Author: DarkOwl Content Team

Shining a Light on the Good side of the Darknet: A Hidden Resource for Positive Change 

April 24, 2025

We often associate the darknet with a negative stigma, primarily due to its frequent portrayal in the media for illicit activities and cybercrimes. However, much like the surface web, the darknet is a wide-open space that hosts a variety of resources – some of these resources are incredibly positive and life-changing. In this blog, our hope is to shine a light on the beneficial aspects of the darknet and explore the sites and services that make a positive impact on society. 

In an age where privacy is increasingly under threat, the darknet offers individuals a crucial safeguard for anonymity and freedom to express their thoughts without censorship. For people living under oppressive regimes where free speech is restricted or monitored, the darknet can be a haven. 

One of the most well-known privacy-focused platforms is ProtonMail, an encrypted email service that allows users to communicate safely without the fear of surveillance. SecureDrop is an open-source platform developed by the Freedom of the Press Foundation, allowing journalists to receive tips from whistleblowers and activists without exposing their identity. These services are critical tools in protecting privacy and supporting democracy and transparency.

The darknet provides a critical space for those fighting for human rights. Websites like The Tor Project provide the infrastructure that allows individuals to browse the web anonymously, reducing the risks of being tracked or persecuted. Activists can use the darknet to share critical information about political oppression, corruption, and human rights abuses without fear of retaliation.

Whistleblower sites give individuals a platform to report government or corporate wrongdoings while protecting their identities. Whistleblowers help expose corruption and injustice on a global scale. Many journalists, including those at major news outlets such as The Guardian or The New York Times, rely heavily on these darknet platforms to connect with sources who need to remain anonymous for their own safety. 

Although controversial, the darknet is a hub for educational resources. Multiple darknet sites are dedicated to providing free knowledge in areas ranging from cybersecurity to history and politics. These platforms can be indispensable to individuals who want to learn but cannot afford traditional schooling, or who are cut off from it by government censorship or other forms of censorship.

Academia.edu is a darknet academic resource that provides access to papers, books, and research that may be blocked or restricted in certain countries. This access to free education empowers individuals to improve their skills and reach knowledge that may otherwise be out of reach.

This might surprise some, but there are many legitimate charitable organizations and support groups that operate on the darknet to assist those in need. For people in dangerous situations, whether they are refugees, victims of domestic violence, or living under oppressive regimes, the darknet offers a safe space to access vital resources.

The Hidden Wiki offers links to the support networks that provide guidance on escaping from abusive relationships, finding medical care, and accessing counseling services. These resources can be critical for people who cannot access help through traditional means due to the fear of being tracked or judged. 

While the darknet is notorious for illegal activity, there are also legitimate marketplaces that focus on privacy and security. These marketplaces allow people to buy and sell goods while keeping personal information private. Some marketplaces provide privacy-conscious alternatives for purchasing legal items, like books, software, or hardware.

OpenBazaar is a decentralized marketplace that allows users to trade goods and services directly with one another, using cryptocurrency for payments. OpenBazaar was built on the principles of privacy, freedom, and distribution, offering a safe and anonymous way to transact without the interference of third-party entities.

In some cases, the darknet has served as a lifeline during times of crisis. For instance, during political unrest or natural disasters, the darknet has provided an outlet for individuals in need of urgent assistance or communication. Various groups have used the darknet to organize rescue operations or provide emergency services to people in need. 

This is most evident in countries facing censorship or political turmoil, where the darknet becomes a vital tool for maintaining open lines of communication. People can continue to organize protests, share information about the safety of family members, and coordinate relief efforts.

While the darknet is often associated with its darker, more malicious side, and rightly so, it’s important to recognize that there is a great deal of good happening below those layers of the surface. From protecting privacy and freedom of speech to supporting human rights and providing resources for those in need, the darknet offers much more than what is often portrayed in the media.

By highlighting these positive aspects, we can begin to build awareness and understanding of the true potential of the darknet as a force for good. It is a tool, and as with any tool, its value is determined by those who wield it. When leveraged for privacy, security, and human rights, the darknet can provide vital services that improve the lives of individuals and strengthen society as a whole.

If you’re interested in exploring the darknet firsthand or discovering its positive aspects, it’s crucial to educate yourself on the best practices for navigating it safely. DarkOwl has compiled a list of six best practices for exploring the darknet which you can find here.



Why We Need Big Data Analysis for the Dark Web

April 22, 2025

The modern intelligence analyst simply cannot cope with the wealth of data at their disposal.

The sheer volume of available intelligence is overwhelming. Nowhere is the need for large-scale automated analysis clearer than in open-source intelligence (OSINT), where the darknet plays a critical role.

As Randall Nixon, Director of the Open-Source Enterprise at the CIA, warned: “It’s amazing what’s there…the next intelligence failure could easily be an OSINT failure, because there’s so much out there.”

The U.S. Office of the Director of National Intelligence (ODNI) has designated OSINT the “INT of first resort.” Recent global conflicts, including those in Ukraine and Gaza, have underscored OSINT’s critical role in modern intelligence.

Cybercriminal marketplaces, encrypted messengers, forums and hacker sites serve as hubs for illicit transactions, where drugs, weapons, extreme politics, stolen credentials, malware, and hacking services are openly traded. These platforms operate much like traditional e-commerce sites, complete with vendor ratings, escrow services, and customer reviews. Because this ecosystem excludes no one, its growth is effectively unbounded.

Darknet data is a goldmine of intelligence. Unlike structured enterprise datasets, darknet data is chaotic, multilingual, and riddled with deception, requiring robust machine learning techniques to extract meaningful insights.

Darknet data is inherently messy, containing slang, obfuscation techniques, and multilingual text, to say nothing of short-lived, transient sites and pages. Additionally, much of the data is stored in an unstructured format, making it difficult to apply Natural Language Processing (NLP) and Large Language Models (LLMs) effectively. Many darknet sites also introduce deliberate noise—web pages filled with random or misleading content—to further obscure information.

Legal and Ethical Risks

Since the darknet is designed for anonymity, traditional privacy regulations don’t always apply in the same way they do for regulated social media. However, the ethical implications of darknet surveillance must still be considered, especially when handling sensitive intelligence and personally identifiable information (PII).

Illegal Content

Darknet data often includes information related to illegal activities, which can pose significant challenges for generative AI and Large Language Models (LLMs). Many models have built-in safeguards that restrict processing such content, making off-the-shelf AI solutions less viable for darknet analysis. Additionally, the more specific the input data, the harder it is to bypass these restrictions. For example, extracting insights from a full dataset structure is generally easier than pulling highly specific details, such as product names, which may trigger model safety mechanisms.

The goal of intelligent systems should be to enhance human capabilities, enabling people to focus on higher-value, strategic decision-making, and creative tasks rather than routine processing.

As darknet activity continues to expand, advanced big data analytics and AI-driven methods will be essential to making sense of this vast, high-risk ecosystem.

Quantum Computing increases computational power so that week-long analysis will take minutes, with unprecedented levels of accuracy. Recent leaps in quantum computing will ensure the processing of Darknet data is considerably easier.  

Human Behaviour Analysis in Anonymized Spaces

When no one is looking, how do people behave? The darknet provides a unique perspective on human behavior—a reflection of how individuals and groups act when they believe they are untraceable. Under the veil of assumed anonymity, forums and marketplaces reveal unfiltered reactions to the outside world. This creates an opportunity for social scientists, intelligence analysts, and behavioral researchers to study criminal psychology and radicalization patterns.

Graph Neural Networks (GNNs) are particularly effective for link prediction and clustering, helping identify, for entity resolution, connections that may not be obvious through traditional analysis.

Anomaly Detection and Trend Monitoring

Detecting anomalies in darknet activity is essential for identifying emerging threats. Analysts tracking illicit trades look for anomalous patterns in trade volume, pricing, and vendor behavior—indicators that may signal disruptions, law enforcement interventions, or the emergence of new criminal enterprises.

Predictive Analysis and Threat Forecasting

By analyzing historical data, organizations can predict the likelihood of future cyber threats, misinformation campaigns, and illicit trade patterns.

As Greg Ryckman, Deputy Director for Global Integration at the Defense Intelligence Agency (DIA), stated: “We need a professional cadre that does open-source collection for a living, not amateur.”

With the integration of AI-powered predictive models, darknet data can be used to simulate complex scenarios, sanitise PII and help organizations prepare for emerging risks—whether that be the spread of disinformation, shifts in ransomware tactics, or geopolitical cyber threats.

DarkOwl is exploring the use of LLMs to identify additional personally identifiable information (PII) entities. By refining these models to detect structured elements within highly unstructured text, we are developing tools that can track cybercriminal activity and detect fraud at scale.

Beyond entity extraction, we are also applying topic modeling techniques to classify and label darknet content. By using Latent Dirichlet Allocation (LDA) and transformer-based models like BERT, we have successfully categorized subsets of forums, marketplaces, and chat data. We plan to expand on this work to create unique digital fingerprints of these spaces. This will allow us to track shifting trends, identify when threat actors migrate from one marketplace to another, and detect the resurgence of illicit communities following law enforcement takedowns.

We have successfully applied Generative AI models to pull structured product details from specific darknet marketplaces. We plan to expand this work to allow us to monitor illicit trade trends, track specific vendors, and assess market shifts over time. As our AI models continue to structure and analyze darknet data, we gain deeper visibility into longitudinal trends.

We are exploring AI-driven summarization, named entity recognition (NER), clustering, and topic modeling to filter out irrelevant noise and surface high-priority leaks. By applying AI-powered triage mechanisms, we can determine which breaches pose the greatest risk to organizations.



Q1 2025: Product Updates and Highlights

April 17, 2025

Read on for highlights from DarkOwl’s Product Team for Q1 that kicked off a strong 2025, including new exciting product features.

Teaming 

DarkOwl Vision UI now supports team management by an organization administrator. The organization administrator can arrange users into teams and assign team owners. Teams can be assigned to work together on Cases, including all related alerts, saved searches, and search blocks. Users will see a new My Teams page within the Settings section, which will display their teams and assigned Cases. 

Case Findings

The Cases feature was updated with a new section—Findings. Vision UI users can save important search results and alerts into their Cases as Findings, to research and dive into later. Findings capture the original result, and then provide annotation capabilities to create Snippets, add Notes, or organize by Criticality or Tag. The Note element increases collaboration opportunities with teammates.  

Leak Visualizations

Leak Explore visualizations give clients more insight into the composition of each leak. Clients can now see a graphic of the top file extensions within each leak, with an option to view the full list of extensions. This feature is also available in our API. 

A new visualization to view Alerts on a timeline is now available in both Case Alerts and Personal Alerts. This summarizes Alerts generated by criticality, over time. 

Another client request was to make bulk actions more easily accessible and readily available. Now, when you start selecting Alerts, an “Actions” button will appear and give bulk options for creating Case Findings or deleting a subset of alerts. 

Highlights

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. 

The team had overall astounding growth of 44% in data leak records. To break it down, the team had 4% growth in email addresses, 12% growth in credit card numbers, 27% increase in total collected I2P documents, 10% growth in total collected paste documents, and another 12% growth in total collected records from Telegram – just to highlight a few.

When search results come from data leaks, users can review additional information curated by DarkOwl analysts, providing enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or via the Leak Context API endpoint.

TXTLOG Alien

A batch of infostealer logs, associated with the Alien TXTLOG Stealer Logs, was made freely available on TXT LOG ALIEN, a Telegram channel, between March 4, 2025 and March 18, 2025. Data exposed includes rows of URL:LOGIN:PASSWORD combinations that may include websites, IP addresses, usernames, email addresses, plaintext passwords and various other sensitive information.
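As an added example (not DarkOwl's own code), the block below shows how a defender might parse rows in the URL:LOGIN:PASSWORD shape described above, where the URL itself contains colons (scheme, port) and the password may too, and match them against the organization's own domains so affected accounts can be reset. The sample rows and the monitored domain `example.com` are constructed.

```python
"""Parse URL:LOGIN:PASSWORD infostealer-log rows and match them against
monitored domains, never retaining the plaintext secret in the output.
Added example; the sample rows below are constructed, not from any leak."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# A naive line.split(":") breaks because the URL carries colons of its
# own (scheme, port).  Anchor on structure instead: optional scheme, a
# host, optional numeric port, optional colon-free path, then a login
# without ':' or '/', then the remainder (passwords may contain colons).
ROW_RE = re.compile(
    r"^(?P<url>(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?[^:/\s]+(?::\d{1,5})?(?:/[^:\s]*)?)"
    r":(?P<login>[^:/\s]+)"
    r":(?P<password>.+)$"
)


@dataclass(frozen=True)
class Credential:
    url: str
    login: str
    password: str

    @property
    def host(self) -> str:
        """Lower-cased hostname of the URL; a bare host without scheme works too."""
        target = self.url if "://" in self.url else "//" + self.url
        return (urlsplit(target).hostname or "").lower()


def parse_row(line: str) -> Optional[Credential]:
    """Return a Credential for one row, or None when the row is malformed."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return Credential(m["url"], m["login"], m["password"])


def in_scope(host: str, login: str, monitored: set[str]) -> Optional[str]:
    """Return the monitored domain a record belongs to, if any.

    A record is in scope when the URL host is the domain or a subdomain of
    it, or when the login is an e-mail address on that domain (the second
    rule catches corporate accounts reused on third-party sites)."""
    login_domain = login.rsplit("@", 1)[1].lower() if "@" in login else ""
    for domain in monitored:
        if host == domain or host.endswith("." + domain):
            return domain
        if login_domain == domain:
            return domain
    return None


def triage(rows: Iterable[str], monitored: set[str]) -> dict:
    """Parse rows, keep in-scope records, and redact the secret.

    Each alert carries a fingerprint (SHA-256 of host and login) so the
    same exposure can be recognised when it resurfaces in a later dump
    without the plaintext password ever being stored downstream."""
    alerts, malformed = [], 0
    for line in rows:
        if not line.strip():
            continue
        cred = parse_row(line)
        if cred is None:
            malformed += 1
            continue
        domain = in_scope(cred.host, cred.login, monitored)
        if domain is None:
            continue
        fp = hashlib.sha256(f"{cred.host}\0{cred.login.lower()}".encode()).hexdigest()[:16]
        alerts.append({
            "domain": domain,
            "host": cred.host,
            "login": cred.login,
            "password_len": len(cred.password),   # length only, never the value
            "fingerprint": fp,
        })
    return {"alerts": alerts, "malformed": malformed}


# Constructed sample rows in the URL:LOGIN:PASSWORD shape (not real data).
SAMPLE_ROWS = [
    "https://portal.example.com/login:alice:Sup3r:Secret!",     # colon inside password
    "https://mail.other.org:8443/owa:bob@example.com:hunter2",  # port; e-mail login in scope
    "http://10.0.0.5/admin:root:toor",                          # IP host, out of scope
    "shop.example.com:dave:p@ss:word",                          # bare host, no scheme
    "this line is not a credential row",                        # malformed, counted
]
MONITORED = {"example.com"}

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS, MONITORED)
    for alert in result["alerts"]:
        print(alert)
    print("malformed rows:", result["malformed"])
```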

Oracle Cloud Sample

Data purported to be from Oracle Cloud servers was posted for sale on BreachForums, a hacking forum, on March 20, 2025. According to the post, Oracle’s traditional servers were hacked, exposing over 6 million user customer records. Data exfiltrated is reported to include usernames, names, company names, keys, locations, passwords, email addresses, countries, employee information, phone numbers and mobile numbers. A sample database was posted as proof of the claim. The threat actor alleged that data was stolen from Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, including Java KeyStore (JKS) files, passwords, key files, and Enterprise Manager Java Policy Store (JPS) keys. The threat actor noted the SSO passwords are encrypted but sought support to decrypt the LDAP hashed passwords from the threat community. The threat actor revealed, via a file, around 140,000 domains of companies impacted and demanded payment to prevent the sale of employee information, noting the individual companies could contact him directly about removing their specific data prior to the sale. Further, the threat actor issued a 72-hour ultimatum for Oracle to respond via official company channels.

Zacks.com

Data purported to be from Zacks was posted on BreachForums, a hacking forum, on January 24, 2025. According to the post, in June 2024 Zacks Investment Research experienced a data breach exposing their source code and their databases containing 15 million lines of customer and client data. Data exposed includes user identification (UID), company names, names, email addresses, phone numbers, usernames, passwords, and physical addresses.

Ticketmaster

Data purported to be from Ticketmaster was posted on LeakBase, a hacking forum, on July 9, 2024. According to the post, the breach is from 2024, contains 55 million rows and was formatted by threat actor TimeBit. Data exposed includes customer IDs, IP addresses, purchase details, full names, genders, dates of birth, language, physical addresses, email addresses, and partial credit card numbers.

bankofamerica.com

Data purported to be from Bank of America was posted on BreachForums, a hacking forum, on December 2, 2024. According to the post, the leak is from May 31, 2023 and is attributed to the Ransomware group Cl0p and the MOVEit vulnerability. Data exposed includes account information, names, company names, usernames, expiration dates, dates of birth, bank account numbers, financial data, phone numbers, physical addresses, email addresses, vendor information, and IP addresses.



Telegram’s Trust & Safety Paradox: How Telegram’s New Measures Complicate Threat Actor Investigations 

April 15, 2025

Telegram, once the Wild West of chat applications, has undergone significant changes. This shift came after its CEO and founder faced legal troubles with French authorities. (We recently covered this situation in another blog; if you haven’t read it, I highly recommend checking it out.)

In short, Telegram is now implementing new trust and safety measures aimed at making the platform safer for users and curbing cybercrime. These efforts include banning and shutting down cybercrime-related channels, as well as making it harder to find them when they do operate. 

At first glance, this sounds like a huge win, something worth celebrating. We should be cheering, maybe even organizing a parade in honor of these developments. 

However, before we start throwing confetti, there’s a significant problem: these cybercriminal channels are still operating—they’re just harder for investigators to track and monitor. 

Locks only keep honest people honest… or, in this case, anything good on the internet can also be used for bad. 

This isn’t meant to be a criticism of Telegram (though it might sound like one), but rather an expression of investigator frustration. I fully support Telegram’s efforts to prevent illicit activities on its platform. It’s an uphill battle, especially considering how much easier it was for threat actors to operate on Telegram compared to traditional dark web sites. 

Previously, Telegram had key advantages for cybercriminals: 
👍 Ease of access – Unlike dark web forums that require special browsers, Telegram is readily available.
👍 Simple search functionality – No need to memorize or hunt for links; just use the search bar.
👍 A wider customer base – More users meant more potential buyers for illicit services.

For investigators, this also made Telegram a gold mine of intelligence, until now.

The issue isn’t just that threat actors aren’t getting the hint to leave Telegram. It’s that the new safety measures make investigating them exponentially more difficult. 

  • Frequent bans, frequent reappearances – Some channels are getting shut down weekly, if not daily, only to resurface under new names. 
  • Time-consuming investigations – Investigators now have to spend considerable time tracking a single channel and its possible reincarnations. 
  • Obscured search results – Telegram has adjusted its search algorithm, making it harder to locate certain channels, even when using exact keywords. 

Take the following example: 

A cybercriminal channel was banned and then quickly reopened. You’d assume it would be easy to find again, but if you search for a keyword from the screenshot, like “txtlog”, the new version of the channel won’t appear in the results. 

For threat intelligence teams, this is a nightmare. Valuable intelligence is still out there, but now there’s a significant delay before someone manages to find it. This lag time creates a window of opportunity for cybercriminals to regroup and continue their activities unchecked. 

To conclude this rant, I want to acknowledge that Telegram’s efforts are commendable. Their actions prove that they are taking a stronger stance against cybercrime on their platform. 

As someone with experience in social media trust and safety, I understand the immense challenge of moderating a platform at this scale. But the fight isn’t over. The real goal should be deterring threat actors from returning at all, rather than just making it harder to find them. 

Hopefully, with continued improvements, Telegram can reach a point where cybercriminals realize it’s no longer a viable option—and investigators don’t have to spend all their time chasing shadows. 



Darknet Threats Targeting Semiconductor Companies

April 10, 2025

The semiconductor industry powers everything from computing and artificial intelligence to defense systems and the Internet of Things. Given its strategic importance, it has become a prime target for cybercriminals, nation-state actors, and ransomware groups—many of whom operate across the darknet. 

On these hidden networks, adversaries trade stolen intellectual property, zero-day exploits, and even sell access to compromised enterprise environments. This blog explores how these darknet-enabled attacks unfold. 

Semiconductor companies design, manufacture and sell semiconductors, which are essential to modern electronics. Semiconductors are materials, typically silicon, that have electrical conductivity between a conductor and an insulator. They power everything from smartphones and laptops to cars and medical equipment. Due to their importance, these companies are targeted for a range of reasons and in a range of ways.

Due to their use of advanced chip designs and fabrication techniques, which are worth millions, they are often targeted by advanced persistent threat (APT) groups in order to steal intellectual property. Governments seek to control semiconductor advancements for technological and military superiority, leading to targeted cyberespionage campaigns. 

Due to the components that are required, the companies often rely on a complex global supply chain made up of many different companies and providers. This leaves them open to vulnerabilities introduced by third parties, which cyber threat actors can use to reach them. The SolarWinds and Kaseya attacks, where third-party vulnerabilities led to broad compromises, illustrate this risk.

Given the high cost of production downtime, attackers often use ransomware and wiper malware to extort payments or cripple manufacturing facilities. This can be an attempt to cripple critical infrastructure or simply to extort companies worth millions.

Threat actors can use multiple tactics to infiltrate semiconductor companies and their supply chains. Some of their activities take place on the dark web.  

Darknet Markets for Stolen Data & Initial Access 

Darknet forums such as RAMP, Genesis Market (before takedown), and BreachForums can offer compromised credentials, session tokens, and MFA bypass methods for employees in the semiconductor sector. Threat actors will offer these credentials for sale to the highest bidders. Such sellers are often known as initial access brokers (IABs).

Initial access brokers (IABs) often sell pre-compromised RDP, VPN, and Citrix credentials, allowing ransomware groups to gain footholds in corporate networks. 

Ransomware Attacks on Semiconductor Manufacturers 

Semiconductor companies are not immune to ransomware attacks, as few organizations are these days. In fact, they may appear as enticing targets due to the worth of the organizations and the technology that they deal in. As with any other ransomware attack, information relating to the organization is exfiltrated, which can include a range of document types, in this case including sensitive semiconductor designs, and the attackers threaten to leak it unless a ransom is paid. Ransomware groups such as LockBit, BlackCat (ALPHV), and RansomEXX have been observed targeting semiconductor firms.

Zero-Day Exploits and Vulnerability Markets 

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the technology owner and therefore has no patch or fix available at the time it’s discovered. Zero-day vulnerabilities in ICS/SCADA, firmware, and chip toolchains can be sold on the darknet and in private Telegram channels. This is very rare, and these types of vulnerabilities are worth a huge amount of money, especially when targeting critical infrastructure.

However, firmware vulnerabilities in semiconductor manufacturing equipment, particularly ASML lithography systems and ARM-based architectures, are known to have been exploited in targeted attacks.

Supply Chain Infiltration and Hardware-Level Attacks 

Threat researchers have identified instances where adversaries embed malicious firmware in chips before deployment. This has been a major concern for critical infrastructure sectors who could be relying on compromised semiconductor components. Attackers have also been known to compromise EDA (Electronic Design Automation) tools and semiconductor manufacturing software, injecting backdoors into fabricated chips. 

Darknet Recruiting and Credential Stealing 

Darknet forums have been observed offering payment in cryptocurrency for insider access or data leaks within semiconductor firms. Infostealer malware such as RedLine, StealC, and Raccoon is widely used to harvest credentials, which are resold and can be used for supply chain targeting or to target employees of semiconductor companies directly.

Several semiconductor firms have suffered high-profile cyberattacks in recent years, reinforcing the urgency of darknet threat monitoring. 

  • NVIDIA Breach (2022) – Lapsus$ Group 
    • Stolen proprietary GPU designs and employee credentials. 
    • Attackers leaked code-signing certificates, enabling malicious driver development. 
  • TSMC Supply Chain Ransomware Attack (2023) 
    • A third-party supplier was compromised by LockBit ransomware, exposing sensitive business data. 
    • Attackers demanded a $70M ransom. 
  • Intel & AMD Firmware Leaks 
    • Engineering documentation and firmware signing keys leaked on underground forums. 
    • Exploited for BIOS and firmware-level rootkit attacks. 

Semiconductor companies need proactive cybersecurity measures to mitigate darknet-driven threats. These companies and their partners should monitor the darknet to track mentions of company assets, stolen credentials, and exploit chatter. They should also actively monitor initial access brokers, ransomware leak sites, and private forums for early indicators of compromise. DarkOwl data can assist in conducting this monitoring and alerting on identified threats.  

As semiconductor firms continue to drive technological progress, they will remain top-tier targets for darknet cybercriminals and state-sponsored attackers. A multi-layered security approach, incorporating darknet monitoring, access control, supply chain security, and proactive threat hunting, is crucial to mitigate evolving cyber threats. 

By understanding how attackers operate on the darknet, semiconductor companies can stay ahead of threats, safeguard intellectual property, and ensure business continuity in an increasingly hostile cyber landscape. 



Halo Security Partners with DarkOwl to Bring Better Visibility to Cybersecurity Teams

DarkOwl, a leading provider of darknet data and intelligence, and Halo Security, a leading attack surface management platform, today announced a strategic partnership. This collaboration will empower Halo Security’s customers with enhanced visibility into the dark web, providing critical insights into potential threats and vulnerabilities that their customers could face.

Through this partnership, Halo Security will integrate DarkOwl’s dark web monitoring and intelligence capabilities into its platform. By leveraging DarkOwl’s industry-leading darknet intelligence platform, organizations can gain unparalleled visibility into malicious activities occurring on the deep, dark, high-risk webs as well as on darknet adjacent sites. This will enable cybersecurity teams to identify exposed assets, leaked credentials, and other high-risk data circulating in dark web forums, marketplaces, and communication channels — all in one place.

“At Halo Security, we’ve always approached cybersecurity from an attacker’s perspective,” said Lisa Dowling, CEO at TrustedSite. “Our partnership with DarkOwl extends this approach by bringing visibility into areas where attackers congregate, plan, and share information. We’re excited to offer our customers this critical intelligence within a single, actionable platform.”

Mark Turnage, CEO and Co-Founder at DarkOwl, echoed this excitement: “We’re thrilled to partner with Halo Security to provide dark web intelligence directly within their attack surface management platform. The combination of Halo Security’s proactive approach and our deep dark web insights will give cybersecurity teams the edge they need to identify and neutralize threats faster than ever.”

The integration will provide real-time alerts and detailed threat analysis, helping organizations to proactively mitigate risks and strengthen their overall security posture. With this enhanced capability, Halo Security users will have access to valuable insights, such as compromised credentials, insider threats, and emerging attack tactics, all sourced directly from the dark web.

Meet Halo Security and DarkOwl at RSA

Halo Security will be at DarkOwl’s booth at RSA on Wednesday, April 30th, 2025, from 1:30 PM to 3:30 PM at Booth #4604. Visitors can experience a live demo and learn more about how this partnership will enhance their cybersecurity operations.

About Halo Security
Halo Security is a comprehensive attack surface management platform that provides asset discovery, risk assessment, and penetration testing within a single, easy-to-use interface. Founded by cybersecurity experts with experience at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security offers a unique, attacker-based approach to protecting modern organizations. Learn more at halosecurity.com.

About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

The Online Ecosystem of January 6 Supporters 

April 03, 2025

On January 6, 2021, supporters of President Donald Trump stormed the United States Capitol in an effort to prevent the certification of President Joe Biden’s 2020 election victory. In the lead up to Congress’ joint session, President Trump repeatedly made unfounded claims of voter fraud and, in a January 6 speech, encouraged his supporters to march towards the Capitol building and to “fight like hell.” Shortly thereafter, a crowd wielding flags and weapons gathered at the Capitol, quickly outnumbering police and starting a riot. Protesters forced their way into the Capitol building, breaking through doors and windows, and began to search for members of Congress and then-Vice President Mike Pence. As the riot continued, President Trump criticized Vice President Pence for presiding over the certification of the election; rioters were heard chanting “hang Mike Pence.”  

While the violent mob’s efforts to undermine the election certification were ultimately unsuccessful, approximately 140 law enforcement officers were injured in the attack and five people died during and soon after the riot. Following the attack, the Federal Bureau of Investigation launched the “largest criminal investigation in U.S. history” looking into the siege, which it identified as an act of domestic terrorism. As noted by NPR—which tracked all federal criminal cases pertaining to the attack—the FBI estimates that “around 2,000 people took part in criminal acts on Jan. 6.” In total, 1,575 individuals were charged. Among these were individuals with ties to far-right domestic extremist groups, including the Three Percenters, Proud Boys, and Oath Keepers.  

On January 20, 2025, the first day of his second term, President Donald Trump issued “complete and unconditional pardon to all […] individuals convicted of offenses related to events that occurred at or near the United States Capitol on January 6, 2021.” The order specifically named nine members of the Oath Keepers and five members of the Proud Boys—among them, Stewart Rhodes, the founder of the Oath Keepers who was sentenced to 18 years in prison. Since the pardoning, the previously publicly available dataset detailing convictions of January 6 rioters has been removed from the Department of Justice’s (DOJ) website. A complete database detailing all January 6 criminal cases remains available on NPR’s website. 

Since the January 20 pardoning, DarkOwl has observed violent rhetoric and conspiracy theories circulating within January 6-affiliated online groups (including those linked to the Proud Boys and Oath Keepers). This blog will explore the frequency and type of rhetoric observed on the surface, deep, and dark web as it pertains to the pardoning of the January 6 defendants. 

Analysts have observed an extensive online community consisting of individuals indicted and/or sentenced for the January 6 (J6) attack, their family, and J6 apologists. Dozens of Telegram channels are dedicated to sharing J6-related news and updates, including information about releases and the few who remain in prison. The J6 Telegram landscape also consists of channels belonging to J6 defendants who have been released and are now sharing their stories, spreading mis- and disinformation, and corralling support for the few January 6 defendants who have not yet been released. Many of these individuals have also been observed calling for retribution through investigations into, and prosecutions of, the “criminals walking free who did this.” While many J6-related Telegram channels have dozens or hundreds of followers, others have as many as 10,000, reflecting the scale of the community and the extent of its reach.  

Additional activity has also been identified on surface web-level video-sharing social media platforms, particularly Rumble, which remains especially popular among right-wing creators and is often referred to as “right-wing YouTube.” Some channels on Rumble are exclusively dedicated to J6 news; however, prominent content creators—some with nearly 200,000 followers—are also providing J6 defendants with a platform. Multiple J6 defendants—among them, Stewart Rhodes, founder of the Oath Keepers—have been invited to popular Rumble channels as special guests since their pardoning, where they actively shared mis- and disinformation and claim that the FBI “manufactured narratives” regarding the January 6 attack. Henry “Enrique” Tarrio—former head of the Proud Boys—was also interviewed by Sean Spicer on his YouTube channel, where similar misinformation was shared. Both Rhodes and Tarrio had been convicted of seditious conspiracy for their roles in the January 6 attack. 

Similar activity has been observed on other surface web social media platforms, most notably Twitter. In posts observed following the pardoning of the January 6 defendants, pro-J6 Twitter posts frequently received even more views than those on Telegram. The reach of these posts is consistent with the increase in harmful and extremist content seen on the platform since it was acquired by Elon Musk in 2022. Some Telegram channels made by and tailored to J6 defendants were also found to have matching accounts on Twitter.    

Following the Trump Administration’s pardoning of those indicted for the January 6 attack, analysts observed a wide variety of rhetoric, including continued efforts by J6 supporters to release the remaining prisoners, extensive conspiratorial rhetoric, calls for retribution, and—in some cases—calls for violence against the federal employees who investigated the attack on the U.S. Capitol.  

Notably, J6 participants and supporters on the surface, deep, and dark web—from Telegram to Twitter—are coming together to call for the release of the few remaining rioters who are in prison. Emboldened by the administration’s pardons, numerous Telegram channels and Twitter accounts appear to be intensifying efforts to release the remaining J6 defendants. Many channels and accounts make nearly daily posts encouraging supporters to call President Trump, U.S. Attorney General Pam Bondi, and other officials within the Trump Administration to request the release of the J6 “hostages.” Several of these accounts are administrated by recently pardoned J6 defendants who, in addition to calling for the release of all J6 defendants, are also encouraging those who have been pardoned to share “testimonial videos” to “expose the truth.”  

Conspiracy theories are at the heart of many of these discussions being held in J6 communities on the surface, deep, and dark web. The overarching, unfounded conspiracy theory observed across multiple platforms is the belief that the January 6 attack was orchestrated by the U.S. government. J6 supporters have been observed referring to the attack as the “J6 Fed-surrection,” and have shared conspiratorial articles claiming that FBI agents participated in the insurrection. One of the posts sharing this unfounded claim on Twitter gained 170,000 views, reflecting how this type of misinformation is gaining traction and becoming a part of the dominant discourse.    

These conspiracy theories have further fueled J6 campaigns for retribution, as notably observed in a January 30, 2025 Telegram post calling for the creation of a “J6 Taskforce” intended to “document the abuses of power and overreach demonstrated by the justice department, DC jail, DC courts, and Bureau of Prisons.” The post discussed a letter sent to President Trump to request such a taskforce, which would specifically be composed of “J6ers, J6 family members and advocates.” Indeed, DarkOwl has observed a pattern of J6 supporters interested in participating in the administration of “justice” against those who they believe have wronged them. Immediately following their release, both Stewart Rhodes and Enrique Tarrio vowed retribution and called for the prosecution and imprisonment of those who investigated the January 6 attack or testified against them.

The majority of the rhetoric observed by DarkOwl in J6-affiliated Telegram channels since the pardons has not been violent in nature. This is not to say, however, that there has been a total absence of concerning or violent rhetoric. In response to articles about the House Select Committee on the January 6 Attack, DarkOwl saw Telegram users calling for acts of violence against those who participated in the committee. One user suggested “send Luigi [Mangione] to [their] homes,” while another added: “could always just have them ‘commit suicide.’”  

Significantly, there appears to be even more violent rhetoric directed at the J6 Committee on Twitter than on Telegram. In response to a tweet sharing an article about unfounded claims that the FBI participated in the January 6 attack, numerous individuals called for violence against the mentioned FBI officials. Users in the comment section mentioned firing squads and hangings, with one individual making an indirect threat by encouraging “traitors and liars” to “RUN!!” DarkOwl also located instances of similar rhetoric on Rumble, where users insisted on prison or the death penalty for “the entire J6 committee, Schiffs of the World, Fauci’s, Bill Gates, etc.” This language is consistent with the type of rhetoric that has been observed since the results of the 2024 presidential election, with individuals specifically calling for violence against former members of the Biden Administration.  

Ultimately, the network of J6 participants and supporters online—both on the surface and dark web—remains extensive and robust. It is a community characterized by the active propagation of conspiracy theories, misinformation, and disinformation. Perhaps more importantly, however, it is a collective of individuals bound by anger and a desire for retribution, as is evidenced by repeated calls for vengeance, whether through prison sentences or executions.  

Research across these J6-related online spaces—whether on Telegram, Twitter, Rumble, or others—reveals an overarching sentiment: the veneration of those convicted for participating in the violent attack on the U.S. Capitol. The defendants are portrayed as heroes—a misrepresentation that is only further bolstered by the administration’s pardons and President Trump’s description of the rioters as “patriots.” Based on the rhetoric seen across numerous platforms, the J6 community’s goals appear clear: release the remaining prisoners and push for the persecution of members of the J6 Committee. Whether or not—and how—the group is able to achieve the latter, however, remains unclear. 



April Fools’ Special: I Spent 24 Hours on the Dark Web, and Here’s What Happened

April 01, 2025

Happy April Fools’ Day, friends! Instead of the usual prank-filled antics, I decided to take my curiosity to the next level. Last night, armed only with coffee, bravery, and an excessive number of browser tabs open, I ventured deep into the legendary—and mysterious—dark web.

Spoiler Alert: I survived…barely! 

To access the dark web, you need something called the Tor browser, which claims to protect your identity online. I downloaded it, feeling like a hacker from an ’80s cyber-thriller movie. For added protection, I wore sunglasses indoors (obviously) and put my browser window in Incognito mode (because double anonymity cancels out, right?). 

I quickly discovered something unexpected. Rather than finding shady websites selling counterfeit unicorn tears or alien secrets, I stumbled into endless forums discussing whether pineapple belonged on pizza. Seriously? This is the stuff they hide from Google? It turns out the real conspiracy here might be pizza toppings! 

Navigating deeper, I found some genuinely bizarre markets offering everything from invisibility cloaks (sadly, “out of stock”) to jars labeled “authentic air from Area 51.” I placed an order immediately, naturally, paying in cryptocurrency—specifically something called “FoolCoin,” which suspiciously crashed right after my purchase. 

Paranoia began creeping in as I visited a chatroom where users communicated exclusively in cat emojis. I attempted to blend in, carefully selecting 🐱🐱🐾🐾, which was apparently a deeply offensive phrase. I was promptly banned. 

Contrary to my expectations of black market dealings and illicit hacking tips, the deepest corners of the dark web were mainly populated by lonely people sharing their poetry about existential dread and asking for dating advice. 

Also, there was a surprising lack of actual darkness—most sites had a retro neon vibe. (The 1990s want their animated GIFs back.) 

Suddenly, a chat message popped up on my screen: 

“We’ve been expecting you.” 

My heart raced. This was it, my dark web initiation—or my undoing. Before panic set in, another message followed: 

“Just kidding! April Fools’! Want to buy more FoolCoin?” 

I’d been played. And it was glorious.

As my dark web adventure concluded, it struck me that perhaps the greatest mystery isn’t what’s lurking in these hidden corners of the internet. Maybe it’s why we’re so fascinated by them in the first place. 

Or maybe it’s still the pineapple-on-pizza debate. Honestly, it’s probably that. 

Disclaimer: This post was entirely fictional—no actual dark-web diving took place. Or did it? 😉 

Happy April Fools’ Day! 

Jokes aside, the Dark Web poses real security risks. Here’s your actual cybersecurity advice to take away today: 

  • Be wary of unsolicited emails and unfamiliar links. 
  • Use two-factor authentication (2FA) to keep accounts secure. 
  • Regularly update your passwords and avoid reusing them. 
  • Stay informed, stay vigilant, and when in doubt, trust no one, except maybe your trusted cybersecurity friend. 

Happy April Fools’ Day from DarkOwl. Remember, cybersecurity doesn’t have to be scary, even if the Dark Web sometimes is. 

Stay safe, and may your passwords be as mysterious as today’s blog! 

Written by AI. Happy April Fools! 

Threat Intelligence RoundUp: March

April 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. This Data Could Destroy The FBI—Russian Crime Gang Warns Kash Patel – Forbes

In a February 25 post on their dark web leak site, the Russian ransomware gang LockBit claimed to have stolen data from the Federal Bureau of Investigation (FBI). The post directly addresses new FBI Director Kash Patel and claims that the ransomware gang has “an archive of classified information” that would “negatively affect the reputation of the FBI [and] destroy it as a structure.” The message prompts FBI Director Patel to contact LockBit personally in order to gain access to the password-protected file included in the post. Read full article.

2. Police arrests 300 suspects linked to African cybercrime rings – Bleeping Computer

In a March 24 press release, INTERPOL announced the arrest of 306 suspects and the seizure of 1,842 devices as part of the INTERPOL-led operation “Red Card,” which aims to “disrupt and dismantle cross-border criminal networks.” The arrests were carried out in Benin, Côte d’Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia. Operation Red Card, which took place between November 2024 and February 2025, specifically targeted “mobile banking, investment, and messaging app scams,” which involved more than 5,000 victims. Article here.

On March 10, X (formerly known as Twitter) suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the distributed denial-of-service (DDoS) attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages. Read more here.

In a March 18 bulletin, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of numerous cases of targeted cyberattacks against employees within Ukraine’s defense industry and members of the Armed Forces of Ukraine (AFU). According to the report, in March 2025 threat actors were observed using compromised Signal accounts to distribute malware. The phishing messages contained a PDF and an executable file classified as the DarkTortilla cryptor, “which, when launched, decrypts and executes the remote access trojan Dark Crystal RAT (DCRAT).” Read here.

5. Police arrests suspects tied to AI-generated CSAM distribution ring – Bleeping Computer

In a February 28 press release, Europol announced the arrest of 25 suspects who were part of a criminal group “engaged in the distribution of images of minors fully generated by artificial intelligence.” The global operation—dubbed “Operation Cumberland”—was led by Danish law enforcement and involved authorities from 19 countries. In addition to the 25 arrested suspects, the operation also identified 273 suspects, conducted 33 house searches, and seized 173 electronic devices. Learn more.

6. Cyberattack takes down Ukrainian state railway’s online services – Bleeping Computer

On Sunday, March 23, Ukraine’s national railway operator Ukrzaliznytsia was targeted in a “systematic, complex, and multi-level” cyber-attack. The attack disrupted the company’s online services, preventing users from purchasing tickets. Railway operations themselves were not impacted by the intrusion; however, the hit to online systems resulted in long waiting times, delays, and overcrowding. Read full article.

7. Vo1d Botnet’s Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries – The Hacker News

According to researchers at Xlab, nearly 1.6 million Android TV devices have been infected with a new and improved variant of the Vo1d malware botnet. 226 countries have been targeted in the campaign, with Brazil, South Africa, and Indonesia accounting for the largest number of infections (24.97%, 13.6%, and 10.54% respectively). Xlab has been tracking the campaign since November 2024, and has reported that the botnet peaked on January 14, 2025. The new variant currently encompasses 800,000 daily active IP addresses. Read full article.

8. BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse – The Hacker News

Over 1 million devices have been impacted in a fraud operation dubbed “BADBOX 2.0,” an expansion of the previous BADBOX operation discovered in 2023. As noted in the Satori Threat Intelligence report, “BADBOX 2.0 is the largest botnet of infected connected TV (CTV) devices ever uncovered.” Satori researchers assess that it is likely that the same threat actors are behind both operations. Four different threat actor groups have been identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. Learn more.



Vacation Time!!! How to Get the Best Rates! 

March 27, 2025

It’s that time of year—time to start planning your next vacation. The big question is: where do you start searching for the best deals? With so many options and countless advertisements, should you just go straight to the hotel chain’s website? 

What if I told you that the dark web might offer the biggest savings, if you can navigate its hidden marketplaces, chat groups, and cryptocurrency payments? 

Obviously, this is satire, as using such methods could be illegal or violate a company’s terms of service, potentially leading to the loss of your booking or criminal charges. 

The dark web hosts numerous vendors claiming to offer deeply discounted travel bookings, sometimes as much as 80% off standard prices. These listings cover everything from airline tickets and hotel stays to car rentals and vacation packages. 

While these deals may sound tempting, they often come with serious risks. 

How Are These Discounts Possible? 

Dark web travel deals typically result from fraud, hacking, or insider manipulation. Common methods include: 

  • Carded Bookings: Reservations made using stolen credit card details, which are often flagged and canceled before the traveler can use them. 
  • Hacked Travel Accounts: Fraudsters gain access to compromised airline, hotel, or car rental accounts, using stored points or payment methods to book travel. 
  • Insider Access: Some sellers claim to have contacts within travel companies who manipulate reservations for a fee. 
  • Fake or Resold Reservations: Some listings involve legitimate bookings resold at a discount, but travelers risk cancellations if the original buyer disputes the charge. 

While these cheap travel deals may seem like an easy way to save money, most buyers end up losing more than they gain, whether through last-minute cancellations, financial losses, or legal consequences. 

Carding refers to the use of stolen credit card information to make unauthorized purchases. This is one of the primary ways criminals secure cheap travel bookings on the dark web. 

Fraudsters exploit compromised payment details to book flights, hotels, and car rentals at a fraction of the normal price—often reselling these bookings to unsuspecting buyers. 

How Travel Site Carding Works 

At the core of travel site carding is stolen credit card data, which fuels an underground economy of fraudulent bookings. Hackers and cybercriminals obtain this information in various ways: large-scale data breaches, phishing scams, malware attacks, or simply purchasing stolen details on dark web marketplaces. Once obtained, these compromised credit card details are sold in bulk, often for as little as $10 to $50 per card, depending on the card’s available balance and spending limits. 

Armed with stolen card details, fraudsters quickly move to make high-value travel bookings (flights, hotels, car rentals, and vacation packages) before the actual cardholder notices the unauthorized transactions. Since most credit card companies have fraud protection systems in place, criminals often prefer last-minute bookings, reducing the window of time for detection. These fraudulent transactions are usually done through compromised accounts or newly created profiles, making it harder for travel companies to link the bookings to the real perpetrators. 

The travel industry has become a prime target for carding because, unlike traditional e-commerce purchases that require shipping addresses, travel services involve digital confirmations, making them easier to exploit. Criminals take advantage of instant booking confirmations to quickly secure flights or hotel rooms, often completing their travels before the fraud is even detected. 
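The indicators described above (last-minute bookings, newly created or compromised profiles, and stolen card data bought in bulk) are the same signals a travel merchant’s fraud team would screen incoming reservations for. The following Python sketch is an added example written for this page, not DarkOwl’s or any vendor’s code; the booking records are constructed, the thresholds are assumed illustrative values rather than industry standards, and `card_fingerprint` is assumed to be a tokenised card reference, never a raw card number.

```python
"""Rule-based screening of travel bookings for carding indicators.

Added example for this page; the records, thresholds and field names are
constructed for illustration and are not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Booking:
    booking_id: str
    account_id: str
    account_created: datetime
    booked_at: datetime
    travel_start: datetime
    card_fingerprint: str  # assumed: a tokenised card reference, never the raw PAN
    amount: float          # charged amount in the merchant's currency


# Illustrative thresholds (assumptions, not industry standards).
LAST_MINUTE_HOURS = 48      # "last-minute": lead time between booking and travel
NEW_ACCOUNT_HOURS = 24      # profile created shortly before the booking
HIGH_VALUE = 1500.0         # single booking large enough to merit review
MAX_CARDS_PER_ACCOUNT = 2   # more distinct cards than this on one account


def cards_per_account(bookings):
    """Count the distinct payment cards each account has used across all bookings."""
    seen = defaultdict(set)
    for b in bookings:
        seen[b.account_id].add(b.card_fingerprint)
    return {acct: len(cards) for acct, cards in seen.items()}


def score_booking(b, card_counts):
    """Return (score, reasons): one point per carding indicator present."""
    reasons = []
    lead_hours = (b.travel_start - b.booked_at).total_seconds() / 3600
    if lead_hours < LAST_MINUTE_HOURS:
        reasons.append("last-minute booking")
    if b.booked_at - b.account_created < timedelta(hours=NEW_ACCOUNT_HOURS):
        reasons.append("newly created account")
    if b.amount >= HIGH_VALUE:
        reasons.append("high-value booking")
    if card_counts.get(b.account_id, 0) > MAX_CARDS_PER_ACCOUNT:
        reasons.append("many distinct cards on one account")
    return len(reasons), reasons


def screen(bookings, review_threshold=2):
    """Map booking_id -> reasons for every booking that reaches the review threshold."""
    counts = cards_per_account(bookings)
    flagged = {}
    for b in bookings:
        score, reasons = score_booking(b, counts)
        if score >= review_threshold:
            flagged[b.booking_id] = reasons
    return flagged


# Constructed sample: one ordinary traveller booking six weeks ahead, and one
# fresh account cycling through three different cards for departures within two days.
SAMPLE_BOOKINGS = [
    Booking("B-1001", "acct-legit", datetime(2023, 1, 10, 8, 0),
            datetime(2025, 3, 1, 9, 0), datetime(2025, 4, 15, 7, 0), "tok_a1", 620.0),
    Booking("B-1002", "acct-new", datetime(2025, 3, 20, 22, 0),
            datetime(2025, 3, 20, 23, 10), datetime(2025, 3, 21, 5, 30), "tok_b7", 1890.0),
    Booking("B-1003", "acct-new", datetime(2025, 3, 20, 22, 0),
            datetime(2025, 3, 20, 23, 25), datetime(2025, 3, 21, 6, 0), "tok_c3", 410.0),
    Booking("B-1004", "acct-new", datetime(2025, 3, 20, 22, 0),
            datetime(2025, 3, 20, 23, 40), datetime(2025, 3, 22, 10, 0), "tok_d9", 980.0),
]

if __name__ == "__main__":
    for booking_id, reasons in screen(SAMPLE_BOOKINGS).items():
        print(booking_id, "->", ", ".join(reasons))
```

No single rule is conclusive on its own: a genuine traveller can book at the last minute, and a new customer can make a large first purchase. The per-account distinct-card count is what separates a rushed but legitimate booking from an account cycling through purchased card data, which is why the screen only flags a booking once several indicators coincide.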

Refund Scams

So, you booked a trip but still want a discount? What if you could get a full refund, even after enjoying your stay? 

One of the more brazen scams discussed on dark web forums involves fraudulent refund claims. Scammers manipulate hotel policies to get their money back, sometimes using extreme methods, including one case where a scammer suggested urinating on the hotel bed to fabricate evidence. 

For some, getting a hotel refund isn’t about dissatisfaction, it’s about manipulation. Scammers exploit refund policies using deceptive tactics, sometimes going to extreme lengths to fabricate complaints. 

One common method involves faking unsanitary conditions. A scammer might scatter staged evidence like soiled bedding, stains, or even dead insects they brought along. With shocking photos in hand, they demand a refund for an “unacceptable” room. 

Others take a more destructive approach, intentionally damaging amenities like TVs or air conditioning units and then claiming the room was already in poor condition. Acting frustrated, they pressure hotels into offering refunds or discounts. 

Some fraudsters rely on fake medical complaints, claiming allergic reactions to mold or illness from “toxic” cleaning chemicals. By threatening negative reviews or legal action, they push hotel staff into issuing refunds. 

While these scams don’t always work, some travelers see them as an easy way to score a free stay. Unfortunately, this leads to stricter refund policies and higher prices for honest guests. 

Posts on these forums argue that, while booking sites don’t always favor the consumer, having “evidence” and being persistent increases the chances of getting money back. This shows the extreme lengths some scammers go to in order to save money on their travels—even resorting to urinating on a bed for photographic proof. 

While the promise of cheap travel is tempting, there are major downsides: 

  • Cancellations & Denied Check-ins: If fraud is detected, hotels and airlines cancel bookings without notice. 
  • Legal Consequences: Purchasing knowingly fraudulent services can lead to criminal charges. 
  • Loss of Money: Many dark web vendors scam buyers, taking payments without delivering valid reservations. 
  • Exposure to Cybercrime: Engaging with dark web marketplaces increases the risk of malware, scams, and data theft. 

While cheap travel deals on the dark web may sound like a way to save money, they come with significant risks. In most cases, travelers end up losing more than they gain, whether through canceled trips, lost money, or even legal trouble. 

Instead of turning to illegal or high-risk methods, savvy travelers should look for legitimate discounts, reward programs, and last-minute booking strategies. 

This also highlights the importance of the hospitality industry monitoring dark web intelligence. These scams ultimately lead to increased prices for honest travelers. 

Remember: If it seems too good to be true, it probably is. 



Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.