Author: DarkOwl Content Team

July 09, 2024

The KeyNorth Group hosted DarkOwl’s Director of Intelligence and Collections for an exclusive community webinar in May. We are excited to share the transcription of the presentation below.

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.
In this session, Erin covers how darknet data:

• Enhances OSINT investigations by unveiling hidden information
• Strengthens our ability to combat cybercrime and protect individuals and organizations
• Enhances threat intelligence and helps maintain a safer digital ecosystem
• Is utilized in identity theft, fraud, compromised accounts and other real-world examples

---

Lorena Rivera (KeyNorth Group): I’m pretty sure you all recognize DarkOwl as a worldwide provider of darknet data. Some of you know they’re working, providing data for government agencies as well. So today we are really happy to have Erin, Director of Intelligence and Collections at DarkOwl. Erin has more than 10 years of experience working in intelligence and conducting closed-source and open-source investigations. So, without further ado, please join me in welcoming Erin.

Erin (DarkOwl): Thank you. And so, thank you everybody for joining today. I really appreciate you taking time out of your day to learn a little bit more about the dark web. What I’m gonna cover in the session today is a bit of the background on of what is the dark web? And why is it important? And then I’m gonna go through some use cases and real world examples.

As Lorena said, if anyone has any questions throughout, please add them in the chat and I will be more than happy to answer them as I go along.

I’m the Director of Collections and Intelligence at DarkOwl, and I’ve been an intelligence analyst for over 12 years. I worked for the UK Government before working for a number of other companies doing OSINT investigations.

Just to give you a bit of background before we dive into the dark web information, I just wanted to give you a little bit of information about DarkOwl. We are a dark web company and our primary goal is to collect as much darknet data as possible that is relevant to use cases of criminal activity and make that available to individuals through our Vision platform and our APIs. We’ve been around since 2012 and pioneered that darknet collection, so we have a lot of historical data as well as the most recent data that’s available and you can view that through our Vision platform and also through APIs and datafeeds. If anyone would like to know more about DarkOwl again, please add it into the chat and we’d be more than happy to talk you through that.

Jumping into the main event of what we’re talking about, let’s start with what is the darknet and how is that different to the surface web and other things that we’re able to to view? So, no OSINT presentation is complete, I feel, without showing some kind of an iceberg. I feel like everyone does that these days, but it really does demonstrate the different levels of the Internet and the different areas that we can kind of examine.

The surfacenet is websites that we use on a daily basis, they’re indexed by search engines, and you know you can go to Google, you can go to Bing and search for something, and that information will appear for you. So, it’s very easy to access. And the deep net is content that is accessed via a login or behind some kind of wall. So, its credential protected or it’s a database, so it’s not commonly indexed by those search engines. And then the darknet is a hidden service where you need to download software in order to be able to access it and it’s not indexed. It’s a lot more difficult to find URLs. URLs are a random string of characters and numbers, and therefore it’s not an intuitive process to search through it. Although we are a darknet company and that is our primary focus, we do actually collect data from across these three areas and as long as they are relevant in terms of treat actors are accessing them or nefarious activity is taking place.

So with that said, let’s delve into the dark web and what can be found there. So, this gives you a brief history.

And so, the dark web has been around since the early 2000s. It was actually created as a project by the US government in order to share information in an anonymous and secure fashion, but it was released to the public in around 2006 through the TOR project. The TOR project is a not-for-profit organization that manages Tor or the Onion router. It manages the software, and it creates a tunnel for individuals and to access and remain as unknown as possible. The way tool works is it goes through three relays and so you will start on your computer. You’ll type in a message, it will go through three different relays and come out at where you’re attempting to go. So it makes it a lot more difficult to track that traffic.

It is worth noting, and I’d like to point out, that although there is a lot of nefarious activity on the dark web, there are also legitimate uses for it. A lot of individuals that are in countries where their internet access is restricted and the types of sources they’re able to access is restricted, can view some of those things through the dark web. You know, there are news organizations and social media platforms that do have websites on the dark web that people can access, but it is also, as you know, we all know and why we’re here, a place where nefarious activity does take place.

And in the mid 2000s, that was when we started to see marketplaces emerging with cryptocurrency being created that gave people a more anonymous way to transact on the dark web. We’ve started to see data breaches and information being shared there and we can see certain groups not just kind of criminal activity but extremist activity and terrorism activity taking place on there as well.

But law enforcement have started to crack down on this and have been able to and see some of the sights, starting with Silk Road and Alpha Bay. And you know, as recently as two weeks ago, BreachForums were seized. So there’s a lot of information that’s gone. This only shows up to 2020, but obviously you know it’s still a very active place.

So, what can actually be found there? So, I kind of already mentioned, information and social media is available on the dark web, but the things that we’re probably more familiar with people talking about and more relevant to us are things like dark web marketplaces, where drugs, counterfeit goods, data is freely available and for sale. We have forums and where threat actors are discussing and talking about things and usually also selling goods. We see a lot of data leaks and ransomware sites on the dark web, so ransomware walls of shame, we should say, and are available in dark web. And then there’s also a lot of cryptocurrency activity on there. So, things like mixers and tumblers, which help users to obfuscate and their cryptocurrency more so, although there are still ways that you are able to kind of follow that money.

