Made” Active Denial Systems using commercially-available 2.4GHz wavelengths using items readily available inside someone’s residence. The author implies the length of the 2.4GHz waveforms can remotely induce headaches, fevers, cataracts, or other chronic-fatigue symptoms in a human target.

“Home Made” Directed Energy Weapon described on the deep web (Source redacted for security purposes)

AHI conspiracy theories on the darknet and deep web

At the conclusion of our analysis, we determined that most of the content related to AHIs from underground darknet and deep web sources is driven by conspiracy theories. For example, in July 2021, one user on a Telegram channel postulated that “Havana syndrome” and “Monkeypox” were a concerted agenda to cover up adverse reactions from the COVID vaccination.

By and large, this type of fear, uncertainty, and doubt is widely circulated and quite popular across the deep web, in particular, “anti-vax” communities and clearly not remotely accurate, given AHIs were recorded well before the COVID-19 pandemic.

Source DarkOwl Vision DocID: 5c860642d80f221e6a86199fb915877285140bea

Long before reports of AHIs surfaced in public news media, the darknet and its associated underground communities housed a considerable population of anti-government advocates with deep rooted beliefs in a “deep-state” – including the notion that western governments sanction and/or actively conduct non-consensual psychological and neurological experiments on its populations.

Believers are equipped to evangelize other forum and chatroom members, armed with reports relating to government projects like Mk Ultra, NSA’s TEMPEST, and “Silent Talk” and detailed research pertaining to peripheral topics such as synthetic telepathy, active denial systems, and psychotronic influence. Many times, such users are quickly labeled “tin-foiled hats” and easily dismissed; however, DarkOwl analysts have witnessed their influence increase since the Guardian published information leaked by Edward Snowden and increased circulations of reports of AHIs outside of Cuba and China.

Some darknet discussion forum users assert they had been directly attacked with directed energy attacks in a similar fashion to AHIs of deployed State Department personnel. There is no way to confirm the veracity of such statements.

Darknet users discussing the Havana Syndrome (Source: DarkOwl Vision -DocID: 47c5b3b89f1176fe6f025b3346af860fcb680d49)

Some deep web users have also been circulating blog content from the surface web that supports the idea of a global New World Order with the ability to control mass populations and targeting individuals with AHI for a specific and often nefarious agenda. Users point to the persecutory delusion known as “gang stalking” and associated websites replete with technical and academic content in attempt to legitimize their conspiracy theory and their perception of being targeted directly by the government.

  • According to DNS records, the blog referenced above (gangstalkingmindcontrolcults.com) is hosted on a server at the IP address: 192.124.249.178 and is located in Menifee, California.

Conclusion

During the course of our research, our analysts identified a significant quantity of Havana Syndrome-related information across numerous sources in the underground. Much of this information is directly tied to anti-US propaganda, disinformation campaigns, and baseless conspiracy theories. However, there is also legitimate information on active denial directed energy weaponry circulating in a violence-inciting atmosphere on the deep and dark web, which can easily enable and embolden an ordinary person’s ability to successfully carry out sinister attacks using AHI technology.


Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

Disappearance of Darknet Markets Point to Potential Exit Scams or Seizures  

After observing unusual darknet marketplace activity over the past few weeks, our analysts performed a retrospective investigation that uncovered a widescale shift of the active-marketplace spectrum. This investigation was prompted by the observation that, over the last two weeks, a number of prominent darknet marketplaces suddenly went offline without any indication of their return, or any explanation regarding the cause of their disappearance. Upon further analysis, data demonstrated that in late December, URLs for over 30% of the known darknet markets operating on Tor would not load. The volume of downed marketplaces prompted DarkOwl’s team to take a closer look, only to discover an underground community as perplexed as we were.

Was this the result of a coordinated marketplace Exit Scam?

Figure 1: Graph depicting the status of darknet markets over the last 9 weeks

In response to this sudden mass-closure of darknet markets, users on the popular discussion forum, Dread suggested that it was a concerted “Exit Scam.” So, what is an exit scam?

The darknet is home to many a scammer and darknet marketplaces have historically been a high-stake risk for buyers, who will often deposit cryptocurrency on the market “in escrow” to transact through the market with illicit goods’ vendors. Over the years, DarkOwl has witnessed several marketplaces shutdown without warning to their buyers or vendors and escape with several million dollars’ worth of their customers cryptocurrencies in the process. This can occur similarly with vendors who take their buyers funds for a good or service and never deliver. Either scenario is referred to as an “exit scam.”

Very few marketplace administrators publicly “retire” and gracefully shutdown their operations like White House Market (WHM) did back in October 2021.

