Author: DarkOwl Content Team

Far-Right Reactions to Israel-Iran-U.S. Conflict 

August 05, 2025

In previous blogs, DarkOwl has explored reactions from hacktivist groups on the deep and dark web in response to the Israel-Iran conflict and the U.S.’ attacks against nuclear sites in Iran. In addition to activity from hacktivist groups, analysts have also observed extensive online chatter within far-right spaces in response to the Israel-Iran-U.S. conflict. For this blog, DarkOwl specifically examined some of the most popular political far-right Telegram channels to determine which opinions and sentiments have been most prevalent within these groups.  

Significantly, since the U.S. strike on Iranian nuclear sites on June 22, analysts observed a striking divergence of opinion among vocal subscribers in multiple far-right Telegram channels. These channels are known for platforming misinformation and conspiracy theories and have large subscriber bases, in some cases as many as 200,000. In recent weeks, many of the articles the channels post each day have concerned developments in the Israel-Iran conflict. Upon review, the discussions prompted by these developments have been marked by disagreement and incoherence. Though such disconnects are not unusual in themselves, the Israel-Iran-U.S. conflict appears to have exposed inconsistencies within extreme right-wing circles more sharply than before. Nonetheless, hatred remains a binding force between many members of these groups despite their ideological or sub-ideological differences. 

A review of multiple discussions within far-right Telegram channels since June 22 revealed significant ideological rifts. More specifically, opinions fell into a striking collection of not necessarily mutually exclusive categories: (1) pro-Israel; (2) pro-Trump; (3) anti-Israel; (4) anti-Israel and anti-Iran; (5) antisemitic and pro-Iran; (6) Islamophobic and pro-Israel; (7) antisemitic AND Islamophobic (i.e. racist); (8) anti-U.S.; etc. For instance, while some vehemently praised the Trump Administration’s response to the conflict—dubbing the president the “Moses of our Time”—others fiercely criticized the administration, arguing that the U.S. “will suffer a national humiliation” as a result (for context, these channels are generally known for consistently supporting the current administration). Meanwhile, some actively advocated for intervention in the conflict while others strongly opposed any involvement. These ideological oppositions were even evident in users’ emoji reactions to comments. In response to one individual referring to the U.S. as a terrorist state for targeting Iran, some responded negatively with “thumbs down” emojis, while others responded positively with “thumbs up.” Similar emoji breakdowns were noted in other instances. 

Furthermore, in addition to this wide variety of ideological differences, many individuals were also seen sharing conspiracy theories, misinformation, and disinformation. This included, for instance, some claiming that the “Deep State Cabal”—rather than Iran—poses a threat to the United States. This merging of conspiracy theories and disparate ideologies further conveyed the chaotic nature of this typically more homogenous information space.  

In addition to a wide variety of contradicting opinions and ideologies, analysts noted an unsurprisingly significant amount of hatred directed at groups and individuals perceived as threats or adversaries to the current system. Among specific Israel-Iran-U.S. conflict updates, notably fierce comments were observed in response to two key events in recent weeks: the declaration of a fatwa against U.S. President Trump and reports that the U.S.’ strikes against Iran did not destroy the nation’s nuclear infrastructure. 

A June 29 article regarding the issuing of a fatwa against President Trump by an Iranian cleric gained notable traction on Telegram, with numerous users calling for the assassination of Supreme Leader Ayatollah Ali Khamenei in response. Reflecting the ideological disagreement noted above, some users called for an end to U.S. involvement, suggesting that the responsibility to address the conflict lies with Israel instead. Among these responses, however, one sentiment emerged as dominant: Islamophobia. Though such rhetoric was not limited to fatwa-related discussions within the channel, it appeared even more frequently in this instance, with individuals sharing hateful, violent rhetoric directed at Iranians and Muslims broadly. Several users also called for the targeting and deportation of American Muslims (referred to by one individual as “savages in our society”), claiming that they “pose a threat.” This rampant hate is consistent with the observed increase in both Islamophobia and antisemitism since the escalation of the Israeli-Palestinian conflict in October 2023. Indeed, the FBI found that anti-Muslim incidents rose by 300% in just two months following Hamas’ October 7 attack.  

Similarly fervent responses were observed in response to an article addressing reports indicating that the U.S. did not destroy Iran’s nuclear capabilities—despite the administration’s assertions that the targeted sites were “obliterated.” The misleading article—which attempted to undermine the findings of U.S. intelligence officials—was repeatedly shared across far-right channels and gained more than 20,000 views. In response to the story, numerous users referred to the reporters who shared the findings as “traitors” and called for them to be jailed. One individual also called for charging a specific reporter with “espionage against the United States” and expressed disdain for the intelligence officers who compiled the report. Similar to Islamophobic rhetoric, this hate directed towards reporters and officials who share facts contradicting the administration’s claims is consistent with the persistent animosity towards reputable sources shared by far-right groups.  

Overall, analysts observed nearly every possible combination of opinions within multiple far-right Telegram channel discussions in response to the Israel-Iran-U.S. conflict. This finding is significant in that it reflects what appears to be a fracturing of far-right ideology within this specific monitored ecosystem of large-scale Telegram channels. Even though pro-administration rhetoric appears to remain dominant, many users were observed criticizing one another—seemingly more fervently than in response to previous non-foreign policy-related discussions.  Despite this noted difference in opinion, however, one fact remains consistent: regardless of specific ideology/ideologies, many of the individuals within these groups are linked by a hatred that transcends any ideological framework. Whether it’s hatred directed at journalists or members of targeted religious communities, the sentiment remains an overriding force within these communities. 


Stay up to date. Follow DarkOwl on LinkedIn.

Threat Intelligence RoundUp: July

August 04, 2025

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Ukraine arrests suspected admin of XSS Russian hacking forum – Bleeping Computer

In a July 23 press release, French authorities announced the arrest of the alleged administrator of the notorious Russian-language cybercrime forum XSS. According to the announcement, the suspect was arrested in Kyiv, Ukraine, by Ukrainian authorities on July 22 in the presence of French police and with support from Europol. The investigation was launched four years earlier, on July 2, 2021, by the cybercrime division of the Parquet de Paris (the Public Prosecutor’s Office). In addition to the arrest in Ukraine, authorities also seized the XSS.is domain. As noted by Hackread, following the action the site displayed a seizure notice stating that the domain had been seized by French law enforcement. Read full article.

2. Android malware Anatsa infiltrates Google Play to target US banks – Bleeping Computer

Researchers at ThreatFabric have identified a new Android banking malware campaign which utilizes the Anatsa Android banking trojan. According to the report, the campaign is targeting North American users and posed as a PDF viewer app in the U.S. Google Play Store; it was downloaded over 50,000 times before being removed. The app was initially launched as a legitimate app before being “transformed into a malicious one approximately six weeks after release.” The latest campaign is notably characterized by a broadened target list including a range of American mobile banking apps. Article here.

Researchers at Morphisec have observed the resurgence of the Iranian-backed ransomware-as-a-service (RaaS) “Pay2Key.” The company’s report—released just a month after Israel launched attacks against Iran’s nuclear and military facilities—reveals that the scheme now operates as “Pay2Key.I2P” and offers a greater profit share to those who target Iranian adversaries. As noted by the researchers, “the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.” Read more here.

In a July 23 report published by Zscaler ThreatLabz, researchers attributed two cyberattack campaigns against the Tibetan community to a China-linked APT group. The two campaigns—dubbed Operation GhostChat and Operation PhantomPrayers—targeted Tibet with multi-stage infection chains deploying Ghost RAT and PhantomNet backdoors. These attacks capitalized on heightened online activity in the weeks leading up to Dalai Lama’s 90th birthday on July 6. The campaigns functioned by “leveraging multiple subdomains […] to impersonate legitimate platforms.” Read here.

5. CISA and FBI warn of escalating Interlock ransomware attacks – Bleeping Computer

On July 22, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning of the ongoing threat posed by Interlock ransomware. According to the advisory, the relatively new ransomware operation has targeted a variety of sectors since it first emerged in September 2024. Targets have included “a wide range of business and critical infrastructure sectors in North America and Europe.” Learn more.

6. FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation – Bleeping Computer

On July 28, the FBI’s Dallas field office announced that it had seized over $1.7 million worth of cryptocurrency in mid-April 2025. According to the statement, the funds were “traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group.” The seized amount is now valued at over $2.4 million. The alleged Chaos member has been tied to ransomware attacks carried out against Texas companies and other targets. Read full article.

7. Four arrested in UK over M&S, Co-op, Harrods cyberattacks – Bleeping Computer

In a July 10 press release, the U.K.’s National Crime Agency (NCA) announced the arrest of four individuals for their suspected involvement in a series of cyberattacks against three major retailers (Marks & Spencer, Co-op, and Harrods). According to the statement, the arrested individuals include two 19-year-olds, one 17-year-old, and a 20-year-old. They were arrested on suspicion of “Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.” Read full article.

8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer

In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the sanctioning of the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved in the scheme use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

The Islamic State’s Propaganda Playbook

Digital Resilience, Recruitment, and Radicalization on the Darknet

This report examines the Islamic State’s (IS) evolving digital propaganda strategy, tracing its shift from centralized social media campaigns to a decentralized, multi-platform ecosystem spanning encrypted messaging apps and darknet infrastructure. Drawing on data from DarkOwl Vision and other intelligence sources, the report outlines how IS has adapted to deplatforming by leveraging Telegram, Rocket.Chat, Matrix, and Tor-based onion sites to distribute propaganda, recruit operatives, and maintain ideological influence. It highlights IS’s increasing use of multilingual content, operational security (OPSEC) training, and emerging technologies such as generative AI to sustain its global reach. The findings underscore the importance of persistent darknet monitoring and cross-platform intelligence to counter the group’s resilient digital footprint.


Curious to learn more? Contact us.

What are IoCs?

July 24, 2025

Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms, and sayings that unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, and data harvesting. In this edition, we dive into indicators of compromise. 

Indicators of Compromise (IoCs) are pieces of forensic data or artifacts found on a network or operating system that, with high confidence, indicate that an intrusion, breach, or other malicious activity has already occurred. Think of them as the “digital fingerprints” or “clues” left behind by an attacker; they help security teams determine whether an attack has taken place. Typical IoCs include IP addresses and domains used for command and control, file hashes of known malware, unusual registry or configuration changes, and accounts or login patterns that do not match normal activity. 

Indicators of compromise help security professionals in several ways. They are essential for detecting both ongoing and past cyberattacks, even when the initial breach went unnoticed. Once an IoC is identified, it serves as a guide for incident response teams, helping them understand the full scope, nature, and methods of the attack. This understanding allows them to contain the threat, eradicate the malicious presence, and recover compromised systems. Furthermore, by analyzing IoCs from previous incidents, organizations can proactively strengthen their defenses, updating security tools such as firewalls, intrusion detection systems, and antivirus software to block similar attacks in the future. Finally, sharing IoCs within the cybersecurity community helps other organizations defend against the same evolving threats, fostering a stronger collective defense and keeping defenders up to date with the latest TTPs (tactics, techniques, and procedures) of threat actors. One caveat: atomic IoCs such as IP addresses and hashes are cheap for an attacker to change, so they age quickly and are most useful when paired with the behavioral indicators described below. 

It’s important to distinguish IoCs from Indicators of Attack (IoAs). While IoCs tell you that a compromise has already happened, IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur. Both are crucial for a comprehensive cybersecurity strategy. We will dive into IoAs in an upcoming blog. 

CrowdStrike IoC list 

Data purported to be from CrowdStrike was posted on BreachForums, a hacking forum, on July 28, 2024. According to the post, the actor USDoD claimed to have CrowdStrike’s entire IoC (Indicator of Compromise) list but released only the first 100,000 records. The exposed data reportedly included indicators, malware types, actors, reports, kill chain stages, published dates, last-updated dates, and labels. Read more

CISA and FBI: Ghost ransomware breached orgs in 70 countries 

On February 19 this year, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with Ghost (Cring) ransomware. Since 2021, threat actors using Ghost ransomware have targeted organizations in more than 70 countries. Victims have included organizations in a variety of sectors, including critical infrastructure, education, and healthcare.

SolarWinds 

As was seen during the SolarWinds hack, monitoring the darknet for malicious discussions enables organizations to understand when and if they are a target, and to prepare accordingly. In the case of SolarWinds, there is evidence that the company had been a target of hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, had they been taken seriously, could have been leveraged by SolarWinds customers as a cue to safeguard themselves against what ultimately became the devastating supply chain compromise disclosed in 2020. 

DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below). 

As noted above, sharing IoCs within the cybersecurity community is vital to developing collective defenses and spreading best practices. By keeping up to date with IoCs in the wild, organizations can expand their understanding of current attack vectors, speed up their own incident response, avoid re-analyzing threats that have already been analyzed, and improve their overall security posture. 

One way of tracking and sharing IoCs is through TIPs (Threat Intelligence Platforms). These specialized platforms are designed to collect, process, and disseminate threat intelligence, including IoCs, to the wider community. To ensure efficient and interoperable sharing, IoCs are often exchanged using standardized formats and protocols. For instance, STIX (Structured Threat Information eXpression) provides a common language for representing and sharing cyber threat intelligence, encompassing not only IoCs (as Indicator objects carrying a machine-matchable pattern) but also threat actors, malware, and their tactics. The TAXII (Trusted Automated eXchange of Intelligence Information) protocol then handles the transport of STIX-formatted data between organizations or security platforms over HTTPS. 
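To make the STIX part concrete, here is a small added example (not code from the original post or from DarkOwl) that builds STIX 2.1 Indicator objects for a handful of IoCs, packages them in a Bundle of the kind a TAXII server would serve, and then matches those indicators against log lines. The IoCs, the hostnames and the log lines are all constructed for the example and use documentation address space; the pattern parser only understands the single-comparison patterns the block itself emits, not the full STIX patterning language.

```python
"""Build STIX 2.1 Indicator objects from IoCs and match them against logs.

Added example using only the Python standard library.  Every IoC and log
line below is constructed for illustration; none comes from a real advisory.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed IoCs (RFC 5737 address space and a reserved example domain).
SAMPLE_IOCS = [
    ("ipv4-addr", "203.0.113.45"),
    ("domain-name", "update-check.example.net"),
    ("file-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# STIX 2.1 pattern templates, keyed by the IoC type used in this example.
PATTERNS = {
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "file-sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def make_indicator(ioc_type, value, created=None):
    """Return a minimal STIX 2.1 Indicator dict for one IoC."""
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    if "'" in value or "\\" in value:
        # Keep the example honest: we do not implement STIX string escaping.
        raise ValueError("value would need escaping inside a STIX pattern")
    ts = (created or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(iocs, created=None):
    """Wrap Indicator objects in a STIX 2.1 Bundle, the unit TAXII exchanges."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(t, v, created) for t, v in iocs],
    }


# Parses only the single-comparison patterns emitted by PATTERNS above.
_PATTERN_RE = re.compile(
    r"^\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256') = '([^']*)'\]$"
)
_KIND = {
    "ipv4-addr:value": "ipv4-addr",
    "domain-name:value": "domain-name",
    "file:hashes.'SHA-256'": "file-sha256",
}


def index_bundle(bundle):
    """Map (ioc_type, lower-cased value) -> indicator id for fast lookups."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            index[(_KIND[m.group(1)], m.group(2).lower())] = obj["id"]
    return index


# Observable extractors for raw log text (hashes and domains are case-insensitive).
_EXTRACTORS = {
    "ipv4-addr": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain-name": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "file-sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}


def scan_logs(lines, index):
    """Return (line_number, ioc_type, value, indicator_id) for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in _EXTRACTORS.items():
            for value in rx.findall(line):
                key = (kind, value.lower())
                if key in index:
                    hits.append((n, kind, key[1], index[key]))
    return hits


# Constructed log lines: DNS, firewall and EDR records from a fictional estate.
SAMPLE_LOGS = [
    "2025-07-24T10:01:12Z dns client=10.0.0.7 query=update-check.example.net type=A",
    "2025-07-24T10:01:13Z fw action=allow src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2025-07-24T10:02:40Z edr host=ws-0142 event=process_create "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2025-07-24T10:03:05Z dns client=10.0.0.8 query=www.example.org type=A",
]

if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_IOCS)
    print(json.dumps(bundle, indent=2))
    for hit in scan_logs(SAMPLE_LOGS, index_bundle(bundle)):
        print("HIT line=%d type=%s value=%s indicator=%s" % hit)
```

Three of the four constructed log lines match (the DNS query, the outbound connection, and the uppercase SHA-256 from the EDR record); the benign lookup of www.example.org does not. In practice the Bundle would come from a TAXII collection or a threat intelligence feed rather than being built locally, and the matcher would sit in a SIEM, but the lookup logic is the same.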

Beyond specialized platforms, many cybersecurity vendors, research organizations, and government agencies provide Threat Intelligence Feeds. These feeds deliver real-time or near real-time updates of IoCs directly to an organization’s security tools. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) play a critical role as well. These sector-specific or cross-sector organizations create trusted environments for their members to share sensitive threat information, including IoCs, and collaborate on defense strategies. For example, there are dedicated ISACs for sectors like finance, energy, and healthcare. Governments also contribute significantly; many have Government Initiatives to facilitate threat intelligence sharing, such as CISA’s Automated Indicator Sharing (AIS) in the United States, which provides federal agencies and partners with machine-readable cyber threat indicators. 

Finally, the broader Security Research and Open-Source Communities are invaluable contributors. Independent security researchers, ethical hackers, and open-source projects frequently discover and publish IoCs through various channels like blogs, online forums, GitHub repositories, and specialized websites. 

Entity API enables the identification and contextualization of specific entities—such as email addresses, IP addresses, and domains—within DarkOwl’s darknet data. This tool is valuable for incident responders and threat hunters seeking to correlate Indicators of Compromise (IoCs) and assess potential threats.  

Investigators can gather IoCs from dark web sources and link them to threat actors or campaigns. This helps in profiling the activities, tactics, and techniques of adversaries, enabling proactive threat hunting and vulnerability assessments. 

Emails and Domains 

Email Address and Domain endpoints allow you to request all exposed information relating to a single email address or email domain. For example, you can request a list of all emails belonging to a particular domain, or see if a specific email address has been exposed with a hashed or plaintext password (if detected).

Credit Cards and BIN 

Credit Card and Bank Identification Number (BIN) endpoints allow you to request to see information relating to a single credit card number or BIN. For example, end users can query all credit cards belonging to a specific BIN that have not expired or the URL source of the pages on which a specific credit card was posted. 

Cryptocurrency Addresses 

Cryptocurrency Address endpoints allow you to see whether specific cryptocurrency addresses have been exposed. Sample responses include a contextual text fragment taken from the original source document. 

IP Addresses 

IP Address endpoints allow you to request information relating to a single IP address. For example, end users can use search parameters to find whether a specific IP address has been posted on darknet forums.

One of the most prevalent use cases for insight into DarkOwl’s data is the persistent rise in cybercriminal activity as a whole, and ransomware activity in particular, much of which surfaces on the dark web. The global dark web intelligence market is expected to grow at a CAGR of 22.3%, reaching a total of $1.3 billion by 2028.

Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. Entity API will empower threat intelligence teams with the tools to determine when such account information has been compromised, and take remediation steps accordingly.  

Monitor Cryptocurrency Mentions Using Entity API 

With Entity API, users have access to highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, ZeroNet, data breaches, encrypted chats, IRC, and authenticated forums. Users can search for a crypto address that DarkOwl has captured from darknet sources, including illegal marketplaces and vendor forums, to detect wallets with problematic activity. Cryptocurrency address endpoints allow users to see whether specific cryptocurrency addresses have been exposed.  

Cryptocurrency types include: 

  • Bitcoin 
  • Ethereum 
  • Monero 
  • zCash 
  • Litecoin 
  • Dash 
Figure 2: Request to see all instances of a specific cryptocurrency address appearing on the darknet (or other underground networks). Sample responses pictured above. 

For those in charge of monitoring for critical information regarding their business or their customers, having access to DarkOwl’s darknet data means access to near real-time data from exclusive dark web sources including authenticated forums and emerging chat networks. Contact us to learn more. 

Dark Web Threats to UK Councils

July 22, 2025

In an increasingly volatile cyber security landscape, no organization is safe from cyber attacks. One group of organizations that has been increasingly targeted by ransomware groups and other threat actors is UK councils, the local level of government in the UK.  

In this blog we will explore what UK councils are and how they have been subjected to cyber attacks in recent times.  

Councils, also known as local authorities, are the local level of government in the UK. They are responsible for delivering public services ranging from social care and schools to roads and transport, waste collection and recycling, housing and planning permission, and the management of parks, recreational areas and libraries. They are responsible for large swathes of local life in the UK, and residents pay council tax to fund and maintain these services.  

Councils are run by locally elected councillors, who make decisions on budgets, policies and the services that are provided. Councils usually have a lead, often a mayor, who is either directly elected by local residents or selected from among the councillors. Non-political officers, or civil servants, run day-to-day operations.  

There are also different types of councils depending on where they are located and the communities that they support.  In England these form a tier system:  

  • Two-tier system (mainly in shire counties like Kent or Hampshire): 
    • County Councils 
      • Handle large-scale services like education, social care, and transport. 
    • District/Borough Councils 
      • Handle local services like housing, waste collection, and planning. 
  • Single-tier system (in cities and urban areas): 
    • Unitary Authorities 
      • Handle all services. 
    • Metropolitan Boroughs 
      • Do everything in large urban areas (e.g., Manchester, Birmingham). 
    • London Boroughs 
      • Each borough (like Camden or Croydon) has its own council. 
    • Greater London Authority (GLA) 
      • Oversees strategic issues like transport (TfL), policing, and planning. 

UK councils face a wide range of cybersecurity threats due to the large volumes of sensitive data they manage (e.g. social services, housing, benefits, and education). 

Multiple types of cyber threat can affect local councils; here we summarize some of the common attacks we have seen conducted.  

Ransomware Attacks 

Ransomware attacks happen when a threat group obtains access to a network and encrypts its data, demanding a ransom to restore access to the owner. Increasingly, these attacks also involve stealing the data and publishing it on dark web leak sites if the ransom is not paid. This can have very serious ramifications for councils given the services they support: it can stop them from delivering those services as well as exposing sensitive personal information.  

Figure 1: InterLock Ransomware group share data from West Lothian Council 

Data Breaches 

A data breach can occur in many ways but ultimately means that sensitive or protected data has been made publicly available when it should not have been. Councils can fall victim to this either through poor security practices or because they have been the victims of a hacking attack.  

Recently the Oxford City Council reported that attackers had been able to access PII data through a breach of some of their legacy systems. The information targeted largely related to individuals who had worked on local elections, including ballot counters and poll station workers.

Distributed Denial of Service (DDoS) Attacks 

A Denial-of-Service attack is when a website or service is flooded with traffic, making it unavailable. This can take down council websites, which many local residents rely on to access services and obtain support. Recently, hacktivist groups aligned with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have been known to conduct these DDoS attacks, and in some cases they have successfully targeted council websites.  

Figure 2: Proof of DDoS against London Borough of Harrow from Palestinian-affiliated hacktivist group 

Real World Incident:  

  • Perpetrator: Hacktivist group NoName057(16). 
  • Targets: Multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council. 
  • Impact: Temporary website outages and service disruptions; the attacks were politically motivated, in response to the UK’s support for Ukraine. 

Misconfigured Systems and Insider Threats 

Misconfiguration of systems, such as poorly configured databases or file-sharing platforms, can expose sensitive data to the public. When systems are not configured properly, individuals who should not have access to the data may be able to reach it. Similarly, an insider threat is where staff, whether through unintentional error or malicious intent (for example, a disgruntled employee), leak or share sensitive information or access.  

Supply Chain Attacks 

A supply chain attack is when an organization is targeted because of its position in the supply chain of another organization. The supplier is usually chosen because it has weaker security and is an easier target, but compromising it can expose information and data belonging to other organizations in the chain.  

Real World Incident:  

  • Incident: Cyberattack on Locata, a housing service provider. 
  • Impact: Disruption of housing services for Manchester, Salford, and Bolton councils; users received phishing emails attempting to harvest personal information. 

Phishing & Spear Phishing 

Phishing attacks are when emails or other communications are sent to an individual in order to obtain information or access. They either “trick” individuals into sharing information they should not, usually by posing as someone in the organization, or contain malicious links or attachments which people inadvertently open, allowing attackers to gain a foothold on the network. Spear phishing is the targeted form, where the message is tailored to a specific person or role.  

Council members and staff are often targeted in these types of attacks. In February 2025, Hammersmith and Fulham Council reported that it faces around 20,000 attempted cyber attacks a day, the majority of them phishing attempts. 

Local authorities have become a popular target for cyber criminals in recent years, thanks to the large amount of valuable personal data they hold, often-outdated IT systems, and comparatively poor cybersecurity budgets. Councils need to take more proactive measures to combat the increasing threat. Some of the actions that can be taken: 

  • Adopting advanced threat detection systems and regular security assessments. 
  • Conducting cybersecurity awareness programs for staff to prevent phishing and other social engineering attacks. 
  • Developing and regularly updating incident response plans to swiftly address breaches. 
  • Working closely with national bodies to share intelligence and best practices. The National Cyber Security Centre (NCSC) is the point of contact for cyber incidents in the UK. 

Curious to learn more? Contact us.

Q2 2025: Product Updates and Highlights

July 17, 2025

Welcome to our Q2 roundup! This quarter, the DarkOwl Product Team doubled down on customer feedback, delivering powerful enhancements across Vision UI and API. From streamlined workflows to smarter site identification, here’s what’s new.

Case Findings: Faster, Smarter, More Visual 

We’ve reimagined how users create and manage Findings in Vision UI.

  • Inline Annotation Workflow: Now you can label, snippet, and note your Findings directly from the Search Result or Alert—all without leaving your spot. 
  • Summary View: A new visual dashboard gives you a quick snapshot of your Case’s Findings activity and attributes. 
  • Customer-Driven Enhancements: 
    • Hyperlinks on the Case landing page for faster navigation 
    • Improved data handling when converting Alerts to Findings 

Site Names and Aliases: Identification at a Glance

We’ve made it easier to identify and filter to website sources across our platform. 

  • Enhanced Display: Site names now appear directly on Search Results and Alerts in Vision UI. 
  • Lexicon Boost: Known aliases are now searchable, improving discoverability. 
  • New API Features: Provide contextual information and targeted filtering options. 

In Search API, a new siteId response field is returned for identified websites in the DarkOwl Vision dataset. A matching siteId query parameter lets you filter Search API results to a particular site of interest without having to know its specific source domains or mirrors.

Additionally, to provide greater feature compatibility between Vision UI and API, we have launched two new endpoints within Context API: Site Context API and Site Summary API. Site Context provides supplemental information about named websites (sites) that have been identified in our dataset, and Site Summary provides programmatic access to the Vision UI Lexicon features.  

Curious to learn more? Contact us.  

Universal Phone Number Builder 

To better support our entire client base, the team replaced the US-specific Phone Number builder with a Universal Phone Number Query Builder. The new template lets you enter the parts of a phone number separately (country code, area code, and local number) and then structures the query for you automatically.

Report Downloads in Word 

Entity Explore and DARKINT Score Reports in Vision UI can now be downloaded in either PDF or Microsoft Word formats. With Word format, customers can then use the text with their own logos, branding, or other enrichment! 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products.  

The team had astounding growth of 38% in data leak records. To break it down, the team had 16% growth in email addresses, 7% growth in credit card numbers, 12% increase in total collected ZeroNet documents, 3% growth in cryptocurrency addresses, 23% growth in total collected paste documents, and another 14% growth in total collected records from Telegram – just to highlight a few.  

When search results come from data leaks, users can review additional information curated by DarkOwl analysts that provides context on the leak. The descriptions below are all available in the Leak Explore feature in Vision UI and through the Leak Context API endpoint.

Orange.com and Orange.ro

Data purported to be from Orange was posted on BreachForums, a hacking forum, on February 25, 2025. According to the post, Orange suffered a significant data breach after refusing to pay a ransom demanded by the threat actor Rey. Data exposed includes customer records, source code, internal documents, invoices, contracts, project details, tickets, user data, employee data, messages, credit card information, personally identifiable information (PII), and call logs.

The breach, primarily affecting Orange Romania but also impacting global divisions, resulted in the exposure of over 600,000 customer records, including 380,000 unique email addresses. Additionally, sensitive data such as source code, internal documents, financial records, project details, employee information, and confidential project plans were compromised.

According to media reports, the threat actor, a member of the HellCat ransomware group, claimed to have exfiltrated approximately 6.5 GB of data (nearly 12,000 files) by using stolen credentials and exploiting vulnerabilities in Orange’s Jira and internal portals.

4chan

Data purported to be from 4chan was posted on April 14, 2025 in the Telegram channel “Chicken Tikka Masala in /pol/ AnarchyLost edition”. Data exposed includes email addresses, IP addresses, usernames, ident protocol data, IRC chat messages, and message board posts. Additionally, source code for the 4chan board was released. Review of the content indicates the leak contains private conversations of 4chan janitors and moderators from the 4chan IRC channel and the /j/ 4chan message board. According to media reports, the hack is suspected to have been carried out by individuals associated with the “Soyjak.party” community, who allegedly exploited vulnerabilities in outdated PHP code to gain access.

Lockbit Hack

On May 7, 2025, an unknown hacker defaced the LockBit ransomware group’s data leak site with the message “Don’t do crime CRIME IS BAD xoxo from Prague”, which linked to a file hosted on the LockBit domain. The exposed data is a MySQL database dump of LockBit’s affiliate data containing bitcoin addresses, internal chats, build configurations and a users table. According to cybersecurity researchers, the database comes from the site’s affiliate panels and contains data timestamped from December 2024 through April 2025. It includes 59,975 unique bitcoin addresses, a builds table with public keys and victim names, build configurations and 4,442 negotiation messages from the group’s chats. Additionally, 75 admin credentials were exposed, some with plaintext passwords for the affiliate panel. LockBit claimed a hacker bypassed the authentication process for its automatic registration portal. The group asserted that while the database was compromised, no decryption tools or sensitive victim company data were accessed. LockBit also offered a reward for information leading to the identification of the hacker responsible for the breach.

interpol.int

Data purported to be from INTERPOL was posted on DarkForums, a hacking forum, on May 2, 2025. According to the post, the threat actor converted the original SQL file into JSON format, to make the content easier to read. Data exposed includes email addresses, names, physical addresses, phone numbers, and IP addresses. The dataset includes references to hash types such as MD5 and SHA512, suggesting the potential presence of password hashes. However, at this time, it cannot be confirmed whether these values represent actual passwords, nor whether they are definitively linked to the associated email addresses or usernames.
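As an added illustration (not part of the original post and not DarkOwl tooling), the following Python snippet shows the kind of check an analyst would run on such a dump: does each value sitting next to a declared hash type even have the shape of that digest? It works on a constructed JSON sample in the SQL-to-JSON form described above; the field names `hash_type` and `value`, and the sample records themselves, are assumptions rather than anything taken from the leak.

```python
import json
import re

# Hex-digest lengths of common unsalted hashes. A length/charset match only means a
# value *could* be such a digest, not that it is one (a 32-hex string may also be a
# GUID without dashes, a session token, etc.).
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
# Modular-crypt-format hashes announce their algorithm in a prefix.
MCF_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$argon2id$": "argon2id"}
# Which observed shapes are compatible with a declared hash_type label.
COMPATIBLE = {
    "MD5": {"hex:MD5", "mcf:md5crypt"},
    "SHA1": {"hex:SHA1"},
    "SHA256": {"hex:SHA256", "mcf:sha256crypt"},
    "SHA512": {"hex:SHA512", "mcf:sha512crypt"},
}

def classify_secret(value):
    """Describe the shape of a credential field: 'empty', 'mcf:<algo>', 'hex:<algo>' or 'unknown'."""
    if not value:
        return "empty"
    for prefix, algo in MCF_PREFIXES.items():
        if value.startswith(prefix):
            return f"mcf:{algo}"
    if HEX_RE.match(value) and len(value) in HEX_DIGEST_LENGTHS:
        return f"hex:{HEX_DIGEST_LENGTHS[len(value)]}"
    return "unknown"

def audit_records(json_text):
    """For each record, compare the declared hash_type with the observed value shape.
    'consistent' is True/False when a hash_type is declared and None when it is not."""
    results = []
    for rec in json.loads(json_text):
        declared = (rec.get("hash_type") or "").upper() or None
        observed = classify_secret(rec.get("value"))
        consistent = None if declared is None else observed in COMPATIBLE.get(declared, set())
        results.append({"email": rec.get("email"), "declared": declared,
                        "observed": observed, "consistent": consistent})
    return results

# Constructed sample (assumed field names; not data from the leak) in the
# SQL-converted-to-JSON shape the post describes.
SAMPLE_JSON = """[
 {"email": "a.user@example.org", "hash_type": "MD5",    "value": "5f4dcc3b5aa765d61d8327deb882cf99"},
 {"email": "b.user@example.org", "hash_type": "SHA512", "value": "abcd"},
 {"email": "c.user@example.org", "hash_type": "SHA512", "value": "$6$saltsalt$Qx9v0abcdef0123456789"},
 {"email": "d.user@example.org", "hash_type": null,     "value": "Winter2025!"}
]"""

if __name__ == "__main__":
    for row in audit_records(SAMPLE_JSON):
        print(row)
```

A shape match is necessary but not sufficient: it cannot distinguish a real MD5 password hash from any other 32-character hex token, and it says nothing about whether the value belongs to the adjacent email address, which is exactly the caveat above. Records whose declared type and observed shape disagree (the second sample row) are the first place to look when judging whether a dump is what the poster claims.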

Russian Medical Center 1.1M

Data purported to be from the Russian Center of Aviation Medicine (TsAM) was posted on DarkForums, a hacking forum, on May 9, 2025. According to the post, the data was breached on April 4, 2025 and contains 1.1 million records on aviation-related health screenings, pilot certification, and aerospace medical research. Data exposed includes medical records, names, dates of birth, genders, ethnicity, national ID numbers, passport numbers, tax identification numbers, physical addresses, email addresses, phone numbers, user identification numbers (UID), patient data, occupation, and cause of death. SNILS (СНИЛС in Cyrillic) stands for Individual Insurance Account Number in Russia. It is a unique number issued and used by the Pension Fund of the Russian Federation to track residents’ social security accounts. A SNILS consists of 9 digits that identify the individual, followed by 2 final digits that act as a checksum for validation.
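The checksum makes it possible to test whether a purported SNILS value is at least well-formed, which is one quick way to gauge whether a dump contains genuine identifiers or filler. The Python validator below is an added example, not part of the original post; it implements the standard SNILS control-number rule (weights 9 down to 1 over the nine identifying digits, with the 100/101 special cases and the exemption for numbers up to 001-001-998), which the page does not spell out, and the sample numbers are constructed.

```python
import re

# Weights 9..1 applied to the nine identifying digits (standard SNILS rule; the page
# only says the last two digits are a checksum).
WEIGHTS = range(9, 0, -1)
# Numbers up to and including 001-001-998 predate the checksum rule and are not checked.
CHECKSUM_THRESHOLD = 1001998

def snils_checksum(ident_digits):
    """Compute the two-digit control number for the first nine digits of a SNILS."""
    if len(ident_digits) != 9 or not ident_digits.isdigit():
        raise ValueError("need exactly nine digits")
    total = sum(int(d) * w for d, w in zip(ident_digits, WEIGHTS))
    if total < 100:
        check = total
    elif total in (100, 101):
        check = 0
    else:
        check = total % 101
        if check == 100:
            check = 0
    return f"{check:02d}"

def normalize_snils(raw):
    """Strip separators, e.g. '112-233-445 95' -> '11223344595'; None unless 11 digits remain."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 11 else None

def is_valid_snils(raw):
    """True if the value is 11 digits and its control number matches (or it is below the threshold)."""
    digits = normalize_snils(raw)
    if digits is None:
        return False
    ident, control = digits[:9], digits[9:]
    if int(ident) <= CHECKSUM_THRESHOLD:
        return True
    return snils_checksum(ident) == control

def triage(values):
    """Return (valid, invalid) counts for a list of candidate SNILS strings from a dump."""
    valid = sum(1 for v in values if is_valid_snils(v))
    return valid, len(values) - valid

if __name__ == "__main__":
    # Constructed samples: two that pass the checksum, one that does not.
    print(triage(["112-233-445 95", "999-999-999 01", "123-456-789 00"]))
```

A high invalid ratio on a column claimed to be SNILS is a strong hint that the column is mislabelled or synthetic; a high valid ratio is consistent with real identifiers but does not prove the records are genuine, since anyone can generate numbers that pass the check.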


Curious how these features and data can make your job easier? Get in touch!

What is Data Harvesting?

July 08, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or take a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, and doxing. In this edition, we dive into data harvesting.

Data harvesting refers to the automated collection of data from digital sources, such as websites, apps, APIs, databases, or public records, with the goal of drawing inferences. It’s often accomplished using tools like web scrapers, crawlers, or specialized software. There are legitimate reasons for data harvesting as well as nefarious purposes. We will dive into both.

The What and How

Data harvested without consent is often sourced from data breaches, phishing scams or malware, and can include personal information, login credentials, credit card numbers, location data, social data (such as likes, posts and connections), behavioral data (such as browsing history and habits), or medical records.

Data harvesting is carried out through various methods, each with different levels of transparency and legality. One of the most common tools is cookies and trackers, which are embedded in websites to monitor user behavior, such as browsing patterns, clicks, and time spent on pages. APIs and scrapers are also widely used to systematically extract data from online platforms, often automating the collection of vast amounts of information in a short time. Apps and connected devices can harvest data through user-granted permissions, or sometimes through hidden scripts, gathering information like contacts, location, and device usage. More maliciously, phishing campaigns and malware can deceive users into giving up sensitive information or infect their systems to extract data covertly, posing significant security and privacy risks.

Harvested data is put to a range of uses, some legitimate and some malicious:

  • Marketing and Advertising: Businesses use it to understand consumer behavior, market trends, competitor pricing, and product performance. Companies use this harvested data to build detailed consumer profiles and deliver targeted ads. By understanding your interests, habits, and demographics, advertisers can increase the chances of clicks and sales.
  • Lead Generation: Collecting contact information for sales and marketing outreach.
  • Research: Academics and researchers use it to gather data for studies in various fields, such as social science, economics, and healthcare. AI Training is another upcoming field – large datasets are fed into AI models for training. This includes data scraped from the web (like text, images, or behavior patterns) to build chatbots, recommendation engines, and facial recognition systems.
  • Content Aggregation: Collecting content from multiple sources to create news aggregators or comparison websites.
  • Improving User Experience: Understanding user preferences and behavior to enhance websites and applications. Organizations analyze the data to uncover trends, improve services, forecast demand, or enhance customer experience. For example, a retailer might use browsing and purchase data to optimize inventory or personalize recommendations.
  • Data Brokerage: Data brokers collect and aggregate data from many sources, then sell it to third parties—like marketers, insurers, employers, or political campaigns.
  • Identity Theft and Fraud: Harvesting personal information (names, addresses, email, payment details) to commit identity theft or fraudulent activities.
  • Spam: Collecting email addresses for mass unsolicited emails.
  • Intellectual Property Theft: Scraping proprietary content, product designs, or strategic plans from competitors.
  • Data Breaches: If harvested data is not adequately secured, it can be vulnerable to breaches, exposing sensitive information.

Harvested data is often sold on darknet marketplaces. Once the data has been collected, “harvesters” often dump it on the darknet and offer it for sale across different marketplaces, usually for financial gain. Collected data can also be used for blackmail, doxing or stalking, and data collected by political extremists or activist groups may be used for targeted attacks and campaigns.

An example of a combolist (a list of email address and password combinations that may be used in brute force or credential stuffing operations to gain unauthorized access to servers and services) was observed leaked and posted on a darknet site. Databases from data harvesting will often include usernames and passwords, fullz (full identity profiles), financial records or health records. These are all often highly confidential or sensitive and can cause a great deal of harm when posted without consent.
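As an added example (not code from the original post), here is how a defender might parse a combolist of the kind described and check whether any accounts on a monitored domain appear in it. The combolist lines are constructed, the `corp.example` domain is an assumption, and the parser deliberately keeps passwords out of the report it returns.

```python
import re
from collections import Counter

# Constructed combolist sample (not from a real leak): the usual 'email:password' and
# 'email;password' forms, a duplicate line, a password containing ':' and a junk line.
SAMPLE_COMBOLIST = """\
alice@corp.example:Summer2024!
bob@corp.example;hunter2
carol@mail.example.net:P@ssw0rd
alice@corp.example:Summer2024!
dave@corp.example:pa:ss:word
not an entry line
eve@other.example:letmein
"""

# Address, then the first ':' or ';' as separator, then everything else as the password.
LINE_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+)[:;](.+?)\s*$")

def parse_combolist(text):
    """Yield (email, password) pairs from combolist text, skipping lines that do not parse.
    Only the first separator after the address is consumed, so 'pa:ss:word' survives intact."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def exposure_report(text, monitored_domains):
    """Summarize which accounts on the monitored domains appear in the combolist.
    Passwords are used only to deduplicate identical entries and are not returned."""
    monitored = {d.lower() for d in monitored_domains}
    seen = set()
    accounts = []
    per_domain = Counter()
    duplicates = 0
    for email, password in parse_combolist(text):
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored:
            continue
        if (email, password) in seen:
            duplicates += 1
            continue
        seen.add((email, password))
        accounts.append(email)
        per_domain[domain] += 1
    return {"accounts": accounts, "per_domain": dict(per_domain), "duplicates": duplicates}

if __name__ == "__main__":
    print(exposure_report(SAMPLE_COMBOLIST, ["corp.example"]))
```

The list of exposed accounts is what feeds a forced password reset or an MFA-enforcement ticket; the same parser, pointed at an identity provider's login logs, is the starting point for spotting the credential stuffing the combolist enables.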

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web and is reachable only via special tools and software, specifically dedicated browsers and protocols; you cannot access the darknet by simply typing a dark web address into a standard web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites. Because of the anonymous nature of the darknet, data harvesters are able to go undetected, monetize data without revealing their identity and collaborate with others on the darknet.

The darknet site Doxbin facilitates doxing by allowing users to upload text-based content about individuals. The site claims to restrict content that is spam, child sexual abuse material (CSAM), or violates the hosting country’s laws. However, in practice there is minimal moderation, and information is often shared with the intent to target individuals.

The exposure of PII on Doxbin can lead to severe consequences for victims, including harassment, identity theft, and threats to personal safety. Victims may also be subjected to harassment through prank calls, spam emails, and cyberbullying on social media.

DarkOwl’s own data harvesting involves collecting information from the darknet, deep web, and high-risk surface web to provide intelligence to its customers. This data is used to identify threat actors, monitor cyber breaches, analyze darknet trends, and more. DarkOwl’s data collection process combines automated, AI-assisted collection with manual analysis, with the goal of delivering high-quality, relevant, and timely intelligence.

What DarkOwl Collects

  • Darknet Data: The darknet is a layer of the Internet that cannot be accessed by traditional browsers and often requires specialized technology (proxies), as well as a certain level of technical sophistication, to access. While the darknet is made up of several distinct networks, Tor (The Onion Router) is by far the most common. In addition to Tor, DarkOwl also scrapes content from peer-to-peer networks such as I2P and ZeroNet.
  • Deep Web Data: The deep web is technically hosted on the surface web and can best be described as any content on a surface-web domain that is not indexed or searchable via traditional search engines. This includes surface web paste sites and websites that DarkOwl accesses via authenticated means, e.g. sites that require user registration and/or a login to reach meaningful content. DarkOwl collects from hundreds of ‘deep web’ sites, including marketplaces and forums, using a mixture of authenticated and manual crawlers.
  • High-Risk Surface Web: Surface web content consists of anything on the “regular” internet that is public facing, has a surface web top-level domain (TLD) and could be organically crawled by Google. This includes the landing pages and/or preview content of forums to which DarkOwl also has curated deep web access (i.e., via registration and authentication).
  • Chat Platforms: Chat platforms are any website (on the deep web or darknet), app, or service whose primary purpose is instant messaging. This includes message exchanges between individual users or groups of users who interact in topic-based channels and groups. Some chats are collected from Tor services that offer real-time anonymous chat features, others from specialized instant messaging or proprietary protocols like IRC and Telegram.
  • Breach Content: Data breaches are aggregate data files of information obtained without the owners’ consent. They can result from commercial data leaks by threat actors (TAs), either after discovery of an unsecured database or misconfigured server or through a targeted intrusion (a direct breach). Such leaks include internal sensitive email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Data breaches are often sold for profit on the darknet, although they are sometimes posted and leveraged by criminal actors for reasons other than financial gain, or in the fallout of cyber warfare between nation-state sponsored groups and hacktivists.
  • Other Sources: DarkOwl also holds a limited number of documents in its Vision database collected from misconfigured FTP and alternative DNS servers, as well as open public S3 buckets. Collection from these sources is less real-time and less targeted than the other data sources described above.

How DarkOwl Collects Data

  • Automated AI: Automated tools and AI-powered engines collect and process data in near real-time.
  • Manual Analysis: Human analysts augment automated collection, ensuring the quality and relevance of the data.  

How DarkOwl Processes and Structures Data

  • Unstructured Data: DarkOwl collects data in its original, raw-text format. 
  • Data Cleaning and Storage: Collected data is processed, cleaned, and stored in a secure environment. 
  • Entity Extraction: DarkOwl identifies and extracts entities like email addresses, Social Security numbers, and cryptocurrencies. 
  • Metadata and Context: Included metadata and source content provide context and allow users to quickly identify important data. 

Why DarkOwl’s Data is Valuable:

  • Threat Intelligence: DarkOwl’s data can help organizations identify and understand emerging threats, including cyber breaches, ransomware attacks, and fraud. 
  • OSINT Investigations: Darknet data is a vital part of OSINT (open-source intelligence) investigations to gather insights into specific individuals or groups, including their usernames, aliases, and online activity. 
  • Digital Risk Assessment: DarkOwl’s data can help organizations assess their digital risk posture and identify vulnerabilities by seeing what information concerning them is available on the darknet.
Steps individuals can take to limit how much of their data is harvested:

  1. Use privacy browsers and ad blockers
  2. Regularly clear cookies and cache
  3. Limit app permissions
  4. Use strong, unique passwords and do not reuse passwords across services
  5. Use a password manager
  6. Enable two-factor authentication
  7. Be cautious of phishing attempts

Curious to learn more? Contact us.

Threat Intelligence RoundUp: June

July 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of popularity in our newsletter, i.e. what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police arrests 20 suspects for distributing child sexual abuse content – Bleeping Computer

In a June 6 press release, INTERPOL announced the arrest of 20 suspects involved in the production and distribution of child sexual abuse material (CSAM). The international operation was led by the Spanish National Police, which initiated the investigation in late 2024 when it discovered several instant messaging groups dedicated to the circulation of CSAM. Seven of the identified suspects were arrested by Spanish authorities, 10 were arrested across seven Latin American countries, and “the remaining suspects were arrested elsewhere in Europe and the United States.” Read full article.

2. Police seizes Archetyp Market drug marketplace, arrests admin – Bleeping Computer

In a June 16 press release, Europol announced the disruption of the infamous darknet marketplace Archetyp Market in an international operation dubbed “Operation Deep Sentinel.” According to the statement, Germany, the Netherlands, Romania, Spain, and Sweden participated in a series of coordinated actions between June 11 and 13 “targeting the platform’s administrator, moderators, key vendors, and technical infrastructure.” The site’s suspected administrator—a 30-year-old German national—was also arrested in Barcelona. Article here.

Researchers have identified social engineering attacks carried out by the hacking group FIN6 (also known as Skeleton Spider) that target recruiters by posing as job seekers. In 2019, the cybercrime group, initially known for financial fraud, expanded its operations to include ransomware attacks. Since then, the group has increasingly focused on social engineering campaigns. Its most recent campaigns have been used to deliver the JavaScript-based backdoor “more_eggs,” which “facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.” Read more here.

Researchers at Google Threat Intelligence Group (GTIG) have observed a suspected Russian state-sponsored threat actor impersonating U.S. Department of State officials. From April through June 2025, the threat actor has targeted “prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs).” After setting up the ASPs, the victims were instructed to share the ASP passcodes, thereby providing the threat actors with access to their emails. Read here.

5. New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack – The Hacker News

Researchers at Cisco Talos have observed a newly identified data wiper malware dubbed “PathWiper” targeting a critical infrastructure entity in Ukraine. According to the report, “the attack was instrumented via a legitimate endpoint administration framework,” suggesting that the attackers had access to the administrative console “that was then used to issue malicious commands and deploy PathWiper across connected endpoints.” Based on the observed tactics, techniques, and procedures (TTPs), it is assessed with high confidence that the attack was carried out by a Russia-nexus advanced persistent threat (APT) actor. Learn more.

6. Hackers switch to targeting U.S. insurance companies – Bleeping Computer

Researchers at Google Threat Intelligence Group (GTIG) have warned of hackers targeting insurance companies based in the U.S. GTIG is aware of multiple breaches impacting American companies “which bear all the hallmarks of Scattered Spider activity.” As highlighted by BleepingComputer, Scattered Spider is known for its sector-by-sector focus; the recent targeting of insurance companies signals that “the insurance industry should be on high alert.” Prior to the recent insurance industry breaches, Scattered Spider was observed targeting retail organizations in both the U.K. and U.S. Read full article.

7. Iranian man pleads guilty in US to 2019 Baltimore ransomware attack – Reuters

An Iranian national has pleaded guilty to participating in RobbinHood ransomware attacks between 2019 and 2024. Sina Gholinejad, 37, was arrested in January 2025 at Raleigh-Durham International Airport. In a statement, the DOJ said that one of the attacks, against the city of Baltimore, “cost the city more than $19 million from damage to computer networks and disruptions to city services including the processing of property taxes, water bills, parking citations and other revenue-generating functions lasting many months.” Read full article.

8. BidenCash carding market domains seized in international operation – Bleeping Computer

On June 04, the U.S. Department of Justice (DOJ) announced the seizure of “approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace.” As highlighted by BleepingComputer, the domains were seized as part of an operation led by the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), with support from the Dutch National Police. The marketplace’s domain currently redirects to a U.S. law enforcement-controlled server. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Iran and Israel Darknet Updates

Updated June 22

On June 22, DHS released a National Terrorism Advisory System Bulletin highlighting the possible threat to the United States as a result of the ongoing conflict in Iran and the U.S. strikes on key nuclear sites in Iran.

The bulletin highlighted the following risk:

DarkOwl continues to monitor the dark web and particularly Telegram in order to see what the reaction has been from hacktivist groups.

Despite the warning from DHS, DarkOwl has not observed a large increase in claims of U.S. victims from known hacktivist groups in the wake of the U.S. strikes on Iran, although this could change.

Several of the pro-Iran/Muslim groups made posts commenting on the U.S. strikes in Iran, although the reaction did not appear as strong as it had been to the Israeli attacks the week before. No posts in our collection were identified threatening the U.S. directly, although as shown below there were some U.S. victims. This appears to differ from how the groups reacted to previous military interventions.

Groups shared images of the tweets and Truth Social messages posted by President Trump to announce the military action. In this particular channel, however, there did not appear to be any commentary on the announcement; some of the posts were simply translated into Arabic.

The same channel also posted information relating to a response from Iran’s Atomic Energy organization. Again, these posts were made without commentary.

Some groups appeared to target U.S. organizations with DDoS (Distributed Denial of Service) attacks in retaliation. Group 313 claimed that it had taken down Truth Social. This was not corroborated, and other reports indicated that the site was down because of users trying to access up-to-date information. The group also shared media reports about the downtime.

Another hacktivist group, Keymous+, shared a number of U.S. targets which it claimed to have hit via DDoS. It was unclear why those specific targets had been selected.

Another group, Mr. Hamza, claimed to be targeting the U.S. Air Force. However, it did not show any evidence of the attacks or of their success.

The same actor shared a further post in which they claimed that they had targeted the FBI. As part of the post, they shared the hashtag #OP_USA, which would indicate they are conducting a targeted operation against US entities.

President Trump has now stated on social media that there will be a ceasefire between Iran and Israel, and channels are sharing his Truth Social messages. At the time of writing none of the hacktivist groups appears to have reacted to the announcement. However, other channels, predominantly used to share right-wing messaging, are declaring that Trump has ended the war.

Updated June 20

As tensions continue to mount between Iran and Israel, with both sides launching multiple missile attacks, groups on the darknet, and specifically on Telegram, continue to mount their own digital attacks against the opposing side.

Last week we covered the outbreak of the war between Iran and Israel; here we review how the conflict has developed online.

Telegram continues to be used by both sides as a means of sharing breaking news stories, including about areas that have been targeted. One image recently shared shows an explosion in the Haifa region of Israel.

However, there have also been multiple reports of disinformation and fake videos being shared online, with computer game footage and images from previous conflicts being passed off as current and, in some cases, appearing to exaggerate the damage being inflicted.

Groups from both sides of the conflict have sought to target organizations and websites within the opposing country. The groups share information about their victims and the method of attack on their Telegram channels, and allegedly successful attacks are usually reshared by other groups with the same outlook.

The Iranian cryptocurrency exchange Nobitex was reportedly targeted by the pro-Israeli hacktivist group Predatory Sparrow. Iran’s largest cryptocurrency exchange suffered a major hack on June 18, with cybersecurity researchers reporting that around $90 million was sent from Nobitex wallets to addresses associated with the hackers. The group shared reports of the hack on its dedicated Telegram channel.

As is common with other hacktivist groups, those reporting attacks on organizations and websites have been using AI-generated images to publicize their posts on Telegram. Although these are clearly AI-generated, it does highlight how this technology could be used for other purposes.

As well as the DDoS attacks being promoted on Telegram, DarkOwl analysts have identified an increase in data leaks, allegedly from both Israeli and Iranian organizations, being shared on the dark web. These are being offered for free as well as for sale and claim to contain PII relating to individuals associated with the organizations.

A number of the groups also appear to be coordinating and conducting attacks together and forming alliances. The majority of these alliances were created in response to the October 7 attacks, although new groups have emerged.

As well as sharing information about their cyber attacks, some of the groups are also discussing current events and the role that the U.S. could take in the conflict. Opinion is split along country lines.


Keep up to date. Follow us on LinkedIn.

Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

June 23, 2025

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market, it was the market. With roughly 600,000 users and around 3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $250–290 million in illicit goods, making it a titan among darknet marketplaces.

From June 11–13, 2025, Operation Deep Sentinel, led by Germany’s BKA and supported by Europol, Eurojust, Homeland Security Investigations (HSI) and law enforcement from five other countries, executed a coordinated takedown. Servers were seized in the Netherlands, digital assets were frozen, and the suspected site administrator, a 30-year-old German, was arrested in Barcelona. In addition, authorities confiscated millions in cryptocurrency, luxury vehicles, phones, and drugs in sweeping raids.

A curious twist: law enforcement published an animated video at operation-deepsentinel.com, loosely depicting the takedown. Many speculate the video served less as documentation and more as a taunt to the dark web community. 

Confusion swirled on dark web forums when the site went offline under the guise of “maintenance”, a classic precursor to an exit scam. Then came an even stranger development.

Before any official press release, a post appeared on the dark web forum Dread, allegedly from Archetyp’s administrator. It claimed the site was down, the admin had been arrested, and he had already been released. Users were quick to point out the implausibility of the story, especially the idea that a darknet market admin could be arrested, released and back on the dark web within 24 hours.

This raised an intriguing question…

Adding to the mystery, both the Dread post and the animated video referenced a “Deadpool”, a betting pool on when Archetyp would go down. Was this an inside joke among investigators? A psychological tactic to sow distrust?

Based on chatter in vendor “proof-of-life” posts and on site mentions, Abacus and Drughub are emerging as the likely successors to Archetyp. Abacus, while notoriously difficult to access because of aggressive CAPTCHA and account requirements, is seeing a surge in mentions.

Only time will tell which market takes the title. 

Despite massive seizures of drugs, crypto, phones, and vehicles, the takedown is a setback, not a solution. Darknet operators are nimble and decentralized, and are already whispering across Telegram, Signal, and encrypted forums.

Still, for a brief moment, the shadows flickered. 
And one of the internet’s most notorious drug markets is down.


Stay up to date. Follow Us on LinkedIn.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.