So, to show you some examples of what this actually looks like here are some things that I found on the dark web just kind of give you a flavor of what it looks like.

You can see, even though it’s not indexed and it’s more difficult to find, there are websites that are set up like any other websites that you would see on the surface web. They have reviews, they have payment systems, they have login information and captchas, etcetera. So, here you can see we’ve got a site that’s selling human organs, which I like to think is not real, but it definitely exists out there. We have people selling drugs. We can see people selling and IDs and counterfeit documents as well as selling cash payments and things like that and then going on to the next one.

These are what some of the marketplace homepages look like. So, you see a lot of advertisements. You can see the different types of cryptocurrency Minero, Bitcoin, Dutch, White Coin that are being affected. They do accept a wide range of cryptocurrencies, although Bitcoin is still the dominant currency of choice. You can see credit cards, counterfeit money, and data being shared on all of these sites. So, there’s a huge amount of information out there and it is kind of set up in a way that people can go in and select what they want. You can see the different categories there and how many listings there are for those different categories, and then you can go in and purchase that information and they do tend to ship worldwide.

As well as those specific dark web sites and forums that you get on TOR and Onion, we do also look at dark web adjacent sites. They are the sites we refer to and which are not on the dark web themselves, but they are still being used by the same individuals and in the same nefarious ways. So, looking at things like messaging apps and Telegram is obviously huge at the moment, but we also see things like ICQ, jabber, matrix, element, rocket chat where we’re seeing extremist activity being discussed and criminal networks are operating in announcing activities. That’s also true of some gaming app. So, while there’s a legitimate purpose for that and you know we do see information being shared on things like Discord and Twitch. Obviously, famously, government U.S. was leaked on Discord, so they do try to clamp down on that activity since that happened.

And then also a lot of threat actors will use the surface web to have their marketplaces, their vendor shops and their forums. And they feel that if they are using bulletproof hosting that it can’t be taken down, and especially if they’re in non-extradition company countries, they often feel that they don’t need to use the dark web as that extra level of security. So we do see marketplaces, forums, vendor shops that appear on the surface web and things like Doxbin, and Paste bin, where information was shared as well. So we do collect from all of these different areas as well as from the dark web itself.

So just to kind of summarize that, there’s a lot of data that comes from the darknet and so you know there’s a lot of raw data, and there’s a lot of new things that we’re seeing emerge. So PII (personal identifiable information), I think is the main one that people are concerned about. Data leaks are being sold on a daily basis. They do include some very sensitive information in them as well, as you know some more generic things such as emails. You can get banking and transaction information as well as credit card data. We do see a lot of financial apps being transferred as well. So, accounts such as Cash app and Zelle and others are being transacted all the time. Corporate data, this is especially true with ransomware data,and where they’re basically just take everything they can from a victim and make that available.

We also see a lot of threat actors selling malware and toolkits, and then obviously ransomware as a service as well as selling those tools, we also see a lot of tutorials and that individuals on how to conduct attacks and you know the more traditional kind of script kiddies where they’re able to purchase these tools and instructions on how to use them and use them very successfully. Especially when those credentials are out there and that’s the easiest way for cybercriminal to get into a network or get into where they want is to have credentials rather than having to kind of use and exploit to get in there.
But we are also seeing more cyberattacks happening, DNS hijacking, cyber espionage. Although it’s harder to identify and as hacked to this, groups and others are kind of getting more into that realm and the line I would say is blurring for some countries between stay actors and criminal actors and that from the same area we are seeing some overlaps with that. And of course, there’s always DDoS attacks and cyber threats.

So, just to give you an idea of the landscape and how it works, these are different areas that we collect from everything that is highlighted in red are the areas where we focus.

But there are other areas out there, so I’ve mentioned Tor primarily, and that’s the one where we see most activity occurring. There are other Darknet software providers out there. So, we do also collect from I2P and ZeroNet. We have heard from some of our law enforcement partners, ZeroNet is actually, and I2P are increasingly being used for CSAM material, but TOR is still primarily used by most threat actors. But Freenet, Loki, Unigrid, Mysterium they are also available. We don’t see the same level of activity happening on those and the same chatter about them. And so, we don’t kind of direct our resources there, but should that change, we would increase our coverage of those areas.

I’ve also mentioned the high-risk surface web areas. So ,things like paste-sites and discussion boards and there are a lot of extremist activities and protest groups and that are using violent means rather than peaceful protests that are discussing information on discussion boards. So, we want to make sure that we’ve got coverage of those and then the deep web also. We do avoid social media and there are a lot of other companies out there that do that and in such high volumes – we do try to target our collection to dark web and also messaging apps. Telegram is huge for us and we collect from almost 5000 channels. Those are curated to make sure that they’re relevant, and we do add new channels all of the time. But we are seeing a huge volume of actors using Telegram as a way of communicating. And I already mentioned BreachForums being seized a couple of weeks ago and as soon as that happened, you know, and interestingly, one of the Telegram channels was taken over as well. But we did see new Telegram channels popping up. That was how the treat actors were communicating. That was how the new Onion address for BreachForums were shared, and so it’s definitely very much intertwined. We will see a lot of ransomware groups and marketplace vendors have a Telegram ID on their dark web marketplaces, advertising that as a way to talk to them, as a way to do escrow payments and things like that.