More often, the darknet rumor mill across forums and discussion boards hints at the potential “exit scam” of a market a few weeks prior to its disappearance. For example, when Wall Street Market (WSM) shutdown in April 2019, it was believed that WSM admins had exit scammed their buyers and vendors with one moderator further attempting to extort the market’s users for 0.05 BTC or risk them leaking their known physical addresses of record from transacting on the market. Shortly after Germany’s criminal police unit, known as Bundeskriminalamt (BKA) announced they had seized the market, its digital infrastructure, and arrested at least three administrators in Germany.

Tracking the online/offline status of darknet markets per week

DarkOwl analysts compiled the following table, which tracks the status of each darknet marketplace in question over the course of the weeks during which the heightened activity occurred.

A market’s status is changed to CLOSED once the market has been OFFLINE for 3 to 4 weeks in a row or the administrator of the market has announced retirement or exit scam on a public discussion forum or Dread subdreadit.

Figure 2: Chart depicting the status of darknet markets over the last 9 weeks

Did persistent DDoS attacks lead to marketplace admin retirements?

Other theories around this shift in the market point to the potential scenario of administrator burnout and subsequent retirement after reportedly repeated DDoS attacks in recent months.

In the middle of December, Torrez Market officially stated their retirement with the market admin, known as mrBlonde, advising darknet users to “use common sense” and avoid using an “established market” stating that as the older the market gets, the more likely it will be to collapse.

Shortly before the new year, a DDoS attack appeared to have affected a handful of markets, including Cartel Market who posted they were experiencing outages which took the market without any official word from their administrator. Vendors on the market suggest they lost access to their accounts prior to the DDoS attack.

Around the same time Cannazon also suffered from DDoS attack and then posted they were “retiring” and not pulling an exit scam.

“Everyone knew this day would come. No market will be here forever. We are officially retiring.”

— Cannazon Team PGP Message

DDoS attacks prior to market shutdown have been analogous with the “canary-in-the-coal-mine” to a market seizure by an international law enforcement effort. Law enforcement could have easily taken over the Cannazon admins’ accounts and posted the PGP message on Dread. Nevertheless, there are some indications from the darknet community that a war between marketplaces has emerged in recent week with DDoS as the weapon of choice.

As of time of writing, users from World Market stated they were getting 502 errors and the market appeared to be under heavy DDoS attack. Two days ago, the market administrator, Lovelace posted a message directed at Dark0de claiming the competitor market team were using a circuit tool attack (DDoS) against World Market’s main mirror and ASAP Market. The comments included a lengthy post by DeSnake, the administrator of the recently revitalized AlphaBay Market.

Coincidentally, the URLS for the market called “Potluck Market” since mid-November, have been redirecting to World Market. Potluck market supposedly closed back in late 2020 after a scandal ensued when the market staff hired a known pedophile. Potluck staff member, Florida, shared how equally important verifying staff before hiring is to OpSec in a lengthy post on Dread shortly before the closure.

Late last week, Dark0de was also inaccessible and two weeks ago the market’s admin posted they too were under DDoS attack on their Dread subdreadit.

DarkFox market was offline for over 5 days for “maintenance” and many Dread users feared it too was exit scamming, but as of time of writing, the market appears back online and stable along with a new mirror equipped with “anti-DDoS filters.”

On a German discussion forum, one user posted that they believe Monopoly Market – offline since the end of 2021 had also exit scammed.

Users on Dread have been equally concerned with posts titled “RIP Monopoly” on their subdreadit. The moderator for the subdreadit, ShakyBeats, proposed locking down the board until word from the market administrator was heard. Another user indicated that the exit scam theory was weak considering a week before it went down the administrator launched an “update” to the market server software that updated critical dates of the vendor and buyer’s activities for orders on the market. The user theorized this would be lost effort if the administrator had planned to scam a week later.

Notably, after the DDoS attack that impacted Cartel, around the end of December, several markets including: ASAP, Yakuza, TOR2Door, Monopoly, Archetype, and TOR Market all went offline and seemingly headed to a “CLOSED” status. But this week, TOR2Door and TOR Market rallied back online.

Versus Market, a popular market throughout 2020 and offline since early November after enabling DDoS protection, also suddenly reappeared operational without any announcement of their return.

Four other markets: Quest, Hermes, Nemesis, and MGM Grand also appeared back online after being offline since early November. DarkOwl has no indication these market administrators are working together, but their appearance all at the same time is suspicious.

–   DarkOwl Vision has knowledge of Nemesis market since fall of 2021, and their market launch page claims they have been operational since May 2021. The subdreadit for the market, /d/NemesisMarket has been banned for rules violations, suggesting this market may have been run by scammers.

–   The Hermes subdreddit appeared on Dread a year ago with a post claiming they had 500 users registered from their market moderator, Stitch3s. There has been no new activity since the re-launch.

