Author: DarkOwl Content Team

8com GmbH & Co. KG Relies on DarkOwl’s Darknet Database for the Active Search for Data Leaks

By using the Vision UI and Search API from DarkOwl, a leading global provider for the collection and analysis of darknet data, 8com’s Security Operations Center can now also search specifically for compromised data in order to identify data leaks at an early stage and initiate security measures.

8com is now using DarkOwl’s Vision UI and Search API. DarkOwl is the industry’s leading provider of darknet data and specializes in the collection, analysis and provision of data from the darknet, offering the world’s largest commercially available database of darknet content, including over 746 million TOR records and more than 14 billion email addresses. Using machine learning and human analysts, DarkOwl automatically, continuously and anonymously collects and indexes data from the dark web, deep web and other high-risk networks. The platform collects and stores data in near real-time so that darknet sites that frequently change their location and availability can be securely queried without having to access the darknet directly.

“Leaked data is crucial in the fight against cybercriminals today. This information helps us to identify and protect potential future targets at an early stage. DarkOwl’s database is unrivaled in terms of both size and timeliness,” explains Götz Schartner, CEO of 8com. DarkOwl CEO and Co-founder Mark Turnage adds, “We are proud to support 8com in their mission to proactively defend against cyber threats. Our partnership demonstrates how actionable darknet intelligence can be used to safeguard organizations and mitigate risk in an increasingly complex digital landscape.”

The 8com SOC uses the Search API to automatically search the database for its customers’ data in order to find out whether, for example, email addresses or other information such as passwords have already appeared in a leak. If there are any hits, the SOC analysts use the Vision UI to examine the results more closely and inform customers of their findings. If the specific case involves an actual attack for which more detailed information about the grouping is known, the data from the Vision UI is used to search for further threat indicators.
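The workflow above (query a leak index for customer identities, then triage the hits for analyst follow-up) can be illustrated with a small local reconciliation step. The code below is an added example and is not DarkOwl’s Search API client or 8com’s tooling; the leak records, customer domain and watchlist are constructed sample data, and the only assumption is that the SOC already holds the search results as CSV rows with a source, an email address and an optional exposed credential.

```python
"""Added example: reconcile a SOC watchlist against leaked-credential records.
Not DarkOwl's or 8com's code; the records below are constructed, not real."""
import csv
import io
from dataclasses import dataclass

# Constructed sample of search results (source, email, exposed credential).
# The credential column may be a cleartext password, a hash, or empty.
SAMPLE_LEAK_CSV = """source,email,credential
paste_2025_03,Alice.Smith@Example.com,Summer2024!
combolist_v7,bob@example.com,5f4dcc3b5aa765d61d8327deb882cf99
combolist_v7,carol@other.org,hunter2
forum_dump_01,dave@EXAMPLE.COM,
"""


def normalize_email(addr):
    """Lower-case and trim so that case/whitespace variants match the watchlist."""
    return addr.strip().lower()


@dataclass(frozen=True)
class Hit:
    email: str
    source: str
    has_credential: bool  # True when a password or hash was exposed with the address


def load_leak_index(csv_text):
    """Build {normalized_email: [(source, credential_present), ...]} from CSV rows."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = normalize_email(row["email"])
        has_cred = bool(row["credential"].strip())
        index.setdefault(email, []).append((row["source"], has_cred))
    return index


def find_exposures(index, watch_emails=(), watch_domains=()):
    """Return a Hit for every record matching a watchlisted address or monitored domain."""
    emails = {normalize_email(e) for e in watch_emails}
    domains = {d.strip().lower().lstrip("@") for d in watch_domains}
    hits = []
    for email, entries in index.items():
        domain = email.rsplit("@", 1)[-1]
        if email in emails or domain in domains:
            hits.extend(Hit(email, source, has_cred) for source, has_cred in entries)
    return sorted(hits, key=lambda h: (h.email, h.source))


def triage(hits):
    """Split hits: addresses with an exposed credential need a forced reset,
    addresses that only appeared in a leak get a notification."""
    force_reset = sorted({h.email for h in hits if h.has_credential})
    notify_only = sorted({h.email for h in hits if not h.has_credential} - set(force_reset))
    return {"force_reset": force_reset, "notify_only": notify_only}


if __name__ == "__main__":
    leak_index = load_leak_index(SAMPLE_LEAK_CSV)
    # Monitor a whole customer domain plus one individual address elsewhere.
    found = find_exposures(leak_index, watch_emails=["Carol@Other.org"], watch_domains=["example.com"])
    for h in found:
        print(f"{h.email:28} {h.source:16} credential_exposed={h.has_credential}")
    print(triage(found))
```

Matching on the customer’s whole domain rather than only on a list of known addresses catches accounts the SOC did not know to watch, and the triage split keeps the analyst step described above focused on the hits that carry an exposed credential.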

About 8com GmbH & Co. KG
8com’s Security Operations Center effectively protects its customers’ digital infrastructures against cyber attacks. To this end, 8com combines numerous managed security services such as Security Information and Event Management (SIEM), eXtended Detection and Response (XDR), Endpoint Detection and Response (EDR) with Incident Response and Vulnerability Management under one roof.

8com is one of the leading SOC providers in Europe. For 20 years, 8com’s goal has been to provide customers with the best possible protection against cyber attacks and to work together to achieve an economically viable yet high level of information security. Thanks to the unique combination of technical know-how and direct insights into the working methods of cyber criminals, the cyber security experts can draw on sound experience in their work.

About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

BreachForums Disruption Sparks Copycat Domains and Darknet Chaos

May 15, 2025

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors.

The most recent clearnet domain, breachforums[.]st, began returning a 403 error on or around April 15–16. Telegram channels affiliated with the forum and its associated onion service also went offline during this period. A message allegedly authored by “Anastasia,” one of the key administrators, hinted at FBI involvement—though this remains unverified. Speculation flourished across the darknet community, with theories ranging from insider betrayal to technical collapse due to outdated software and poor operational security (OPSEC).

Figure 1: BreachForums.st PGP signed message by its admins

Adding to the uncertainty, BreachForums’ backend was reportedly spotted for sale for $2,000, suggesting a deeper compromise. Notably, the site never displayed an official law enforcement seizure banner, which is typically required in such takedowns.

Figure 2: Breached.fi site view on April 20, 2025

In the aftermath, a proliferation of clone and impersonation domains emerged—breached[.]fi, breachforums[.]uk, and others. Some, such as the .fi variant, were initially perceived as legitimate but were quickly discredited.

The threat actor Rey, reportedly connected to the Hellcat Ransomware group, exposed breached[.]fi as fraudulent. Around the same time, the Telegram-based hacktivist group Dark Storm claimed responsibility for a DDoS attack on the same domain. Other impersonators, including breachforums[.]af, .is, .im, and .lol, featured fake FBI seizure notices or links redirecting to law enforcement sites and suspicious database vendors.

Figure 3: Rey’s X Post Commenting on BF Chaos
Figure 4: Breachforums.im screenshot showing paid registration announcement

Some variants also demanded payment from users to access content, allegedly to prevent law enforcement infiltration.

On April 28, the original .st domain resurfaced with another PGP-signed message, confirming the MyBB zero-day exploit, denying arrests or data loss, and announcing a full backend rewrite. The message warned users that many of the copycat sites could be honeypots or phishing lures.

Despite this message, rumors about the admins’ fate and the legitimacy of emerging replacement sites persisted. Several splinter groups and reboot attempts have since appeared.

Faction Backed by 888, Technically Led by 302:

Following the April shutdown, a new initiative emerged reportedly backed by the BreachForums user 888, with technical support from another user, 302. Infrastructure linked to this faction surfaced in leaks pointing to IP 176.65.137.250:19191. While specific goals remain unclear, their involvement signals growing fragmentation. Notably, 888 had previously claimed credit for the BMW Hong Kong data leak in July 2024.

HassanBroker’s Initiative (Funded by Rey)

Another reboot attempt came from HassanBroker, who registered multiple lookalike domains, including breach-forums[.]com, .net, .org, and breached[.]ws. Claiming ties to IntelBroker, Hassan framed the project as a tribute to the original forum. It allegedly received a $500 USD donation from Rey, but doubts persist due to questions around the maturity of the moderation team and operational competence.

“Momondo” Reboot Claim

A user under the alias “Momondo” declared intentions to resurrect BreachForums, citing ties to its original founder Conor Brian Fitzpatrick (aka Pompompurin). While distancing himself from figures like Anastasia and ShinyHunters, Momondo emphasized community trust and OPSEC. However, investigations raised concerns that “Momondo” may be an impostor, potentially representing a honeypot or scam.

BreachForums’ history is closely tied to law enforcement actions. Prior admins like “Omnipotent” and “Pompompurin” were arrested between 2022–2023, with roots tracing back to its predecessor RaidForums, launched in 2015. As of this writing, no official law enforcement action or confirmed arrests have been reported in connection with the April 2025 outage, despite the emergence of fake seizure pages on copycat domains.

These developments underscore the increasing volatility and decentralization of cybercriminal ecosystems under sustained law enforcement scrutiny. The BreachForums community now finds itself fragmented—caught between operational failures, mistrust, and intensifying pressure from global authorities.

Figure 7: BreachForums Timeline

Recent events highlight the instability of darknet forums, even those with established reputations like BreachForums. Despite law enforcement pressure and internal conflict, such platforms often re-emerge in new forms. What shape the next version of BreachForums will take—and who will lead it—remains uncertain. DarkOwl will continue to monitor this evolving situation closely.



What is Doxing?

May 13, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, and zero-day exploits. In this edition, we dive into doxing.

This blog aims to provide a comprehensive overview of doxing, its implications, and strategies to safeguard against it.

Doxing, derived from the phrase “dropping documents,” is the act of publicly providing PII and other data about an individual or organization without their consent. The practice began in the late 1990s and in recent years has predominantly been carried out using the internet. The act of doxing an individual is not in and of itself illegal; whether it is depends on how the shared information was obtained. Most of the data shared is likely obtained from data brokers and social media sites, although some is obtained through illegal means. Regardless of how the data is obtained, the purpose and outcomes are usually nefarious: online shaming, extortion, targeting, stalking, and hacktivism operations.

Anyone can be a target of doxing. Celebrities, politicians, employees of prominent organizations, and law enforcement agencies and officers are frequent targets. For instance, during the 2019–2020 Hong Kong protests, both pro-democracy activists and police officers were doxed, leading to harassment and threats against them and their families. Another notable example is the doxing of a New York Times reporter who revealed the identity of the person behind the “Libs of TikTok” Twitter account, leading to significant backlash. Business leaders and employees, especially those associated with contentious industries or decisions, can be targets. A website named “Dogequest” reportedly published personal details of Tesla owners across the U.S., aiming to shame and intimidate them due to Elon Musk’s political affiliations. Unfortunately, ordinary citizens can become victims, especially in cases of personal disputes, online arguments, or as collateral damage in broader conflicts.

Doxers use a multitude of sources and resources to dox. The graphic below is a great outline and resource from Homeland Security.

Although this information is posted online, it can have very real consequences for the individuals whose information is posted. One impact of doxing is identity theft and financial crime: because a dox typically bundles together everything known about an individual, criminals can use that data to commit financial fraud in the victim’s name. This can be difficult to identify and recover from, with funds often taken before an individual even knows their data has been shared.

The posts can also cause reputational damage, sharing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which may affect an individual’s employment status.

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media. 

These threats can have a lasting emotional impact on individuals.   

Site Spotlight: Doxbin

In our marketplace, site and actor spotlight series, we highlighted Doxbin. You can check out the full write up on it here, which offers an in-depth examination of the controversial paste site known for facilitating the publication of personal information.

To summarize, Doxbin is a paste site that allows users to post personally identifiable information (PII) about individuals, often without their consent. Originally operating as a Tor-based .onion site, Doxbin has since transitioned to the clearnet and maintains an official Telegram channel, broadening its accessibility while retaining its association with underground communities.

Doxbin facilitates doxing by allowing users to upload text-based content related to individuals. The site claims to restrict content that is spam, child sexual abuse material (CSAM), or violates the hosting country’s jurisdictional laws. However, in practice, there is minimal moderation, and information is often shared with the intent to target individuals.

The exposure of PII on Doxbin can lead to severe consequences for victims, including harassment, identity theft, and threats to personal safety. Victims may also be subjected to harassment through prank calls, spam emails, and cyberbullying on social media.

While it’s impossible to eliminate all risks, certain measures can reduce the likelihood of being doxed:

  • Limit Personal Information Online: Be cautious about the details you share on social media and other platforms.
  • Enhance Privacy Settings: Adjust settings on social media accounts to restrict who can view your information.
  • Use Strong, Unique Passwords: Implement robust passwords and consider using a password manager.
  • Enable Two-Factor Authentication: Add an extra layer of security to your accounts.
  • Monitor Your Digital Footprint: Regularly search for your name online to identify and address potential exposures.
  • Be Wary of Phishing Attempts: Avoid clicking on suspicious links or providing information to unverified sources.

Doxing represents a significant threat in the digital era, emphasizing the importance of proactive measures to protect personal information. By understanding the tactics used by doxers and implementing robust security practices, individuals can better safeguard their privacy and well-being. As always, if you are a victim of online crime, file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.



4chan: History, Communities, Controversies, and Future Outlook

May 07, 2025

In mid-April 2025 the infamous messaging board 4chan was taken down: the site returned an error, allegedly as a result of a cyber-attack by a rival messaging board group. The site was down for just over a week before it reappeared, albeit with more security than it had previously had.

Throughout its tenure, 4chan has been a petri dish for internet culture, heavily influencing the humor and vocabulary of social media and meme pages worldwide. However, the anonymity on which the site operates, while it fosters creativity, also enables its dark side: huge volumes of extremist content and the use of language, slurs and off-color jokes that historically would be banned from traditional social media sites. Nonetheless the site is important in understanding how some individuals operate on the internet and how it has influenced real world events.

In this blog we will review the history of 4chan, what it is used for and by whom, and review the recent activity which led to the brief downtime.

Figure 1 – 4chan logo taken from the site 

4chan was founded on October 1, 2003, by a 15-year-old New Yorker named Christopher “moot” Poole. Poole created 4chan as an English-language counterpart to the Japanese imageboard Futaba Channel (2chan), initially focusing on anime and manga discussion. Using translated open-source code from 2chan, “moot” built 4chan as an anonymous forum where users could post images and messages without registering accounts or providing any form of username. The site contains multiple boards which host discussions on a variety of topics. This anonymity and ephemeral design (threads are deleted after becoming inactive) set 4chan apart from other forums and quickly fostered a freewheeling, chaotic community. The site has gone through many changes both in management and in use since its inception.  

The site was originally launched as 4chan.net with a single board (“/b/” for random anime discussion). By year’s end, multiple boards for hentai, “cute” anime, wallpapers, yaoi, etc. were added. However, the site had issues almost from the beginning. In February 2004 the original domain was suspended, forcing a move to 4chan.org, and in March “moot” threatened to shut down the site due to server costs before user donations kept it alive. PayPal froze 4chan’s donations account in mid-2004 over content complaints, causing six weeks of downtime.

As the site rose in popularity, 4chan’s “/b/ – Random” board became infamous for its anything-goes culture. By 2008, /b/ was receiving up to 150–200k posts per day and had cultivated a reputation for adolescent irreverence and “notorious” pranks. Media outlets described /b/ as the “asshole of the Internet,” akin to a high-school bathroom wall of graffiti. In 2008, The Guardian summed up 4chan’s community as “lunatic, juvenile […] brilliant, ridiculous and alarming”, reflecting the site’s mix of absurd humor and offensive content. 

However, users on the 4chan site were not just posting and sharing memes between themselves. 4chan users pioneered collective online pranks and what they referred to as “raids.” Some of the users famously harassed white nationalist radio host Hal Turner with prank calls and DDoS attacks in 2006–07 (leading Turner to attempt an unsuccessful lawsuit). In early 2008, 4chan users helped spawn the hacktivist group Anonymous and launched “Project Chanology,” a protest against the Church of Scientology that moved from online pranks to real-life street demonstrations. This period was a “golden age” of trolling that saw users coordinating high-profile stunts, elevating 4chan’s notoriety and influence. 

By the 2010s, 4chan had expanded well beyond its anime roots. New boards were added for topics like weapons (/k/), video games (/v/), sports (/sp/), and literature (/lit/), reflecting a broader user base. In 2011, “moot” made a significant moderation decision: he deleted the “/new/” (news) board because it had become overrun with racist content, and also temporarily removed “/r9k/” due to issues with its purpose. Later that year, 4chan introduced “/pol/” (“Politically Incorrect”) as a replacement board for political discussion – a decision that would prove fateful as /pol/ soon became a hotspot for extremist and controversial content (more on that later). 

In August 2014, anonymous hackers leaked a trove of private celebrity nude photos in the infamous “Fappening” scandal, and 4chan was one of the first sites where the images were widely posted. The incident forced 4chan to implement a DMCA policy and start cracking down on stolen explicit material, a notable shift for a site long permissive about content. However, the site continued to host images of this kind, with a second scandal, known as the Fappening 2.0, taking place in 2017.

Around the same time (2014), 4chan was deeply involved in the Gamergate saga – an online harassment campaign targeting women in the gaming industry. Discussions about “Gamergate” originated on 4chan (notably on the /r9k/ board) and led to coordinated harassment of game developers and journalists. Moot eventually banned Gamergate threads for violating 4chan’s rules, prompting many aggrieved users to migrate to alternative imageboards, such as 8chan, which at times have been considered to contain more extreme material. These 2014 events were watershed moments, bringing 4chan intense media scrutiny for facilitating harassment and hosting illicit content. 

On January 21, 2015, Christopher Poole “moot” stepped down as 4chan’s administrator, citing stress and the strain of managing frequent controversies like Gamergate. In September 2015, Poole announced he had sold 4chan to Hiroyuki Nishimura, the Japanese entrepreneur who founded 2channel, the very site that inspired 4chan.  

As 4chan matured, it increasingly became associated with the rise of the alt-right and online extremist movements. The anonymous poster known as “Q” – who sparked the QAnon conspiracy theory – first appeared on 4chan’s /pol/ board in late 2017. 

Figure 4: Pepe the Frog

Memes and slogans long used on 4chan seeped into mainstream politics; during the 2016 U.S. election, /pol/ users aggressively supported Donald Trump and spread memes like Pepe the Frog as political symbols, a meme which is now designated as a hate symbol. By this time, outsiders often conflated 4chan with its most toxic board (/pol/), even though the site still hosted diverse communities.

In 2019, after a string of mass violence incidents were linked to manifestos on a 4chan spin-off (8chan), authorities and internet companies increased scrutiny on anonymous forums. Some ISPs in Australia and New Zealand even temporarily blocked access to 4chan in March 2019 following the Christchurch massacre, in attempts to stop the spread of the shooter’s video. 

Despite numerous controversies and predictions of its demise, 4chan remains online and influential. According to the site itself, it “serves approximately 680,000,000 page impressions to over 22,000,000 unique visitors per month (~11 MM in the US)”. It continues to be a global hub for internet subculture, though its reputation is forever tied to the edgier side of the web, which is perhaps what led to its recent troubles.

Data on 4chan’s user demographics is scarce due to the anonymous nature of the site. However, it’s generally accepted that the user base skews young and male, with a strong representation of teenagers, students, and twenty-somethings who are internet-savvy.

Figure 5: Stats shown on 4chan.org 

One of 4chan’s defining features is that users post anonymously – there are no usernames or profiles (aside from optional tags like “ID” on certain boards). This anonymity, combined with a lack of permanent archives on many boards, has cultivated a unique culture. Users often share gory or pornographic images, engage in extreme trolling, or discuss sensitive topics like self-harm, all under the banner of anonymity. 

Figure 6 – Example of Anonymous posts on 4chan 

Users often refer to each other simply as “anon,” and any hierarchy or fame a user gains is ephemeral. In this environment, community identity forms around boards and shared memes rather than individual people. Over the years, distinct subcommunities have thrived on 4chan, each with its own norms and in-jokes. The fact that all users are anonymous also makes it very difficult for investigators to assess the credibility of threats made on 4chan, which are unfortunately very common.

Major Boards and Subcommunities 

Figure 7: List of boards currently active on 4chan 

4chan is divided into dozens of topic-specific boards, each indicated by a short tag (like /x/ or /g/). As the Wikipedia description aptly summarizes, the site “hosts boards dedicated to a wide variety of topics, from video games and television to literature, cooking, weapons, music, history, technology, anime, fitness, politics, and sports, among others.”

While a lot of these topics are innocuous, such as discussions of TV, movies and gaming, the anonymous nature of the site means that even these topics can generate extremist and violent conversations. However, there are several boards hosted on 4chan where the content is almost exclusively extremist in nature.

The original board and longtime center of 4chan, /b/ has minimal rules and is known for its extreme anything-goes culture. Posts on /b/ can range from juvenile humor and absurd memes to grotesque shock images and offensive tirades. /b/ was where many famous pranks and memes originated. The LOLcats phenomenon (cutesy cat photos with captions) and the practice of “Rickrolling” (tricking someone into watching Rick Astley’s music video) are often credited as starting on 4chan. This is one of the lighter sides of the site.

Arguably the most controversial board on 4chan, /pol/ was created in October 2011 as a space for political discussion without strict moderation. It quickly became a magnet for extremists and fringe ideologies. Here, users share memes and news from a far right or conspiratorial perspective, often pushing and surpassing the limits of hate speech. Notably, many alt-right and white nationalist memes were popularized on /pol/. The board’s influence on real-world politics is significant. /pol/ was an early organizing hub for support of Donald Trump in 2016, and Trump’s campaign team appeared to acknowledge the board by tweeting memes that originated there. /pol/’s “culture” of aggressive, trolling debate has spread to other platforms and is emulated by some other extremist sites.  

This board was originally an experiment requiring posts to be unique to reduce copypasta, but it evolved into a different space. By the 2010s, /r9k/ became associated with lonely or disaffected young men with many posts about depression, social rejection, or nihilistic humor. It is here that the concept of the “incel” (involuntarily celibate) took root, along with memes about “beta” males.  

4chan’s lax moderation has led to numerous instances of illegal and extremist content being posted, in some cases forcing law enforcement involvement. Users are known to often post violent content. In 2014, a 4chan user uploaded photos of a murdered woman’s body to /b/, claiming responsibility. The victim was later identified, and the post was linked to a real murder. Police were able to track and arrest the poster in that case, illustrating that anonymity can be pierced in some cases when law enforcement powers are brought to bear.

There have also been numerous bomb or mass violence threats posted on 4chan as “jokes” or hoaxes – several leading to evacuations and arrests. A recent case in 2023 saw a New Jersey man arrested for using 4chan to threaten a Florida sheriff, and other users in different states were arrested for copycat death threats. 4chan can therefore be seen as one of the first sites used to encourage the practice of Swatting.  

Hate speech and extremist propaganda are endemic to 4chan. The site has been accused in investigative reports of “incubating hate speech that may have fueled mass shootings”, since perpetrators of attacks in places like Christchurch, El Paso, and Buffalo frequented 4chan or its spinoffs and sometimes announced their intentions there. This resulted in a legal scare for 4chan when the New York State Attorney General investigated 4chan after the May 2022 Buffalo mass shooting – the shooter was radicalized on 4chan. The NY AG explored whether 4chan could be held liable for “providing a platform to plan and promote violence”, though ultimately they didn’t file charges.

4chan has been at the heart of numerous violent and extremist acts. Controversies have made 4chan a frequent target for those who argue the internet should be more regulated. Yet, despite every scandal – from child porn crackdowns to global news-making hacktivism – 4chan persists. That resilience was tested yet again very recently, when the site faced one of its most serious disruptions to date: a major hack that took it offline.

Figure 8: AI-generated illustration of an anonymous hacker. In April 2025, 4chan suffered a major breach that exposed internal data and knocked the site offline.

In mid-April 2025, 4chan experienced an outage, a rare event for a site that, despite its issues, usually stays online. On April 14, 2025, users suddenly found 4chan unreachable or only partially loading. It soon emerged that 4chan had been hacked and taken down. The site was offline for days, prompting widespread speculation and the Twitter hashtag “#4chanHack” as people wondered what had happened.

Figure 9: Soyjak.Party logo taken from website

A group of users on a rival imageboard called Soyjak.party (nicknamed “the Party”) began claiming responsibility for the attack. Soyjak.party is a community that splintered from 4chan, often antagonistic toward it. According to posts by someone with the handle “Chud” on that site, an unnamed hacker had gained access to 4chan’s systems over a year prior and waited. On April 14, this hacker finally “executed Operation Soyclipse,” as Chud described it, which involved taking control of 4chan’s backend. 

The hackers defaced 4chan by temporarily restoring a long-defunct board (/qa/) with the message “U GOT HACKED XD” emblazoned on it. They also claimed to have exfiltrated a trove of data, including 4chan’s source code and user information. Screenshots were leaked on Soyjak.party and other forums showing what appeared to be 4chan’s administrator control panels and maintenance tools.  

One screenshot showed internal discussions on a private staff board (/j/) and a moderator interface that could view users’ IP addresses and locations. Another leak contained a list of email addresses of 4chan’s moderators, administrators, and janitors (janitors are basically volunteer moderators). The attackers doxed 4chan’s own staff, ironic for a site that prizes anonymity. Posts on Soyjak.party even began to share personal info and photos purportedly of some 4chan mods after this leak. 

Figure 11: “Proof” of 4chan hack on Soyjak.party 

Facing this breach, 4chan’s administrators took all servers offline to “control the damage,” according to the attackers’ account. For a period on April 15, the site either wouldn’t load at all or showed only a basic text version with errors, indicating the staff was struggling to restore things. One major theory, supported by a screenshot of a Bluesky social media post, was that 4chan’s software was woefully out of date – running an unpatched PHP version from 2016 – making it vulnerable. If true, the hack was a result of 4chan’s technical debt and lack of updates, a catastrophe the site had until now been lucky to avoid. A Wired article noted that rumors of legacy, unpatched software causing the breach were circulating widely.

Over the next couple of days, more information came out via cybersecurity reporters. BleepingComputer reported that the hacker had indeed leaked parts of 4chan’s PHP source code on another forum – Kiwi Farms. The Daily Dot obtained samples of the stolen data, confirming it included an index of 4chan’s staff (one admin and ~218 moderators/janitors), hundreds of pages of archived posts (possibly from private boards), and even a list of users who had purchased 4chan Pass subscriptions (which involves an email address). In short, this was a comprehensive breach – touching administrative info, user data, and site code. DarkOwl also obtained a copy of the leaked documents.  

During the outage, 4chan’s administrators maintained near-complete silence. Attempts by journalists to get a statement were futile – Reuters reported that messages to 4chan’s press email went unanswered. Amusingly (in true 4chan fashion), one of the compromised moderator emails did reply to a Reuters inquiry by sending a link to an unrelated 4-minute shock video, essentially trolling the reporter.

By April 16 and 17, 2025, 4chan’s service was still unstable. Some users could load the site; others encountered Cloudflare errors. Gradually the site did come back online, though many wondered what long-term impact the hack would have. The incident led many to speculate about the future of 4chan: would it bounce back as it always has, or was this the beginning of the end? The site did come back online and appeared to have beefed up its security. Users picked up where they had left off with no apparent reduction in activity in response to the attack and the leaked data, although there were some suggestions that janitors left after having their personal information leaked.

Despite this, the future of 4chan remains uncertain. The site stands at a delicate point: it must adapt to survive, yet it must retain its essence to remain 4chan. If it manages to tighten security, maintain financial stability, and navigate legal waters while continuing to let its community be largely self-regulating and anarchic, it may well continue to be a fixture of the internet for years to come. Even if 4chan were to fall, its influence would live on – in the memes we share, the slang we use, and the dispersed communities that would carry forward its spirit. As of now, 4chan endures, and its story is a testament to the chaotic, untamable force of online anonymity that it pioneered back in 2003.


Don’t miss anything from DarkOwl. Subscribe to email.

Threat Intelligence RoundUp: April

May 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police shuts down KidFlix child sexual exploitation platform – Bleeping Computer

In an April 2 press release, Europol announced that Kidflix—”one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web”—was shut down in an international operation dubbed “Operation Stream.” The investigation was led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB), and was supported by Europol. The platform was taken down on March 11 by German and Dutch authorities.

2. Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine – The Hacker News

In a March 28 report, researchers at Cisco Talos revealed an ongoing phishing campaign believed to be carried out by the Russian hacking group Gamaredon against entities in Ukraine. The campaign uses malicious LNK files compressed inside ZIP archives and disguised as Microsoft Office documents featuring Russian words “related to the movement of troops in Ukraine.” As noted in the report, “The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor.”

Researchers have observed a cryptocurrency and bulk email phishing campaign dubbed “PoisonSeed” that is compromising corporate email marketing accounts. As noted by BleepingComputer, the campaign utilizes the compromised accounts to “distribute emails containing crypto seed phrases used to drain cryptocurrency wallets.” A report from Silent Push reveals that targeted crypto companies have included Coinbase and Ledger, while the targeted bulk email providers include Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.

On April 15, the notorious imageboard 4chan was taken offline after suffering what is believed to be a hack carried out by a competing imageboard. As noted by BleepingComputer, users on the lesser-known imageboard Soyjak.party have since claimed responsibility for the attack and leaked screenshots of “admin panels and a list of emails allegedly belonging to 4chan admins, moderators, and janitors.” Significantly, the administration panels and maintenance tools the hacker claims to have access to would allow them to gain access to users’ locations and IP addresses.

5. APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures – The Hacker News

Researchers at Check Point have identified an advanced phishing campaign targeting diplomatic entities across Europe. According to Check Point’s April 15 report, the campaign is being carried out by the Russian state-sponsored threat actor APT29, also known as Midnight Blizzard and Cozy Bear. The newly identified campaign utilizes a new variant of WINELOADER and a new malware loader codenamed GRAPELOADER. The campaign functions by impersonating “a major European foreign affairs ministry to distribute fake invitations to diplomatic events—most commonly, wine tasting events.”

6. FBI: Scammers pose as FBI IC3 employees to ‘help’ recover lost funds – Bleeping Computer

On April 18, 2025, the Federal Bureau of Investigation (FBI) released a public service announcement warning of an ongoing fraud scheme in which scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees. According to the announcement, the FBI has received more than 100 reports of such impersonation scams between December 2023 and February 2025. The scammers have been observed impersonating IC3 employees while offering to assist victims of fraud.

7. Six arrested for AI-powered investment scams that stole $20 million – BleepingComputer

In an April 7 press release, Spain’s Policía Nacional announced the arrest of six individuals affiliated with a criminal organization behind a large-scale cryptocurrency investment scam that defrauded 19 million Euros from 208 victims worldwide. The joint Policía Nacional and Guardia Civil operation—dubbed “COINBLACK — WENDMINE”—began just over two years ago following the report of a victim in Granada being defrauded of €624,000. In addition to the six arrests, the operation also resulted in the seizure of “100,000 Euros, mobile phones, computers, hard drives, firearms, and documents.”

8. Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool – The Hacker News

The Sysdig Threat Research Team (TRT) has identified a new campaign carried out by the Chinese state-sponsored threat actor UNC5174 (also known as Uteus). In late January 2025, researchers observed the threat actor using VShell, a new open-source tool and command and control (C2) infrastructure, to infect Linux systems. The newly observed campaign also utilizes a variant of SNOWLIGHT malware. According to the report, the campaign has been active since at least November 2024.



Shining a Light on the Good side of the Darknet: A Hidden Resource for Positive Change 

April 24, 2025

We often associate the darknet with a negative stigma, primarily due to its frequent portrayal in the media for illicit activities and cybercrimes. However, much like the surface web, the darknet is a wide-open space that hosts a variety of resources – some of these resources are incredibly positive and life-changing. In this blog, our hope is to shine a light on the beneficial aspects of the darknet and explore the sites and services that make a positive impact on society. 

In an age where privacy is increasingly under threat, the darknet offers individuals a crucial safeguard for anonymity and freedom to express their thoughts without censorship. For people living under oppressive regimes where free speech is restricted or monitored, the darknet can be a haven. 

One of the most well-known privacy-focused platforms is ProtonMail, an encrypted email service that lets users communicate without fear of surveillance; it also maintains an onion service for users who need to reach it over Tor. SecureDrop is an open-source platform developed by the Freedom of the Press Foundation that allows journalists to receive tips from whistleblowers and activists without exposing their identity; each deployment is an onion service reachable only over Tor. These services are critical tools in protecting privacy and supporting democracy and transparency.

The darknet provides a critical space for those fighting for human rights. The Tor Project builds the infrastructure that lets individuals browse the web and host services anonymously, reducing the risk of being tracked or persecuted. Activists can use the darknet to share critical information about political oppression, corruption, and human rights abuses without fear of retaliation.

Whistleblower sites give individuals a platform to report government or corporate wrongdoings while protecting their identities. Whistleblowers help expose corruption and injustice on a global scale. Many journalists, including those at major news outlets such as The Guardian or The New York Times, rely heavily on these darknet platforms to connect with sources who need to remain anonymous for their own safety. 

Although controversial, the darknet is also a hub for educational resources. Multiple darknet sites provide free knowledge in areas ranging from cybersecurity to history and politics. These platforms can be indispensable to individuals who want to learn but cannot afford traditional schooling, or whose access is restricted by government or other forms of censorship.

Academic repositories such as Academia.edu, which can be reached through Tor when they are blocked locally, give access to papers, books, and research that may be restricted in certain countries. This access to free educational material empowers individuals to improve their skills and obtain knowledge that would otherwise be out of reach.

This might surprise some, but there are many legitimate charitable organizations and support groups that operate on the darknet to assist those in need. For people in dangerous situations, whether they are refugees, victims of domestic violence, or living under oppressive regimes, the darknet offers a safe space to access vital resources.

Directories such as The Hidden Wiki list links to support networks that provide guidance on escaping abusive relationships, finding medical care, and accessing counseling services. These resources can be critical for people who cannot seek help through traditional channels for fear of being tracked or judged. One caveat: such directories are unvetted and are frequently copied or seeded with scam and phishing links, so a listed address should be verified against the organization’s own surface-web presence before it is trusted.

While the darknet is notorious for illegal activity, there are also legitimate marketplaces that focus on privacy and security. These marketplaces allow people to buy and sell goods while keeping personal information private. Some marketplaces provide privacy conscious alternatives for purchasing legal items, like books, software, or hardware. 

OpenBazaar was a decentralized marketplace that let users trade goods and services directly with one another, settling payments in cryptocurrency with no central operator to collect data or censor listings. It was built on the principles of privacy, freedom, and decentralization; its developers wound the project down in 2021, but it remains the best-known attempt at a privacy-respecting marketplace.

In some cases, the darknet has served as a lifeline during times of crisis. For instance, during political unrest or natural disasters, the darknet has provided an outlet for individuals in need of urgent assistance or communication. Various groups have used the darknet to organize rescue operations or provide emergency services to people in need. 

This is most often showcased in countries facing censorship or political turmoil, where the darknet becomes a vital tool for maintaining open lines of communication. People can continue to organize protests, share information about the safety of family members, and coordinate relief efforts.

While the darknet is often associated with its darker, more malicious side, and rightly so, it is important to recognize that a great deal of good also happens below those layers of the surface, from protecting privacy and freedom of speech to supporting human rights and providing resources for those in need. The darknet offers much more than what is often portrayed in the media.

By highlighting these positive aspects, we can begin to build awareness and understanding of the true potential of the darknet as a force for good. It is a tool, and as with any tool, its value is determined by those who wield it. When leveraged for privacy, security, and human rights, the darknet can provide vital services that improve the lives of individuals and strengthen society as a whole.

If you’re interested in exploring the darknet firsthand or discovering its positive aspects, it’s crucial to educate yourself on the best practices for navigating it safely. DarkOwl has compiled a list of six best practices for exploring the darknet.



Why We Need Big Data Analysis for the Dark Web

April 22, 2025

The modern intelligence analyst simply cannot cope with the wealth of data at their disposal.

The sheer volume of available intelligence is overwhelming. Nowhere is this need clearer than in open-source intelligence (OSINT), where the darknet plays a critical role.

As Randall Nixon, Director of the Open-Source Enterprise at the CIA, warned: “It’s amazing what’s there…the next intelligence failure could easily be an OSINT failure, because there’s so much out there.”

The U.S. Office of the Director of National Intelligence (ODNI) has designated OSINT the “INT of first resort.” Recent global conflicts, including those in Ukraine and Gaza, have underscored OSINT’s critical role in modern intelligence.

Cybercriminal marketplaces, encrypted messengers, forums and hacker sites serve as hubs for illicit transactions, where drugs, weapons, extremist material, stolen credentials, malware, and hacking services are openly traded. These platforms operate much like traditional e-commerce sites, complete with vendor ratings, escrow services, and customer reviews. Because nothing gates entry to this ecosystem, it keeps expanding.

Darknet data is a goldmine of intelligence. Unlike structured enterprise datasets, darknet data is chaotic, multilingual, and riddled with deception, requiring robust machine learning techniques to extract meaningful insights.

Darknet data is inherently messy: it contains slang, deliberate obfuscation, and multilingual text, and it lives on short-lived, transient sites and pages. Much of it is also stored in unstructured form, which makes Natural Language Processing (NLP) and Large Language Models (LLMs) harder to apply effectively. Many darknet sites further introduce deliberate noise – pages filled with random or misleading content – to obscure information.

Legal and Ethical Risks

Since the darknet is designed for anonymity, traditional privacy regulations don’t always apply in the same way they do for regulated social media. However, the ethical implications of darknet surveillance must still be considered, especially when handling sensitive intelligence and personally identifiable information (PII).

Illegal Content

Darknet data often includes information related to illegal activities, which can pose significant challenges for generative AI and Large Language Models (LLMs). Many models have built-in safeguards that restrict processing such content, making off-the-shelf AI solutions less viable for darknet analysis. Additionally, the more specific the input data, the harder it is to bypass these restrictions. For example, extracting insights from a full dataset structure is generally easier than pulling highly specific details, such as product names, which may trigger model safety mechanisms.

The goal of intelligent systems should be to enhance human capabilities, enabling people to focus on higher-value, strategic decision-making, and creative tasks rather than routine processing.

As darknet activity continues to expand, advanced big data analytics and AI-driven methods will be essential to making sense of this vast, high-risk ecosystem.

Quantum computing is often invoked as the next leap in computational power, but it is not a near-term accelerator for this work: today’s quantum hardware is small and error-prone, and no known quantum algorithm offers a practical speed-up for text indexing, NLP, or classification. Gains in processing darknet data will continue to come from classical scale-out compute and better models.

Human Behaviour Analysis in Anonymized Spaces

When no one is looking, how do people behave? The darknet provides a unique perspective on human behavior—a reflection of how individuals and groups act when they believe they are untraceable. Under the veil of assumed anonymity, forums and marketplaces reveal unfiltered reactions to the outside world. This creates an opportunity for social scientists, intelligence analysts, and behavioral researchers to study criminal psychology and radicalization patterns.

Graph Neural Networks (GNNs) are well suited to link prediction and clustering over actor, vendor, and infrastructure graphs, surfacing connections that traditional analysis misses and supporting entity resolution (deciding when two handles, wallets, or domains belong to the same actor).

Anomaly Detection and Trend Monitoring

Detecting anomalies in darknet activity is essential for identifying emerging threats. Analysts tracking illicit trades look for anomalous patterns in trade volume, pricing, and vendor behavior—indicators that may signal disruptions, law enforcement interventions, or the emergence of new criminal enterprises.
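A concrete version of the anomaly check described above, added here as an illustration rather than DarkOwl’s own analytics. It scores constructed weekly vendor snapshots with a modified z-score built on the median and median absolute deviation (MAD), which tolerates the heavy tails of scraped market data far better than a mean and standard deviation. Each week is judged only against that vendor’s earlier weeks, a flat history is handled explicitly rather than dividing by zero, and the 3.5 threshold is the conventional Iglewicz and Hoaglin cutoff for the modified z-score. The vendor names and figures are made up for the example.

```python
"""Robust anomaly flagging over darknet market listing snapshots.

Added example, not DarkOwl code. Input: constructed weekly snapshots of
(vendor, ISO week, listing count, median price in USD). A week is flagged
when its volume or price departs from that vendor's own history by more
than a robust z-score threshold computed from the median and MAD.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: vendorA's listings drop to zero (possible exit or
# takedown), vendorB spikes volume and dumps price (classic exit-scam
# pattern), vendorC is perfectly steady and must not be flagged.
SNAPSHOTS = [
    # (vendor, iso_week, listings, median_price_usd)
    ("vendorA", "2025-W10", 120, 42.0),
    ("vendorA", "2025-W11", 118, 41.5),
    ("vendorA", "2025-W12", 125, 42.5),
    ("vendorA", "2025-W13", 121, 43.0),
    ("vendorA", "2025-W14", 0, 0.0),
    ("vendorB", "2025-W10", 40, 200.0),
    ("vendorB", "2025-W11", 42, 198.0),
    ("vendorB", "2025-W12", 39, 205.0),
    ("vendorB", "2025-W13", 41, 201.0),
    ("vendorB", "2025-W14", 95, 60.0),
    ("vendorC", "2025-W10", 10, 15.0),
    ("vendorC", "2025-W11", 10, 15.0),
    ("vendorC", "2025-W12", 10, 15.0),
    ("vendorC", "2025-W13", 10, 15.0),
    ("vendorC", "2025-W14", 10, 15.0),
]


def robust_z(values, x):
    """Modified z-score of x against the history `values`.

    0.6745 rescales the MAD to the standard deviation of a normal
    distribution. A zero MAD means the history was flat: an unchanged
    value scores 0, any change is reported as infinite so the caller
    treats it as anomalous instead of silently dividing by zero.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def detect_anomalies(snapshots, threshold=3.5, min_history=3):
    """Return [(vendor, week, metric, z)] for weeks that deviate from the
    vendor's earlier snapshots. History is walked in week order, so each
    snapshot is judged only against what was observable before it."""
    by_vendor = defaultdict(list)
    for vendor, week, listings, price in snapshots:
        by_vendor[vendor].append((week, listings, price))

    anomalies = []
    for vendor, rows in by_vendor.items():
        rows.sort()  # zero-padded ISO week strings sort chronologically
        for i, (week, listings, price) in enumerate(rows):
            if i < min_history:
                continue  # not enough history to judge this week
            history = rows[:i]
            for metric, idx, value in (("listings", 1, listings), ("price", 2, price)):
                z = robust_z([r[idx] for r in history], value)
                if abs(z) >= threshold:
                    anomalies.append((vendor, week, metric, round(z, 1)))
    return anomalies


if __name__ == "__main__":
    for hit in detect_anomalies(SNAPSHOTS):
        print(hit)
```

With the sample data only the W14 rows for vendorA and vendorB are flagged (both on volume and on price); vendorC’s flat series never trips the detector. In production the same scorer would run per vendor and per category over a rolling window, and the flagged weeks would be what an analyst reviews, not the raw feed.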

Predictive Analysis and Threat Forecasting

By analyzing historical data, organizations can predict the likelihood of future cyber threats, misinformation campaigns, and illicit trade patterns.

As Greg Ryckman, Deputy Director for Global Integration at the Defense Intelligence Agency (DIA), stated: “We need a professional cadre that does open-source collection for a living, not amateur.”

With the integration of AI-powered predictive models, darknet data can be used to simulate complex scenarios, sanitize PII and help organizations prepare for emerging risks—whether that be the spread of disinformation, shifts in ransomware tactics, or geopolitical cyber threats.

DarkOwl is exploring the use of LLMs to identify additional personally identifiable information (PII) entities. By refining these models to detect structured elements within highly unstructured text, we are developing tools that can track cybercriminal activity and detect fraud at scale.
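As an added baseline beside the LLM-based extraction described above (example code, not DarkOwl’s models), the following scans constructed free text for e-mail addresses, phone numbers and payment card numbers, validates card candidates with the Luhn check so that order references and other long digit strings are not reported, and includes a redaction helper of the kind the PII sanitization mentioned earlier in the post would need. The sample text, regexes and thresholds are this example’s own assumptions.

```python
"""Regex-plus-validation extraction of PII entities from unstructured darknet text.

Added example, not DarkOwl's LLM extractor: it shows the deterministic
baseline a pipeline would run before (or alongside) a model. Email and
phone candidates come from regexes; card candidates must also pass a
Luhn mod-10 check so 16-digit order IDs are not reported as cards.
"""
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Card candidates: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Phone candidates: optional +country code, then 7-14 digits with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+\d{1,3}[ .-]?)?(?:\(?\d{2,4}\)?[ .-]?)\d{3}[ .-]?\d{3,4}(?!\d)"
)

# Constructed sample: one valid test card (4111...), one 16-digit order
# reference that must NOT be reported, two e-mails and one phone number.
SAMPLE = (
    "fullz for sale: jdoe@example.com | 4111 1111 1111 1111 | exp 09/27 "
    "contact +1 212-555-0199 or telegram, order ref 1234567812345678 "
    "escrow via admin@market.onion"
)


def luhn_valid(digits):
    """Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_pii(text):
    """Return PII entities as dicts with type, value, start and end offsets."""
    found = []
    for m in EMAIL_RE.finditer(text):
        found.append({"type": "email", "value": m.group(), "start": m.start(), "end": m.end()})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # drops order numbers, tracking IDs, etc.
            found.append({"type": "card", "value": digits, "start": m.start(), "end": m.end()})
    card_spans = [(f["start"], f["end"]) for f in found if f["type"] == "card"]
    for m in PHONE_RE.finditer(text):
        # Grouped card digits can resemble a phone number; skip anything
        # that lies inside an already accepted card span.
        if any(s <= m.start() and m.end() <= e for s, e in card_spans):
            continue
        found.append({"type": "phone", "value": m.group(), "start": m.start(), "end": m.end()})
    found.sort(key=lambda f: f["start"])
    return found


def redact(text):
    """Replace each detected entity with a [TYPE] token, working right to
    left so earlier offsets stay valid while the string changes length."""
    out = text
    for ent in sorted(extract_pii(text), key=lambda f: f["start"], reverse=True):
        out = out[: ent["start"]] + "[" + ent["type"].upper() + "]" + out[ent["end"]:]
    return out


if __name__ == "__main__":
    for ent in extract_pii(SAMPLE):
        print(ent["type"], ent["value"])
    print(redact(SAMPLE))
```

On the sample this yields two e-mails, one card and one phone number; the order reference survives redaction untouched because it fails Luhn. A regex baseline like this is what a model-based extractor should be measured against: anything the model adds on top of it has to justify its cost.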

Beyond entity extraction, we are also applying topic modeling techniques to classify and label darknet content. By using Latent Dirichlet Allocation (LDA) and transformer-based models like BERT, we have successfully categorized subsets of forums, marketplaces, and chat data.  We plan to expand on this work to create unique digital fingerprints of these spaces. This will allow us to track shifting trends, identify when threat actors migrate from one marketplace to another, and detect the resurgence of illicit communities following law enforcement takedowns.

We have successfully applied Generative AI models to pull structured product details from specific darknet marketplaces. We plan to expand this work to allow us to monitor illicit trade trends, track specific vendors, and assess market shifts over time. As our AI models continue to structure and analyze darknet data, we gain deeper visibility into longitudinal trends.

We are exploring AI-driven summarization, NER, clustering, and topic modeling to filter out irrelevant noise and surface high-priority leaks. By applying AI-powered triage mechanisms, we can determine which breaches pose the greatest risk to organizations.



Q1 2025: Product Updates and Highlights

April 17, 2025

Read on for highlights from DarkOwl’s Product Team for Q1 that kicked off a strong 2025, including new exciting product features.

Teaming 

DarkOwl Vision UI now supports team management by an organization administrator. The organization administrator can arrange users into teams and assign team owners. Teams can be assigned to work together on Cases, including all related alerts, saved searches, and search blocks. Users will see a new My Teams page within the Settings section, which will display their teams and assigned Cases. 

Case Findings

The Cases feature was updated with a new section—Findings. Vision UI users can save important search results and alerts into their Cases as Findings, to research and dive into later. Findings capture the original result, and then provide annotation capabilities to create Snippets, add Notes, or organize by Criticality or Tag. The Note element increases collaboration opportunities with teammates.  

Leak Visualizations

Leak Explore visualizations give clients more insight into the composition of each leak. Clients can now see a graphic of the top file extensions within each leak, with an option to view the full list of extensions. This feature is also available in our API. 

A new visualization to view Alerts on a timeline is now available in both Case Alerts and Personal Alerts. This summarizes Alerts generated by criticality, over time. 

Another client request was to make bulk actions more easily accessible and readily available. Now, when you start selecting Alerts, an “Actions” button will appear and give bulk options for creating Case Findings or deleting a subset of alerts. 

Highlights

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. 

The team saw overall growth of 44% in data leak records. Broken down, that includes 4% growth in email addresses, 12% growth in credit card numbers, a 27% increase in total collected I2P documents, 10% growth in total collected paste documents, and another 12% growth in total collected records from Telegram, to highlight a few.

When search results come from data leaks, users can review additional information curated by DarkOwl analysts that enriches the leak. The descriptions below are all available in our Leak Explore UI feature or via the Leak Context API endpoint.

TXTLOG Alien

A batch of infostealer logs, associated with the Alien TXTLOG stealer logs, was made freely available on TXT LOG ALIEN, a Telegram channel, between March 4, 2025 and March 18, 2025. The exposed data consists of URL:LOGIN:PASSWORD rows that may include websites, IP addresses, usernames, email addresses, plaintext passwords and other sensitive information.
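The URL:LOGIN:PASSWORD layout looks trivial to split on colons, but both the URL (scheme, port) and the password can contain colons, so a naive split(":") corrupts exactly the records an analyst cares about. The parser below is an added example, not DarkOwl code: it anchors on the URL shape, takes the login as the first colon-free token after it, hands the password everything that remains, and then matches the parsed records against a watchlist of customer domains in the way a SOC would triage such a batch. The log lines, hosts, credentials and the watched domain are all constructed for the example; the single-line format handled here is the one the leak description names, not the multi-line layouts some other stealers emit.

```python
"""Parse URL:LOGIN:PASSWORD infostealer log lines and match them to monitored domains.

Added example, not DarkOwl code. The regex is anchored on the URL shape so
that colons inside the scheme, the port or the password do not break the
record; the login is the first colon-free token after the URL.
"""
import re

LINE_RE = re.compile(
    r"^(?P<url>"
    r"(?:[A-Za-z][A-Za-z0-9+.-]*://)?"  # optional scheme (https://, android://, ...)
    r"(?P<host>[^\s/:]+)"               # host; app ids like 'abc==@com.app' are allowed
    r"(?::\d{1,5})?"                    # optional port
    r"(?:/\S*?)?"                       # optional path, lazy so it stops at ':login:'
    r"):(?P<login>[^:\s]+):(?P<password>.*)$"
)

# Constructed sample covering the awkward cases: a port plus colons in the
# password, an android:// app URL, a scheme-less host, an empty password and
# a line that is not a credential at all.
SAMPLE_LOG = """\
https://mail.corp-example.com/owa/auth/logon.aspx:alice@corp-example.com:Summer2025!
https://accounts.google.com/ServiceLogin:bob.personal@gmail.com:hunter2
http://10.0.0.5:8443/admin:admin:P@ss:word:with:colons
android://Ab3dEf==@com.bank.app/:carol@corp-example.com:Banking123
vpn.corp-example.com:dave:NoSchemeHere
https://shop.example.net/login:erin@example.net:
garbage line without separators
"""


def parse_stealer_log(text):
    """Return (records, unparsed_count). Each record keeps the source line
    number so a hit can be traced back to the raw dump."""
    records, unparsed = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        # Strip any userinfo/app-id prefix and normalise case for matching.
        host = m["host"].rsplit("@", 1)[-1].lower()
        records.append({
            "line": lineno,
            "url": m["url"],
            "host": host,
            "login": m["login"],
            "password": m["password"],
        })
    return records, unparsed


def _in_scope(name, watched):
    """True when name is the watched domain or one of its subdomains."""
    return name == watched or name.endswith("." + watched)


def find_exposures(records, watchlist):
    """Records whose target host or login e-mail domain falls under a watched
    domain, with the reason(s) attached. A hit on the host means a customer
    system's login page was captured; a hit on the login means a customer
    identity was used, possibly on a third-party site."""
    watched = sorted(w.lower() for w in watchlist)
    hits = []
    for r in records:
        login_domain = r["login"].rsplit("@", 1)[-1].lower() if "@" in r["login"] else ""
        reasons = []
        for w in watched:
            if _in_scope(r["host"], w):
                reasons.append("host:" + w)
            if login_domain and _in_scope(login_domain, w):
                reasons.append("login:" + w)
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


if __name__ == "__main__":
    recs, bad = parse_stealer_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, {bad} unparsed")
    for h in find_exposures(recs, ["corp-example.com"]):
        print(h["line"], h["login"], "@", h["host"], h["reasons"])
```

For the watched domain the sample produces three hits: the OWA login (host and identity both in scope), a corporate identity saved in a banking app (identity in scope, host not), and a bare VPN host with a non-e-mail username (host in scope only). The distinction matters for response: a host hit means the customer’s own login page was captured and the password should be reset there; a login-only hit means a corporate identity is being reused elsewhere and the conversation is about password reuse and MFA.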

Oracle Cloud Sample

Data purported to be from Oracle Cloud servers was posted for sale on BreachForums, a hacking forum, on March 20, 2025. According to the post, Oracle’s traditional servers were hacked, exposing over 6 million customer records. Data exfiltrated is reported to include usernames, names, company names, keys, locations, passwords, email addresses, countries, employee information, phone numbers and mobile numbers. A sample database was posted as proof of the claim.

The threat actor alleged that the data was stolen from Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems and included Java KeyStore (JKS) files, passwords, key files, and Enterprise Manager Java Policy Store (JPS) keys. The actor noted that the SSO passwords are encrypted and sought help from the threat community to crack the LDAP password hashes. The actor also released a file listing around 140,000 domains of affected companies and demanded payment to prevent the sale of employee information, stating that individual companies could contact him directly to have their data removed before the sale. Further, the threat actor issued a 72-hour ultimatum for Oracle to respond via official company channels.

Zacks.com

Data purported to be from Zacks was posted on BreachForums, a hacking forum, on January 24, 2025. According to the post, in June 2024 Zacks Investment Research experienced a data breach exposing its source code and databases containing 15 million lines of customer and client data. Data exposed includes user identification (UID), company names, names, email addresses, phone numbers, usernames, passwords, and physical addresses.

Ticketmaster

Data purported to be from Ticketmaster was posted on LeakBase, a hacking forum, on July 9, 2024. According to the post, the breach is from 2024, contains 55 million rows and was formatted by the threat actor TimeBit. Data exposed includes customer IDs, IP addresses, purchase details, full names, genders, dates of birth, language, physical addresses, email addresses, and partial credit card numbers.

bankofamerica.com

Data purported to be from Bank of America was posted on BreachForums, a hacking forum, on December 2, 2024. According to the post, the leak is from May 31, 2023 and is attributed to the Ransomware group Cl0p and the MOVEit vulnerability. Data exposed includes account information, names, company names, usernames, expiration dates, dates of birth, bank account numbers, financial data, phone numbers, physical addresses, email addresses, vendor information, and IP addresses.



Telegram’s Trust & Safety Paradox: How Telegram’s New Measures Complicate Threat Actor Investigations 

April 15, 2025

Telegram, once the Wild West of chat applications, has undergone significant changes. This shift came after its CEO and founder faced legal troubles with French authorities. (We recently covered this situation in another blog; if you haven’t read it, I highly recommend checking it out.)

In short, Telegram is now implementing new trust and safety measures aimed at making the platform safer for users and curbing cybercrime. These efforts include banning and shutting down cybercrime-related channels, as well as making it harder to find them when they do operate. 

At first glance, this sounds like a huge win, something worth celebrating. We should be cheering, maybe even organizing a parade in honor of these developments. 

However, before we start throwing confetti, there’s a significant problem: these cybercriminal channels are still operating—they’re just harder for investigators to track and monitor. 

Locks only keep honest people honest… or, in this case, anything good on the internet can also be used for bad. 

This isn’t meant to be a criticism of Telegram (though it might sound like one), but rather an expression of investigator frustration. I fully support Telegram’s efforts to prevent illicit activities on its platform. It’s an uphill battle, especially considering how much easier it was for threat actors to operate on Telegram compared to traditional dark web sites. 

Previously, Telegram had key advantages for cybercriminals: 
👍Ease of access – Unlike dark web forums that require special browsers, Telegram is readily available. 
👍Simple search functionality – No need to memorize or hunt for links; just use the search bar. 
👍 A wider customer base – More users meant more potential buyers for illicit services. 

For investigators, this also made Telegram a gold mine of intelligence, until now.

The issue isn’t just that threat actors aren’t getting the hint to leave Telegram. It’s that the new safety measures make investigating them exponentially more difficult. 

  • Frequent bans, frequent reappearances – Some channels are getting shut down weekly, if not daily, only to resurface under new names. 
  • Time-consuming investigations – Investigators now have to spend considerable time tracking a single channel and its possible reincarnations. 
  • Obscured search results – Telegram has adjusted its search algorithm, making it harder to locate certain channels, even when using exact keywords. 

Take the following example: 

A cybercriminal channel was banned and then quickly reopened. You’d assume it would be easy to find again, but if you search for a keyword from the screenshot, like “txtlog”, the new version of the channel won’t appear in the results. 

For threat intelligence teams, this is a nightmare. Valuable intelligence is still out there, but now there’s a significant delay before someone manages to find it. This lag time creates a window of opportunity for cybercriminals to regroup and continue their activities unchecked. 

To conclude this rant, I want to acknowledge that Telegram’s efforts are commendable. Their actions prove that they are taking a stronger stance against cybercrime on their platform. 

As someone with experience in social media trust and safety, I understand the immense challenge of moderating a platform at this scale. But the fight isn’t over. The real goal should be deterring threat actors from returning at all, rather than just making it harder to find them. 

Hopefully, with continued improvements, Telegram can reach a point where cybercriminals realize it’s no longer a viable option—and investigators don’t have to spend all their time chasing shadows. 



Darknet Threats Targeting Semiconductor Companies

April 10, 2025

The semiconductor industry powers everything from computing and artificial intelligence to defense systems and the Internet of Things. Given its strategic importance, it has become a prime target for cybercriminals, nation-state actors, and ransomware groups—many of whom operate across the darknet. 

On these hidden networks, adversaries trade stolen intellectual property, zero-day exploits, and even sell access to compromised enterprise environments. This blog explores how these darknet-enabled attacks unfold. 

Semiconductor companies design, manufacture and sell semiconductors, which are essential to modern electronics. Semiconductors are materials, typically silicon, with electrical conductivity between that of a conductor and an insulator. They power everything from smartphones and laptops to cars and medical equipment. Because of this importance, these companies are targeted for a range of reasons and in a range of ways.

Due to their use of advanced chip designs and fabrication techniques, which are worth millions, they are often targeted by advanced persistent threat (APT) groups in order to steal intellectual property. Governments seek to control semiconductor advancements for technological and military superiority, leading to targeted cyberespionage campaigns. 

Because of the components they require, these companies often rely on a complex global supply chain made up of many different companies and providers. This exposes them to compromise through any one of those third parties, as the SolarWinds and Kaseya attacks showed, where vulnerabilities in a single supplier led to broad downstream compromise.

Given the high cost of production downtime, attackers often use ransomware and wiper malware to extort payments or cripple manufacturing facilities, whether to damage critical infrastructure or simply to extort companies worth millions.

Threat actors can use multiple tactics to infiltrate semiconductor companies and their supply chains. Some of their activities take place on the dark web.  

Darknet Markets for Stolen Data & Initial Access 

Darknet forums such as RAMP, Genesis Market (before its takedown), and BreachForums offer compromised credentials, session tokens, and MFA bypass methods for employees in the semiconductor sector. The threat actors who sell this access to the highest bidder are known as Initial Access Brokers (IABs).

Initial access brokers (IABs) often sell pre-compromised RDP, VPN, and Citrix credentials, allowing ransomware groups to gain footholds in corporate networks. 

Ransomware Attacks on Semiconductor Manufacturers 

Semiconductor companies are not immune to ransomware attacks; few organizations are these days. In fact, they may appear as enticing targets because of the worth of the organizations and the technology they deal in. As in any other ransomware attack, information relating to the organization is exfiltrated; this can include a range of document types, in this case sensitive semiconductor designs, and the attackers threaten to leak it unless a ransom is paid. Ransomware groups such as LockBit, BlackCat (ALPHV), and RansomEXX have been observed targeting semiconductor firms.

Zero-Day Exploits and Vulnerability Markets 

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the technology owner and therefore has no patch or fix available at the time it is discovered. Zero-day vulnerabilities in ICS/SCADA, firmware, and chip toolchains can be sold on the darknet and in private Telegram channels. This is very rare, and these vulnerabilities are worth a huge amount of money, especially when they target critical infrastructure.

However, firmware vulnerabilities in semiconductor manufacturing equipment, particularly ASML lithography systems and ARM-based architectures, are known to have been exploited in targeted attacks.

Supply Chain Infiltration and Hardware-Level Attacks 

Threat researchers have identified instances where adversaries embed malicious firmware in chips before deployment. This has been a major concern for critical infrastructure sectors who could be relying on compromised semiconductor components. Attackers have also been known to compromise EDA (Electronic Design Automation) tools and semiconductor manufacturing software, injecting backdoors into fabricated chips. 

Darknet Recruiting and Credential Stealing 

Darknet forums have been observed offering payment in cryptocurrency for insider access to, or data leaks from, semiconductor firms. Infostealer malware such as RedLine, StealC and Raccoon is widely used to harvest credentials, which are then resold and can be used for supply chain targeting or to target employees of semiconductor companies directly.

Several semiconductor firms have suffered high-profile cyberattacks in recent years, reinforcing the urgency of darknet threat monitoring. 

  • NVIDIA Breach (2022) – Lapsus$ Group 
    • Stolen proprietary GPU designs and employee credentials. 
    • Attackers leaked code-signing certificates, enabling malicious driver development. 
  • TSMC Supply Chain Ransomware Attack (2023) 
    • A third-party supplier was compromised by LockBit ransomware, exposing sensitive business data. 
    • Attackers demanded a $70M ransom. 
  • Intel & AMD Firmware Leaks 
    • Engineering documentation and firmware signing keys leaked on underground forums. 
    • Exploited for BIOS and firmware-level rootkit attacks. 

Semiconductor companies need proactive cybersecurity measures to mitigate darknet-driven threats. These companies and their partners should monitor the darknet to track mentions of company assets, stolen credentials, and exploit chatter. They should also actively monitor initial access brokers, ransomware leak sites, and private forums for early indicators of compromise. DarkOwl data can assist in conducting this monitoring and alerting on identified threats.  

As semiconductor firms continue to drive technological progress, they will remain top-tier targets for darknet cybercriminals and state-sponsored attackers. A multi-layered security approach, incorporating darknet monitoring, access control, supply chain security, and proactive threat hunting, is crucial to mitigate evolving cyber threats. 

By understanding how attackers operate on the darknet, semiconductor companies can stay ahead of threats, safeguard intellectual property, and ensure business continuity in an increasingly hostile cyber landscape. 


Copyright © 2024 DarkOwl, LLC All rights reserved.