Lorena: So you have this all these different sources. Where or how do you store all the data?

Erin: We store the data in the US, we use a AWS, so it’s all US based. We collect that information and host it with AWS.

So why is dark web data important? Hopefully you are already getting a sense of that, but one of the things I always say as analyst is different bits of data or different tools are one tool in the toolbox and you need to bring everything together to to be able to get a full picture. So, darknet data is definitely one element of that OSINT investigation that should be looked at. And corporations are being talked about, individuals are operating and discussing. You can get pattern of life information. You can get identifiers and also you can learn about what illicit activities are taking place. You know what the trends in terms of different malware or different attacks that are being talked about? Who are the primary targets? And it can really help law enforcement understand how groups are operating, and it can help corporations understand how they should protect themselves and given things that are taking place.

Being able to access those forums, those marketplaces, those communication channels and see how these threat actors are interacting, what they’re discussing and what they’re doing and also being able to target that illicit activity and obtain that information as evidence of of what they are conducting. So, it really does provide insight into cyber attacks, data breaches and drug trafficking, human trafficking. You know, there are a wide range of activities that are taking place on the darknet, and if that information isn’t being viewed, you’re not seeing the whole picture, I would say in most cases.

So, with that said, I wanted to jump into a couple of use cases and walk you through how you can use dark web data. So, we’re starting here with a LockBit affiliate, so LockBit is probably one of the most active groups out there. They were subject to law enforcement activity, and earlier this year, unfortunately, they did come back fairly quickly and and created a new kind of leak site, albeit a little bit more rudimentary than the one that they previously had. And as a side note, I loved what law enforcement did to their leak, in terms of using how they just set it up to advertise.

But here we’re looking at one of the affiliates that was indicted and added to the sanctions list in the US. So, it was a threat actor known as BASSTERLORD and searching on that username, we are able to see because we have that historic collection and that he appears over 8000 times in our data. So, a very active user across and multiple sites, but particularly Exploit and XSS forum on the dark web which are Russian language forums, a lot of them are invite only and so you need to have quite of the access to be able to get into those and see the information that’s being discussed and we could see through those discussions and you can see an example in in Cyrillic on the right hand side of the screen discussions that he’s having with other threat actors discussing malware he’s created and the hacking operations that he has conducted. Looking at his real name and identity that was released in the sanctions. We were also able to identify that his name appeared in several leaks. So, we were able to see information about him and also identify through those leaks, some of the social media presence that he had. And as an aside, again, just because I think it’s interesting LockBit actually put out a message saying that they would give money to anyone that got a tattoo of LockBit and several people did that and posted it online and which is insane to me, but I thought I would share that it kind of gives you an idea of the communities and how they operate and also what they will do for money.

I’m sticking with LockBit and they’re filiates and the second use case. This was another individual. He was sanctioned and so again, you know, we can search on that email address and see that he appears in several leaks with his full name in Cyrillic and also his phone number. So, we’re also able to pull out user agents and things like that. So, obviously this is after the fact, he was also already identified by law enforcement, but hopefully you can see I’m trying to highlight that if you did have an email address or a phone number for a suspect being able to look at this leak data, which you know unfortunately has been stolen and shared and can be a really useful tool for law enforcement and for attribution in terms of identifying more information about an individual and obviously you’d need to validate that in other ways. A leak is only one source, and it’s only as good as you know the threat actor that’s stolen it in some cases, but it really can give you a lot of information about specific individuals based on selectors on monikers that you’re able to identify as part of your investigation.

I mentioned that cryptocurrency is the main way that people transact on the dark web, and I wanted to give you a little bit of information about how we can kind of use OSINT tools and the information that’s out there on the blockchain to look at a particular cryptocurrency address or site. This is an Onion site. I don’t think it’s surface web, called Kiwi Farms. It’s predominantly used by extremists who have fairly difficult opinions. I would say and they share those actively on the site. So, it’s a forum where individuals can share information.

So, on the left-hand side of the screen you can see our platform, Vision, where we’re able to search. You can search specifically by cryptocurrency addresses and so I searched to see where cryptocurrency addresses appeared, and then I also wanted to see what the site actually looked like. So, we do have a feature within the platform called Direct to Darknet, which you can click on, and it will show you if the site is live, what the live site actually looks like. This is what the forum looks like on the dark web. We can see that there was a cryptocurrency address that was shared on this page.

Next, I wanted to delve into that and look into it in a bit more detail. So, using an open-source investigations tool, I searched that cryptocurrency address and can see that someone had already tagged it as Kiwi farms. So, it’s actually donation address at the forum was asking for and in order to keep their site up and going. Using open-source, crowd sourced information, you could see that it’d been labeled as Kiwi Farms. We were able to verify that because it came from the site itself and you can see the total amount of cryptocurrency that they’ve if received and that most of that has just gone straight out of the account. What I found interesting in this; is I was trying to figure out where they cashed out these funds to see if you could identify who was operating the forum. There were several exchanges that were where they cashed out, so Binance, Kraken, but one of them Bovada this specific address had been listed as related to terrorist activity and so you would need to dig into that more. And again, it’s unvalidated information, but it can highlight that nexus between what is being referred to as terrorist activity and then an extremist forum. So again, really highlighting that nexus between dark web data and other OSINT information that you can use.