Final Thoughts

DarkOwl determined during this quick analysis that darknet markets are experiencing instability with many markets either under heavy DDoS and possibly on the verge of exit scam. DarkOwl believes Monopoly, Cartel, Yakuza, and Archtype are offline permanently and Torrez and Cannazon exited due to retirement.

While some suspect that it was a large-scale Exit Scam operation, others have hinted that it could be the by-product of an international law enforcement operation. Interestingly, at the end of last week, seven of the markets that were previously offline and had been assessed as closed permanently appeared from the ashes, only eliciting further skepticism around the markets and their credibility in general.

It’s unclear whether the DDoS activity against the markets that have recently disappeared is related to a law enforcement activity as the Justice Department has yet to post any seizure banners or make any official announcements. DarkOwl will continue to follow this closely and provide more information as it comes available.


Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would be ending support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to start migrating their hidden darknet websites – known as onion services – to the more secure v3 address scheme. For non-technical users of the Tor anonymous network, this seems inconsequential nor applicable to them, except Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. Tor project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized for relay operators that updated their node with the latest software version.

Within that month, Tor Project did update the Tor Browser to version 10.5.10 disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered depreciated v2 onion services are still accessible with legacy browser client executables. Then, just this week, Tor Project released Tor Browser 11.0.1 which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.

Screen Shot 2021-10-16 at 4.28.55 PM.png

In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services and schedules new v3 addresses discovered for crawling and indexes the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time, provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or setup to merely act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes of which: 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged its visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were inaccessible back in July and disabled all their v2 addresses when the Tor Project simply disabled the creation of new services in the 0.4.6. release last summer.

Figure 1 Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Figure 2: Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Other users are skeptical of the shift, especially those that firsthand experienced multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly due to uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 2 Source DarkOwl Vision Document about v3 domain outage due to consensus health

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was setup as an experiment in encrypted network topography in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, hence where the term “onion v2” originates. DarkOwl Vision Users Can Read More in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter acronyms government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks, which often force a criminal onion service to a LE-controlled guard node, (a.k.a. sniper attack), and circuit fingerprinting attacks.

Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that aren’t related to keys.

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is automatically generated when the onion service is originally configured using a public key.

V3 onion service addresses are discernible by their lengthy 56-character address, e.g. Tor Project’s v3 address looks like: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, where its v2 address is 16-characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address hashes represent an 80-bit number in base32 that contains the RSA public key of the onion service, where the v3 is 256-bit representation of its Elliptical Curve Cryptography (ECC) public key. Therefore, the onion service address is essentially a cryptographic representation of the originating domain’s information and a principal justification for network administrators encouraging exclusively using a more secure form of addressing.

The v3 address utilizes SHA3/ed25519/curve25519 cryptography which is considerably more secure than v2’s SHA1/DH/RSA1024 address encryption. The v2 addresses have been the standard for 15 years and the network overdue for a more secure mechanism to become standard.

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline of the depreciation process, first removing the option to create new v2 onion services earlier this year and and releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client logs records numerous [WARN] messages when the client accesses a legacy v2 onion service, despite displaying the website contents in the browser.

Figure 3 Depreciation Warning Notification on all v2 Onion Services from July 2021 onward

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s Github, eliminating v2 from the Tor network involves:

o   Modifying HSDir to stop accepting or serving v2 descriptors

o   Introduction points will stop allowing introductions for v2.

o   Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Depreciated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date specified. Even though the introduction points no longer allow for v2 onion service address introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these latest changes.

In early October, Tor Developer David Goulet edited Tor Project issue #40476 removing the 3rd bullet above stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket with the disable SOCKS connections for v2 addresses in mid-October and closed the ticket.

Interestingly, in version tor-0.4.7.2-alpha, last modified less than a month ago, developer release notes focus on a new consensus method for v3 network congestion control and closes ticket #40476 by returning “bad hostname” for v2 onion service addresses.

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly uses less CPU computational activity and subsequently less electricity to reduce e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


 Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

Tor v2 Deprecation Shifts Darknet Landscape

DarkOwl has unprecedented coverage of data from prominent darknets including Tor (or The Onion Router), which is widely considered to be the most well-known and popular darknet. In order to maintain collecting content from darknets such as Tor, our engineers continually monitor technological changes and advances in hidden services networks. In doing so, we often have unique insight in to the shifting landscape of the dark web.

Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would be ending support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to start migrating their hidden darknet websites – known as onion services – to the more secure v3 address scheme. For non-technical users of the Tor anonymous network, this seems inconsequential nor applicable to them, except Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. Tor project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized for relay operators that updated their node with the latest software version.

Within that month, Tor Project did update the Tor Browser to version 10.5.10 disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered depreciated v2 onion services are still accessible with legacy browser client executables. Then, just this week, Tor Project released Tor Browser 11.0.1 which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.

Screen Shot 2021-10-16 at 4.28.55 PM.png

In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services and schedules new v3 addresses discovered for crawling and indexes the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time, provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or setup to merely act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes of which: 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged its visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were inaccessible back in July and disabled all their v2 addresses when the Tor Project simply disabled the creation of new services in the 0.4.6. release last summer.

Figure 1 Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Figure 2: Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Other users are skeptical of the shift, especially those that firsthand experienced multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly due to uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 2 Source DarkOwl Vision Document about v3 domain outage due to consensus health

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was setup as an experiment in encrypted network topography in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, hence where the term “onion v2” originates. DarkOwl Vision Users Can Read More in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter acronyms government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks, which often force a criminal onion service to a LE-controlled guard node, (a.k.a. sniper attack), and circuit fingerprinting attacks.

Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that aren’t related to keys.

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is automatically generated when the onion service is originally configured using a public key.

V3 onion service addresses are discernible by their lengthy 56-character address, e.g. Tor Project’s v3 address looks like: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, where its v2 address is 16-characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address hashes represent an 80-bit number in base32 that contains the RSA public key of the onion service, where the v3 is 256-bit representation of its Elliptical Curve Cryptography (ECC) public key. Therefore, the onion service address is essentially a cryptographic representation of the originating domain’s information and a principal justification for network administrators encouraging exclusively using a more secure form of addressing.

The v3 address utilizes SHA3/ed25519/curve25519 cryptography which is considerably more secure than v2’s SHA1/DH/RSA1024 address encryption. The v2 addresses have been the standard for 15 years and the network overdue for a more secure mechanism to become standard.

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline of the depreciation process, first removing the option to create new v2 onion services earlier this year and and releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client logs records numerous [WARN] messages when the client accesses a legacy v2 onion service, despite displaying the website contents in the browser.

Figure 3 Depreciation Warning Notification on all v2 Onion Services from July 2021 onward

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s Github, eliminating v2 from the Tor network involves:

o   Modifying HSDir to stop accepting or serving v2 descriptors

o   Introduction points will stop allowing introductions for v2.

o   Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Depreciated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date specified. Even though the introduction points no longer allow for v2 onion service address introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these latest changes.

In early October, Tor Developer David Goulet edited Tor Project issue #40476 removing the 3rd bullet above stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket with the disable SOCKS connections for v2 addresses in mid-October and closed the ticket.

Interestingly, in version tor-0.4.7.2-alpha, last modified less than a month ago, developer release notes focus on a new consensus method for v3 network congestion control and closes ticket #40476 by returning “bad hostname” for v2 onion service addresses.

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly uses less CPU computational activity and subsequently less electricity to reduce e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


 Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

Analysis of E-mail Domain Preferences by Ransomware Operators

To learn more about the technology habits of ransomware operators, DarkOwl analysts conducted a brief survey of content issued by RaaS groups over the last few years and collated mentions of any email domains they provided for victims to initiate contact with them. The data we analyzed included ransomware notes harvested from multiple darknet sources from 2016 through the first two quarters of 2021.

The chart below depicts the results of our findings, and demonstrates which email services were and/or are popular amongst ransomware gangs over the past several years.

Distribution of E-mail Domain Preferences by Ransomware Group by Calendar Year

Distribution of E-mail Domain Preferences by Ransomware Group by Calendar Year

Quick Takeaways

  • Since 2019, ransomware criminal gangs prefer the Swiss-based Protonmail and German-based Tutanota encrypted e-mail services over other e-mail service providers. The data included in this analysis summed the domains mentioned across all service provider TLDs, e.g. .ch, .io, .pm, etc.

  • E-mail service providers AOL and India.com were most popular in 2016 and 2017 but use of these providers have dropped off considerably in recent years.

  • Google’s Gmail has experienced moderate, alibeit consistent use by many ransomware criminal groups.

Tutonata emerges as most popular email service in 2021 thus far

For the first half of 2021, Tutonata appears to be leading Protonmail in total email accounts mentioned across notes published in the first two Quarters of 2021. Both email services have been the subject of controversy over recent years, including last December when open source reporting indicated that the German government had been forcing Tutanota to setup backdoors, enabling law enforcement to monitor and read e-mails in plain text.