I felt like I would be remiss without mentioning the Israel Hamas conflict as that as something that has been very prevalent on the dark web, but primarily Telegram. Ever since the attacks in October last year,  we’ve seen a lot of hacktivist activity and also a lot of data breaches that are being shared on Telegram. These are just some examples in terms of data that’s being leaked, defacement attacks that are being promoted, but also stolen information of probably high value targets within their countries that are being added on Telegram. You can see there at the bottom there’s also a Maltego graph, we’re seeing a lot of these activist groups operating together and we’re seeing them sharing different information and mentioning each other and crediting each other in the attacks that are happening. So, it really starts to build that kind of network and of activity and that link analysis of the threat actors out there and you know, they have the defacement where they put their username, so you can associate individuals to that particular group. So, they have websites as well and some of them are also active on social media and they’ll provide that information that’s Twitter accounts or Instagram account. It provides that nexus.

I think that the other thing that was interesting with this conflict and Telegram in particular is it was a way that information was being shared a lot quicker than by mainstream media. Obviously, that needs to be taken with a pinch of salt in terms of if it is true information or not, but it was certainly a way things were being shared and very early on in the conflict. Images were being shared online of Hamas coming through fences and gates and images of hostages, etcetera were being shown. So, it is a way that people are getting media. So not just looking at the threat active perspective, but also the disinformation and especially as we come into kind of an election year, it’s something I think to be aware of.

Again, I feel like I would be remiss if I didn’t mention drugs. I’m not going to say a lot about them, but the sale of drugs on the dark web is massively prevalent, and there are many, many marketplaces where drugs are their specialty and they do provide images of the drugs, details of how to ship them and where they will ship to, how to circumvent law enforcement, finding them, how to use drop addresses and things like that. And again, this is just highlighting how we can search within Vision for particular drug information and then view that on the dark web itself and see how their advertising it and you can see some of the prices here are actually really quite low.

And another group that I wanted to mention, this is the name given by cybersecurity researchers, Scattered Spider. They’ve been very active in the last year or two and have had some very high-profile attacks. MGM Grand and Caesars Palace in Vegas are probably the largest one and they have adopted social engineering and phishing techniques very successfully. They’re quite well known for bringing up help desks and convincing people to share passwords with them, but they also can be quite violent and extreme in terms of bullying individuals once they get their phone numbers and constantly messaging them and asking them for information until they share it. They’ve also been linked to swathing activity and been linked to a kind of a wider organization on the web, and Telegram in particular, known as the “Com”.

And so, there’s quite a lot of different groups that fit into that and as well as doing cyber attacks and they’ve also been doing some pretty nasty and other attacks in times of encouraging people to self-harm and conducting other acts and which are really quite awful. But again, it gives you that insight into not only the activities that they’re doing, but also how they’re operating, the kind of personalities that they have and how they’re communicating with each other and where their motivation comes from, and we see that you know very much through a number of different and telegram and discord and channels. But then they’re also linked to very large affiliates, like Black Cat and Alf and so they use their ransomware in their MGM ground attack. This is just an example of some of the administrators of one of the telegram channels, and that is linked to the COM and Scattered Spider. And so, you see, they’re kind of hiding in plain sight and obviously their images are of them and their names are not real, but the fact that you can even see here is admins are and they’re very cocky. They have egos, I think it’s the main thing.

I also wanted to mention seeing some kind of environmental crimes. I know that that is where a lot of the audience comes from. So, these are just some examples of where we have seen environmental crimes being shown on the dark web, on forums and on Telegram as well. So, you can see an image from a marketplace that is selling animal goods, illegal animal goods such as ivory and fur. We can also see advertisements. A lot of those on forums are the things like dogfights, cock fighting, and also animals for sale, and I would say that we do see this information and it is prevalent on the dark web, but we do also see a lot of that happening on the more mainstream sites such as TikTok and Instagram. But it’s certainly something on the forums and I would say Telegram and that other messaging apps in particular areas where we’re seeing that kind of activity and channels being set up to discuss both activities as well.

And then finally, given the audience, I wanted to give a couple examples that were specific to Canada. And so, I did a really simple search to highlight some of the things that are happening in terms of looking at Canada in our data and seeing where it appeared.

You can see a couple of different examples here. One of them is extremist, anti-Semitic rhetoric from individuals that are, I assume living in Canada and the discussions that they’re having on the forum. This is the image on the left and it’s from 4Chan, which is a well-known extremist forum. In the middle, Styx Market is one of the larger markets on the dark web that sells drugs, counterfeit goods, hacking tools, etcetera. You can see here they are selling Canadian passports and drivers licenses and they’re providing it with a selfie as well so that you can use it to get around KYC controls. But we see these sold all the time and you can see they’re not very expensive. How legitimate they are? I’m not sure, but that’s the kind of thing that we see and then also you can see false information being sold. So again, for identity theft and financial fraud, fullz is all the information about the individual – it’s got employer info as well as, Social Security numbers and names, addresses, etcetera, and that obviously is the image that’s come specifically from the dark web, I think it’s DarkDock Market. You can see is where it’s come from, and so you know you can use those keywords and that information to drill down into what you’re searching for. If you need to make sure that something has a nexus to calendar or the this the area that you operate in, and you can include that in your searches to make sure that it’s returning that information. One of the things I would say about the dark web is it is somewhat anonymous and it’s very difficult to know where people are coming from and so with all kind of cyber information, it’s difficult to know if an individual is a Canadian citizen or U.S. Citizen and so that can cause challenges, but you can search on those keywords and do what you can to find that information.

Lorena: Is it possible to turn on and off services within the platform to comply with Canadian law?

Erin: So I’m not sure the specificity of the Canadian law in terms of what that refers to but what I mentioned at the end there, we make all of our data available so it would be a case of focusing your searches to fit in with what’s acceptable and Canadian law. We do follow very strict guidelines in terms of the information that we collect and how we operate and to make sure that’s legally and ethically done and we comply with things like GDPR, I know that’s more European relevant, but you know data laws are becoming a thing everywhere so that is something that we certainly try to comply with and we could work with anyone in terms of you know what laws we needed to work around to, to make sure that we can support that.

Lorena: We can imagine that the amount of data you can find changes between one language and the other. But do you have any example or experience? If you have to manage in the past Investigations where you need to use two different languages like it is an example here in Canada like French and English and what features does this platform have and how to manage these types of investigations.

Erin: Yes. We collect all of the data and as it is, and we don’t make any changes to it. I think it’s important, as investigators and analysts, to see the raw data as it was written by the individuals and not changed in any way, and that’s one of the reasons we don’t offer any kind of translation services, but we do support over 50 languages now within the platform. For example, if you were doing English and French, you could search in both of those languages to see if information was returned in French or if it was returned in English. One of the features that we have in the platform also is what we refer to as Search Blocks, you can create search terms related to specific activities and we also supply some of those within the platform, things like drugs, counterfeit goods, hacking and generic terms, but we do provide those in multiple languages. We support English, French, Arabic, Russian, Chinese, I believe German for those Search Blocks, so that’s how we add that in to be able to search in in those different languages. And I should say as well that we make every effort to make sure that the data we’re collecting is as global as possible. We do try to make sure that we collect things that are in other languages and are going to be relevant to law enforcement and corporations globally.

Lorena: Can you please expand on current tools you use to navigate search the darknet?

Erin: The main tool we have is Vision, my team it’s obviously looking and sourcing that information all of the time and part of that is reviewing our collection that we already have and seeing other marketplaces and things that people are talking about and making sure that we can identify that, review that and see if it’s worth adding to our collection. There are some lists or websites that will list Tor or Onion URLs that you can use to find information as well and so we do review those periodically. We constantly search for new URLs that are created as well within the dark web and review those to see if they are applicable and then for things like Telegram and Discord and you know we do keyword searches and we have analysts that are operating in these channels and on these sites that are seeing mentions and discussions and identifying things that way. So I wouldn’t say there’s specific tools that we used and to navigate the dark web in terms of our collection efforts, but I would say that is the primary goal of the Vision platform that DarkOwl provides is to allow you to search the dark web and in a in a safe and secure way and you don’t need to worry about sock puppets or your VPNs or your proxies, but you’re able to see all of the data that’s being shared on the dark web.

Lorena: Can the information be used as intelligence in a court of law?

Erin: So, we’ve never tested that to be honest. We haven’t been asked to do that and it is something that we would support if we could. One of the things that we ensure that we do as part of our collection is maintain all of the metadata associated with the data that we’ve collected. So we’ll have the original URL, the date that it was collected, the method that was used to collect it, and you know other things that show where we got it from and where it was stored to have that providence and data because we know that that’s important to our law enforcement and customers, but we yes, it’s never been tested. So, we’ve never been asked to present it in a court of law to date.

Lorena: How do you deal with the ephemeral nature of onion sites? Similarly, how do you like some anonymous users from different sites? Neither sites nor users will cryptographically sign their pages messages to validate identity or do they?

Erin: The ephemeral nature of Onion sites, it’s just constantly reviewing them. They do go up and down. Because of the coverage that we have, we’re able to quickly identify when new sites are created or if they changed. A lot of the sites as well will also provide a list of validated mirrors and information as such as that that we will record. We do maintain a database of all of the sites that are most relevant, and the mirrors associated with them, but it is a constant thing to be able to kind of keep on top of that and how they’re moving. And as I mentioned, being part of those communities with anonymous accounts allows us to see what people are talking about and what the latest trend is.