While the reason for the decline in Protonmail’s popularity can not be stated definitively, the fact that the service has been the subject of debate is likely a contributing factor. In 2019, some users across the darknet and Reddit began spreading rumors that ProtonMail was likely a law enforcement honeypot – citing how its Tor service redirects back to the surface web upon account creation. Theories that developers at MIT with oversight from the NSA, CIA, and DARPA assisted CERN with Protonmail’s source code and encryption development. Further arguments included how Protonmail stores email data and metadata in formats similar to those that Edward Snowden had stated the CIA requires. (Source)

This debate is heated and greatly divided with many stating the Privacy WatchDog Blog detailing how Protonmail is a honeypot is anti-Protonmail propaganda website, spreading FUD and baseless conspiracy theories. Additional reports suggest that the CIA for decades has utilized front-companies and technical organizations based in Switzerland to spy on European governments, adding fuel to the paranoia and conspiratorial chatter.

Future Predictions

While the trends for email address domains observed during the first two quarters of 2021 are consistent with preferences in recent years, this data analysis further predicts that the total number of email addresses from ransomware victim notes for 2021 will be likely less than totals observed from previous years.

We predict this due to the volume of ransomware groups utilizing alternative communication methods with their victims. DarkOwl has observed numerous links to Telegram accounts and real-time chats directly hosted Tor darknet onion services to conduct ransom payment negotiations in lieu of traditional e-mail based communications.

 
Example conversation between ransomware gang and one of its victims on a chat service

Example conversation between ransomware gang and one of its victims on a chat service

 

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

AvosLocker Debuts Service on Tor for Press Releases

Since the beginning of July, information security researchers who have been keeping up with the darknet ransomware community have been anxiously awaiting the debut of AvosLocker’s official Tor service, which will be used as a forum for the ransomware-as-a-service (RaaS) group to communicate with the public about their victims. In early July, DarkOwl observed a v2 Tor onion service branded with AvosLocker’s name and brand logo – a purple bug with green-tipped antennae – stating that the reader’s (victim’s) network and hard drives had been “encrypted using AES-256 military grade encryption.”

The landing page (pictured below) included a simple form where victims with an “ID” could enter the darknet service to begin negotiations with the AvosLocker team on their ransom payment and status of their extorted data. An ID is only available to those who received a ransom note upon encryption of their computer networks.

 
Figure 1: AvosLocker Victim Onion Service on the Tor anonymous network (captured July 8, 2021)

Figure 1: AvosLocker Victim Onion Service on the Tor anonymous network (captured July 8, 2021)

 

The new onion service – collected by DarkOwl automated crawlers on the Tor anonymous network earlier this week – lists at least six victims consisting of a mixture of transportation and logistics corporations and legal firms across the globe.

Editors note: DarkOwl has intentionally chosen not to disclose the victims’ names and has sanitized all mentions of victims in the screen captures below included in this piece

 
Figure 2: AvosLocker Press Release Onion Service on the Tor network (captured July 13, 2021)

Figure 2: AvosLocker Press Release Onion Service on the Tor network (captured July 13, 2021)

 

DarkOwl also detected an AvosLocker affiliate registration and login portal on their original v2 Tor service. The registration form indicates AvosLocker issues invitation codes for access to the domain.

There is no mention of AvosLocker or their logo on the affiliate-related portal onion services (pictured below).

 
Figure 3: AvosLocker Affiliate Login Portal on the Tor anonymous network (captured July 15, 2021)

Figure 3: AvosLocker Affiliate Login Portal on the Tor anonymous network (captured July 15, 2021)

 

Returning back to AvosLocker’s debut of their new, branded onion service, it is worth noting that ransomware operators set up public PR-oriented blogs for any number of reasons:

  1.     They are truly a brand-new ransomware operator conducting ransomware campaigns against victims, employing a unique ransomware encryption cipher, as well as other tactics, techniques and procedures (TTPs);

  2.     They are an existing RaaS affiliate with enough profitable and successful operations to warrant their own victim shaming Tor service; or

  3.    They are a seasoned ransomware operator who is intentionally attempting to obfuscate their operation’s identity by rebranding and changing aliases of key members.

The fact AvosLocker is operating as a RaaS gang employing the traditional “affiliate” model – as noted by the login portal above – means it is highly unlikely they are an affiliate of an existing RaaS group and more likely a rebranding of existing RaaS operator.

Accompanying this theory, DarkOwl analysts quickly observed that the AvosLocker’s new service has striking resemblance to other websites established on Tor, more specifically the infamous Doppelpaymer RaaS gang.

DarkOwl has no indication that AvosLocker is an affiliate of Doppelpaymer, or if it has merely copied the HTML/CSS templates employed by the Doppelpaymer group; it is not uncommon for hosts of Tor onion services to create websites that look and feel like previously published services.

In contrast to the AvosLocker’s service, the Doppelpaymer leaks service on Tor requires the visitor to solve a reCAPTCHA and enable Javascript for the domain to load properly.

 
Figure 4: DoppelPaymer Ransomware Leak Service on Tor anonymous network (captured July 2, 2021)

Figure 4: DoppelPaymer Ransomware Leak Service on Tor anonymous network (captured July 2, 2021)

 

Doppelpaymer has plenty of justification to rebrand their operations, but there is insufficient evidence at this time to confirm AvosLocker is their new brand. In December of 2020, the FBI issued a warning against the Doppelpaymer RaaS gang after a series of attacks last fall in Europe resulted in the death of healthcare patient in Germany. (Source)

The last victim posted on the Doppelpaymer leak service is dated back to May of 2021, and the last one before that was in February. This might suggest Doppelpaymer could be slowing down its operations to avoid additional scrutiny from the media and law enforcement.


Interested in learning more? Contact us to learn how darknet data applies to your use case

Round-up of the Latest Ransomware Gangs Operating on the Darknet

Ransomware as a service (RaaS) gangs readily use darknets like the Tor Project for coordinating their attacks. DarkOwl analysts frequently observe threat actors discussing vulnerabilities and attack vectors, contracting with initial access brokers (IABs) for exposed credentials and access, negotiating directly with victims for ransom payments, and publicly shaming victims through releasing information about attacks and selling/auctioning extorted data. Since the disappearance of Maze Cartel last year and DarkSide this year – shortly after the attack on Colonial Pipeline that crippled a U.S. fuel supply line – DarkOwl has observed many RaaS threat actors come and go, rebranding with nuanced differences. Affiliate programs also increase the presence of new RaaS partners operating similar global campaigns.

This round-up will introduce the new and emerging RaaS groups that DarkOwl has observed as actively operating on the darknet today.

LV Blog

Threat actors behind the LV ransomware appear to have deployed their own personalized version of the 2.03 source binaries developed by the infamous REvil/Sodinokibi ransomware group. The LV ransomware group appears to be targeting victims in France as indicated by their latest public announcements.

Pictured (above) RaaS Group: LV Blog

Pictured (above) RaaS Group: LV Blog

Arvin Club

Arvin Club, a group that touts the mantra “Born to Connect” [translated from Persian], launched their own services on Tor, with victim data and other well-known data leaks including RockYou2021 and the Compilation Of Many Breaches (or COMB).

Arvin Club’s Telegram Channel has been active much longer than their Tor onion service and is quite popular. The channel predominantly contains re-shares of other data leaks (including the information stolen from the Ministry of Intelligence of Iran), press reports of significant cyber attacks, and onion service URLs for popular ransomware groups.

On the 5th of July, Arvin Club announced a statement refuting rumors accusing them of cooperating with the Iranian government.

In the recent hacking case, we are accused of collaborating with the Iranian government. We do not accept this and deny it. We did not buy any data from anyone.

— Statement from Arvin Club [quote has been translated from Persian to English]
Pictured (above) RaaS Group: Arvin Club

Pictured (above) RaaS Group: Arvin Club

Xing

Xing is a self-claimed Chinese-language ransomware assessed to be an affiliate of the Avaddon/MountLocker ransomware family. Shortly after DarkSide hit Colonial, Xing hit another critical company to the pipeline industry, with an entry on its Tor service for Linestar Integrity Services, known for providing maintenance, compliance, auditing, and IT services to pipeline clients.

Interestingly, they refer to their victims as “participants” as if they had a choice in being targeted by the ransomware variant.

Pictured (above) RaaS Group: Xing

Pictured (above) RaaS Group: Xing

LockBit 2.0 – Reboot

Last summer, LockBit along with Sekhmet were allegedly key members of the Maze Cartel, e.g. ransomware affiliate program. LockBit 2.0 is a reboot of the original group’s activities with a new Tor onion service and call for “partners” keeping with the affiliate RaaS model of most darknet ransomware groups.

In their Conditions for Partners and Contacts press release they list “encryption speed and self-spread functions” as “unparalleled benefits of their ransomware software and include a list of software tests performed to back their claims.

Pictured (above) RaaS Group: LockBit 2.0

Pictured (above) RaaS Group: LockBit 2.0

Lorenz / SZ40

Lorenz’s Tor service features the tagline “Nothing personal, it’s strictly business” with an extensive list of victims in their short time of operation, launching back in April 2021. In late June, Dutch cybersecurity researchers at Tesorion released a decrypter that they were able to develop after extensive reverse engineering of this malware variant.

Pictured (above) RaaS Group: Lorenz

Pictured (above) RaaS Group: Lorenz

HiveLeaks

The Hive ransomware group appeared in June with little self-proclamation but instead jumping right into leaking victim data. Each victim post includes the date it was encrypted and the date when the data will be disclosed in the event of non-payment. They are credited with the security breach of software and data solutions provider, Altus Group, which took place in mid-June.

Pictured (above) RaaS Group: Hive

Pictured (above) RaaS Group: Hive

Prometheus

Prometheus arrived in early 2021 with claims that they were a “group of REvil.” DarkOwl analysts noticed this association had been removed from their domain in late June, perhaps due to the increased publicity REvil has received for attacks against Kaseya and JBS.