And in terms of the anonymous users and I’m not sure, I got that entirely. But I think what you are asking is how do we know that individuals are who they say they are? And I think basically we don’t, we do see a lot of threat actors that will use PGP keys in order to validate the messages that they’re sharing. And you know, we’ve seen that with the administrators of breach forums and others and where they’ll put messages on Telegram, and they’ll sign it with a PGP key and they’ll have a website that that validates it. So, you can do that in in some ways, but I think you know very nature of the dark web anyone can create an account. You know some of these forums they do validate their members in terms of they’re trying to weed out law enforcement or cyber security professionals. So, they do make you come up with the back story and things like that. So, it can be difficult to access these sites, but I think the nature of it is you’re not necessarily going to know exactly who they are. They could be using multiple usernames; they could have different usernames across different platforms, and you know that’s one of the reasons they use it. My experience though has been – when it comes to attribution, a lot of these threat actors make mistakes and you know they may in some way connect a username to their true identity and that’s where things like leaks can be really beneficial or you know if there are on X or something like that, they have the accounts for a really long time sometimes you can identify phone numbers or email addresses that are associated with them. So, I’m not sure that really answered the question, but I think it’s the very nature of the dark web and the way that these user names are set up, it’s difficult to know exactly who they are and to validate who they are.

Lorena: How do you know a user for example, Baster, is same person on two different sites at and not a second person impersonating the first one.

Erin: Yeah, there’s no way to know that really. I think the only way to know that really would be with human analysis of interacting with them on both forums and seeing if there’s any similarities in language and things like that and if they’re using the same information, but it could, it could very well be an impersonation. They do try to validate some of the larger actors, more prevalent actors, where they’re operating and what they’re doing. I would say the dark web is very much built on reputation, and the threat actors like to show off and say what they’ve done and where they’re active and where you can get information from them but with all kinds of investigations, you need to validate that data and you have to view it with some skepticism. And so, unless you have, followed evidence that the suggests they are the same individual is gonna be difficult to do that.

Lorena: Are you using any generative AI or AI in general as a part of your platform or across the research you do?

Erin: Yeah. So, I think AI is definitely the buzzword of the moment in terms of everyone is jumping on that bandwagon and I personally think AI is really useful and a really exciting development and I think a tool that can definitely assist analysts in terms of their investigations with helping to write scripts and review images and things like that, I’ve seen a lot of demonstrations of how it can be beneficial and I’ve used it in some capacities myself. We don’t currently have it available in Vision through the tool. It is something that we are analyzing in terms of how we can use AI to best enrich our data and the information that we have. We don’t wanna rush into it in terms of adding just AI for the sake of AI. We want to make sure that it’s something that is beneficial to our users and so and as I said, we’re analyzing it and seeing what the best approach is. But you know, I can certainly think of some ways in terms of, to that previous question of threat actors, of having it analyze language patterns and things like that to see if there are correlations. Being able to identify particular attributes within kind of the data that we’re collecting, etcetera. So yeah, not something that we currently support, but definitely something that we are actively looking to support in the future.

Lorena: How can users on the dark web trust each other and coordinate?

Erin: I don’t think they can trust each other. To be honest, I mean, these groups are very nebulous. You constantly see chatter between these groups, accusing each other of being FBI agents or other law enforcement. They all think that people are watching them, which is probably true. And so I think the way that they probably grow those relationships that we see is, is taking the conversations and the communications to more direct messaging. So, something that we wouldn’t necessarily have site of recovery job, but I as I kind of alluded to before, a lot of it is built on reputation and trust and there are reviews. So, for instance, if you’re a seller of malware or drugs or something like that, people leave reviews. And if you haven’t spent, if you’ve stolen the money and not sent the goods, that will be reflected. If you have sent something that’s not good quality, you’ll get those reviews as well and these threat actors can be pretty and vindictive. So, you know, you do get people getting doxed all of their information being shared and being accused of, of certain things, their personal addresses being put out on the Internet. And you know, there have been cases of real-world attacks where someone will say this person lives here and they have this much Bitcoin and people have tried to kidnap them. So, I think they you can’t really trust anyone, and you have to be very careful. But that’s kind of the community and the activity that they enter into, to be honest.

---

Check out our 1-Pager on why darknet data is important in OSINT investigations.

July 08, 2024

In celebration of National Video Game Day on July 8^th, this blog examines the intersection between gaming and darknet communities, notably instances of criminal activity targeting gamers or carried out by gamers themselves. This blog will highlight the prevalence of hacking in gaming communities—stolen accounts, pirated games, leaked data, etc.—as well as the infiltration of violent extremist ideologies into certain gaming communities. Our previous blog looking at the intersection of streaming, gaming, and the darknet can be found here.

Hacking: “Cracked” Accounts, Pirated Games, and Gaming Leaks

Open-source research reveals an extensive game-hacking community on the deep and dark web. The community consists of individuals on forums, channels, servers, and marketplaces that target gamers and gaming software to gain unauthorized access to systems and accounts. The targets of these hacking efforts most often include user accounts on a variety of online games, notably League of Legends, Minecraft, Fortnite, and Roblox. Hackers may “crack” accounts by utilizing usernames and passwords previously leaked in data breaches or by targeting young or naïve players through chat features. These “cracked” accounts are subsequently sold on the darknet, where their prices are determined by factors such as account level, collection of rare characters, amount of in-game currency, or inventory of in-game items (such as collectable character “skins”).