According to open-source reporting, the Prometheus ransomware variant has possible associations with the Thanos ransomware variant.

Pictured (above) RaaS Group: Prometheus

Pictured (above) RaaS Group: Prometheus

The image below is the logo for Prometheus ransomware in early June advertising their association with REvil. This designation has been removed from their Tor onion service.

rw-8.jpg

Grief

The Grief ransomware has marketing and branding down to it a tee, with its “Grief came to …” theme for its public shaming of victims. The ransomware group’s latest Tor service also include infographics to illustrate the financial and economic impacts of not paying ransomware.

Pictured (above) RaaS Group: Grief

Pictured (above) RaaS Group: Grief

Vice Society

Not much is known about the latest newcomer to the ransomware community, Vice Society. They do not have any partners listed on their Tor service which features the tagline, “With Love!” Known victims include more than one school district, suggesting they are not interested in very lucrative ransom payouts. Vice Society is assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.

Pictured (above) RaaS Group: Vice Society

Pictured (above) RaaS Group: Vice Society


 

Interested in learning more? Contact us to learn how darknet data applies to your use case

 

TBG Security chooses Darknet Data Experts, DarkOwl to bolster its Risk Management Services

Denver, CO – WEBWIRE – Thursday, April 29, 2021

“Most of our clients realize that it’s only a matter of time before information from or about their organization and/or it’s people gets posted on the dark web,” says Frank Murphy CEO, TBG Security.

Threat intelligence experts TBG Security have partnered with DarkOwl, the leaders in darknet data, adding another critical module to their risk management suite of solutions.

TBG will now be able to leverage to power of DarkOwl’s vast database of darknet content on behalf of its clients helping to ensure that they are minimizing uncertainty in an increasingly hostile information environment. TBG helps organizations plan, implement and monitor successful cyber security programs that align with their business objectives.

Mark Turnage, CEO at DarkOwl comments: “The professionals at TBG Security have worked in cybersecurity for years and their wealth of knowledge and dedication to their clients are best in class. Whether your goal is to comply with regulatory requirements, test your system for vulnerabilities or improve your overall security posture, they will tailor an offering to meet your needs.”

TBG Security offers a wide range of security services, all designed to improve and maintain an organizations overall security posture. They leverage their expertise in cyber security, risk and compliance management, virtual CISO, vendor risk management, security consulting, penetration testing and red teaming. TBG designs and delivers solutions to work in harmony with a company’s existing operations and has been assisting clients of various sizes for over 15 years.

“Most of our clients realize that it’s only a matter of time before information from or about their organization and/or it’s people gets posted on the dark web,” says Frank Murphy CEO, TBG Security. “By partnering with Dark Owl, we are providing our team with access to the largest dataset of darknet intelligence, putting us in a much better position to provide our clients with a complete and accurate picture of the threats posed to their business as well as their personnel. As a trusted advisor to our clients, leveraging DarkOwl allows us to provide our clients with a comprehensive view of their risk posture and positions us to better protect them against the bad actors.”
 
About TBG Security
TBG Security is a leading provider of information security and risk management solutions for Fortune 1000 and Fortune 500 companies. TBG designs and delivers cybersecurity solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, security strategies for compliance, vendor risk management, physical, network and application security thru penetration testing and red teaming. We tailor our solutions to meet your business needs. For more information visit us at https://tbgsecurity.com.

About DarkOwl
We are darknet experts. DarkOwl was founded in 2016, and we are the world’s leading provider of DARKINT™ darknet intelligence and offer the largest commercially available database of darknet content. DarkOwl enables cybersecurity organizations, law enforcement and government organizations to fully understand their security posture and detect potential breaches and violations of the law and mitigate them quickly. We offer a variety of options to access our data, please visit us at www.darkowl.com

 

Media Contact
For DarkOwl:
Kim Ketchel
Director of Marketing, DarkOwl

FinClusive Taps Darknet Data Expert Darkowl to Broaden Its Initiatives to Provide Inclusive Financial Access

FinClusive is breaking the mold of financial access for millions of businesses and individuals with Compliance as a Service, supported by tools such as darknet data intelligence.

Denver, CO – WEBWIRE – Tuesday, December 8, 2020

DarkOwl and FinClusive announced today a partnership that will enable FinClusive access to DarkOwl’s massive darknet database in support of its Compliance as a Service (CaaS) platform and its mission to expand access to financial services to the underserved.

FinClusive is the only provider that is built on proven systems to create secure, user-friendly financial engagement and is delivering the core elements of a scalable and compliant-centric digital financial services platform. Their goal is to bring secure, compliance-centered banking to the 2.5 to 3.5 billion people and businesses worldwide who are financially excluded or underserved and make compliance simple and access to basic financial services seamless.

Amit Sharma, FinClusive’s CEO states, “As many as 3.5 billion people and millions of organizations worldwide are underserved or excluded from the financial system.  It’s not enough to simply put the tools in place to enable organizations that provide financial services to be the most robust bunker on the planet; that bunker must allow more people and businesses into the system.  Our partnership with Dark Owl will enable greater transparency and security while making financial access easier for many around the world.”

FinClusive’s Compliance as a Service (CaaS) is an automated and full-stack financial crimes compliance (FCC) solution in one workflow designed for traditional banks and modern financial technology companies. Features include:

  • Evaluate actual vs perceived compliance risk—of individuals and businesses

  • Dynamically screen thousands of data and risk management sources globally

  • Comprehensive due diligence—from basic to enhanced, and offline data—fully integrated

DarkOwl CEO, Mark Turnage comments, “FinClusive’s approach to compliance is revolutionary and it provides a single risk and compliance gateway to secure financial services that have been out of reach for so many small businesses, individuals and non-profits. We applaud their mission and recognize their groundbreaking technological expertise and look forward to a very successful partnership”
 

About FinClusive
FinClusive is a hybrid fin-/reg-tech company that provides a full-stack financial crimes compliance (FCC) platform that facilitates inclusion (access to secure accounts and payments) for the world’s financially underserved and excluded.  FinClusive recognizes the growth in alternative financial services and technologies and the opportunity they afford to supporting financial inclusion globally, and we help bridge these growing systems and traditional banking with comprehensive compliance to reinforce financial system integrity and access in tandem. Learn more at www.finclusive.com
 

About DarkOwl
We are darknet experts. DarkOwl was founded in 2016, and we are the world’s leading provider of DARKINT ™, darknet intelligence and offer the largest commercially available database of darknet content. DarkOwl enables cybersecurity organizations, law enforcement and government organizations to fully understand their security posture, detect potential breaches and violations of the law and mitigate them quickly. We offer a variety of options to access our data, please visit us at www.darkowl.com
 
 
 
 
 
 
Media Contact
For DarkOwl:
Kim Ketchel
Director of Marketing, DarkOwl
[email protected]

Tactical Analysis Intelligence and Darknet Data Experts DarkOwl Engage in Partnership to Accelerate Risk Assessment and Management

Tactical AI is excited for the opportunity to enhance our current data search and monitoring services with expanded darknet data through our partnership with Dark Owl. Tactical AI’s search system provides critical data used for legal disputes, risk management, and due diligence, while our monitoring system provides our clients with prompt alerts necessary to limit the damaging effects of information security breaches.

“Our mission is to provide the most comprehensive set of information available on the surface, deep, and dark webs, and in the timeliest possible manner,” says Wayne McDowell, CEO of Tactical Analysis Intelligence. “The scope of the darknet data provided by Dark Owl and the speed in which it is received allows us to gather complete and accurate threat and business intelligence pictures for our clients and to promote an immediate and quick response.”

Leveraging 30+ years in the cyber security, threat and risk industry, Tactical AI’s proprietary analysis technology uncovers information not available using traditional techniques, allowing businesses to make informed decisions more quickly and solve the toughest and most critical business problems.

DarkOwl CEO Mark Turnage comments: “This is a great fit for our vast darknet database, Tactical AI’s proprietary deep search system and their breach monitoring ability taps directly into DarkOwl’s power. We are thrilled to assist them in protecting their clients IP, PII, financial information and data from exposure.”

Tactical AI’s team consists of legal experts, private investigators, former intelligence officers, and security and risk management specialists. They routinely monitor both public and non-public internet sources to ensure that their clients remain safe from cyberattacks.

About Tactical Analysis Intelligence
Tactical AI is a data search and monitoring company with offices located in Chicago, Illinois and Toronto, Canada. With over 30 years in the cyber intelligence industry, we provide information not available using traditional techniques, allowing businesses to make informed decisions more quickly and solve the toughest and most critical business problems. Tactical AI’s monitoring services have helped protect Intellectual Property, Asset Data, and Financial Information from breach and exposure to competitors. www.tactical-ai.com

About DarkOwl
We are darknet experts. DarkOwl was founded in 2016, we are the world’s leading provider of DARKINT™, darknet intelligence and offer the world’s largest commercially available database of darknet content. DarkOwl enables cybersecurity organizations, law enforcement and government organizations to fully understand their security posture, detect potential breaches and violations of the law and mitigate them quickly. We offer a variety of options to access our data, please visit us at www.darkowl.com

Media Contact
For DarkOwl:
Kim Ketchel
Director of Marketing, DarkOwl

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.