Figure 1: Genshin Impact account for sale; Source: DarkOwl Vision

Recent data points to an increase in compromised accounts over the past few years across several games. Figures released in 2024 revealed that Roblox, one of the most targeted online games, saw a 231% increase in hacked accounts in 2023 compared to 2021. In addition to the games themselves, gaming platforms such as Steam have also been increasingly targeted; these accounts are often even more appealing to hackers as they may be linked to credit cards and can thus allow for real-money theft as well as in-game currency theft.

In addition to hacking users’ gaming accounts and selling them on the dark web, hackers also target the games themselves. “Cracked” or pirated games are frequently distributed by hackers on the darknet either for free or at a reduced cost. Not all games, however, are hacked with the intention of distributing pirated software; malicious actors also target game servers in the interest of leaking data. In June of 2023, for instance, hackers carried out a cyberattack against GSC Game World—the Ukrainian video game developer behind S.T.A.L.K.E.R 2: Heart of Chernobyl—and leaked builds from the game online. GSC Game World was also targeted by Russian hacktivists earlier that year, who threatened to release game data if their demands were not met by the developer. It’s worth noting that the malicious actors who engage in these leaks are not always hacktivists. Most recently, in June of 2024, Disney’s Confluence server was hacked by individuals believed to be fans of the massively multiplayer online game (MMO) Club Penguin. The hackers stole 415 MB of Club Penguin data from the server and the data was subsequently shared on 4chan.

Figure 2: Cracked Gaming Websites; Source: Dark Owl Vision

Unfortunately, game leaks are not always limited to game data. While the Club Penguin fans targeted data related to the game, they also stole and leaked internal, business-related Disney data. There have been other instances in which hackers have stolen and leaked not only the targeted company’s business data, but also its employees’ personal information. In 2023, the ransomware group “Rhysida” leaked 1.67 TB of data stolen from Insomniac Games, which—in addition to footage and images from the upcoming Wolverine game—also included employees’ personal information. Specifically, the leak included passport scans and HR files, thereby resulting in the doxing of more than 400 Insomniac Game employees.

Infiltration of Violent Groups into Games and Gaming Platforms

In addition to continued hacking efforts, online gaming communities have been increasingly targeted and infiltrated by violent groups and individuals seeking to harass, extort, radicalize, promote hate, and inspire acts of violence. These violent extremist groups have successfully co-opted gaming aesthetics and features—such as leaderboards and livestreams—in an effort to gain supporters. For instance, the white supremacist “Terrorgram” network on Telegram consistently posts “Saints Calendars” and “Saints Cards” meant to commemorate individuals—dubbed “saints”—who have carried out far-right attacks. The militant accelerationist group engages in the gamification of violence by releasing saint cards in the style of trading cards and including details such as “kill counts.” The more victims a terrorist claims in an attack, the more “points” they receive and the more likely they are to receive the “saint” title.

Moreover, as highlighted in a 2023 Global Network on Extremism & Technology (GNET) report, this gamification is further achieved by the repeated live streaming of mass shootings, which allows viewers to experience the attack from a first-person shooter (FPS) perspective often utilized in games. This visual choice—as seen with the 2019 Christchurch attacks—can facilitate viewers’ identification with the perpetrator while simultaneously emotionally distancing them from the victims. The sheer reach of livestreamed attacks (the 2022 Buffalo shooting was viewed “more than 600,000 times in less than 24 hours”), combined with their ability to generate a connection between perpetrator and viewer, threatens to radicalize more individuals and inspire similar attacks.

Apart from the adoption of gaming aesthetics and features, the gamification of violent extremism is made even more apparent by the actual creation of new or “modified” violent games by extremist groups and individuals. Open-source research on the deep and dark web reveals a slew of video games created since the early 2000s which allow players to target at-risk communities. Targeted groups most often include the Jewish and LGBTQ+ communities, with the 2002 anti-semitic video game Ethnic Cleansing being one of the notorious. Many of these games also recreate previous attacks—including the Christchurch shootings and the Pittsburgh synagogue shooting—in existing games like Roblox. Such modifications of existing games are referred to as “mods.” Other than white supremacist groups and individuals, Foreign Terrorist Organizations (FTOs) including ISIS and Hezbollah have also created extremist video games meant to radicalize and inspire. While it is believed that the vast majority of these games reach a self-selected audience with an existing interest in violent extremism, they may nonetheless play a key part in further radicalizing individuals and bringing them closer to carrying out attacks in the real world.

Figure 3: Antisemitic Video Game; Source: Dark Owl Vision

In addition to the creation of extremist video games, gaming platforms used by gamers to communicate have also been infiltrated by individuals seeking to identify targets for radicalization and exploitation. This targeting is particularly prevalent on the darknet adjacent platform Discord, where there have been numerous instances of children being groomed for violence and/or sexual exploitation. Among these violent groups is the notorious web of Discord servers originating from, or affiliated with, the group “764,” which has become increasingly active since late 2023. The 764 network overlaps with violent extremist and militant accelerationist movements—notably the Satanist, neo-Nazi group Order of the Nine Angles (O9A). In September of 2023, the Federal Bureau of Investigation released a Public Service Announcement warning of the 764 network’s ability to use “extortion and blackmail tactics, such as threatening to SWAT or DOX the minor victims […] [to] manipulate and extort minors.” Victims are often pressured to engage in self-harm and animal cruelty, share sexually explicit images or videos, and commit suicide. Members of affiliated Discord servers and Telegram channels have also been observed engaging in mass swatting and doxing efforts, most often targeting one another.

Conclusion

Open-source research reveals overlap between gaming communities and criminal activity on the deep and dark web. Instances of hacked gaming systems and accounts remain prevalent, with recent figures highlighting an increase in hacked gaming accounts over the past few years. Gaming platforms have proven to be desirable targets for hackers seeking to sell cracked accounts and engage in real-money theft. Hackers also continue to successfully carry out cyberattacks against video game developers, often releasing company data and employees’ personally identifying information (PII) in ensuing leaks. As such, it is recommended that organizations be on alert for any possible leaks affecting their data.

Research also points to a persistent infiltration of violent extremist ideologies into gaming platforms. Many gaming communities have become hotbeds for violent extremist groups and individuals, who utilize chat-enabled online spaces to promote violent narratives and radicalize users. Young gamers are particularly vulnerable to radicalization and recruitment efforts, as evidenced by numerous instances of teenagers being groomed for violence and sexual exploitation across multiple platforms. Continued reports of harmful and criminal activities carried out by individuals in the gaming space signals a need to address the rampant exploitation of gaming by criminals. It is critical to emphasize that these activities do not represent the entire gaming space: for many, gaming is a key source not only of enjoyment, but of community. In an interconnected world, online games have the ability to bring together individuals from around the world and foster a sense of belonging. So, rather than vilifying gaming communities, it is vital that steps are taken to address the infiltration of criminal activities, hate, and violence in order to combat the victimization of gamers.

---

Don’t miss any research from DarkOwl analysts. Subscribe to email.

July 02, 2024

At the beginning of 2024, the National Institute of Standards and Technology (NIST) issued a warning about cybercriminals and other nefarious actors using Artificial Intelligence (AI) and Adversarial Machine Learning technologies to enhance their malicious operations. There are, of course, state-sponsored threat actors and actor groups who are also focusing on the malicious use of AI in their operations. These include Russia’s Fancy Bear a.k.a. Forrest Blizzard, North Korea’s Kimsuky a.k.a.Emerald Sleet, and Crimson Sandstorm.

DarkOwl, leading experts of the underground digital realm, witnessed threat actors of both groups (state-sponsored and government agnostic, independent actors) actively trading tips on various dark web platforms about the best AI tools to use, as well as effective tactics, techniques, and procedures (TTPs). Throughout the first part of 2024, threats to security stemming from AI have been frequently discussed, and tools were sold on the dark web and dark web adjacent chat platforms, such as Telegram.

This blog aims to take a high-level look at the types of conversations threat actors are having, as well as the tools they are selling, to carry out their mission(s) using malicious techniques and AI tools, so that we can best share the typical uses of AI in malicious operations.

AI trains on massive amounts of data, so a logical threat to begin with is data poisoning. This involves manipulating the information used to train systems, because what is put in shapes the output. Malicious actors intentionally inputting erroneous, biased, or hateful data spreads misinformation, degrades overall performance, and results in biases that can divide and harm society. Online groups have been observed attempting to poison information to produce pro-extremist, pro-violence, pro-war, racist and misogynistic related themes and output at large scale, using AI tools:

Figure 1: A March 2024 Telegram user claims that training AI to only produce material that society claims is acceptable is not the goal, and that they want [sic] “uncut, explicit, super controversial content”; Source: DarkOwl Vision

Figure 2: A Telegram user posts that Google’s Gemini tool is being fed “woke” material to spread diversity to society; Source: DarkOwl Vision

Extremist views regarding AI, and what these extremists view as countering “wokeness” are discussed across 4chan, Discord, and the aforementioned Telegram platform, as well as on underground forums.

A separate threat concerns prompt injection, which helps shape the output of AI systems by feeding a system meticulously crafted prompts or cues. When prompts are malicious in nature, this results in malicious output. Incidents involving this could include prompting a system to reveal sensitive, personal data:

Figure 3: A Telegram user discusses a prompt injection game in February, 2024, with the intent of getting AI to give away “sensitive data”; Source: DarkOwl Vision

Or prompting a system to output racist/sexist hate speech based on biases and maladaptive thinking:

Figure 4: A 4chan user discusses the possibility of using a racist LLM to call out certain groups of people in April, 2024; Source: DarkOwl Vision

Specific, Named Tools Used to Carry Out Malicious Activity

Nightshade, mentioned in the figure below, is a specific tool discussed and sold on the dark web as well as its adjacent platforms. Nightshade arose as a vehicle to help content creators prevent their content from being automatically included into generative AI. Nightshade turns images into “poisoned” samples. If AI using images to train does so without the artists’ consent, or without respect to copyright, these “poisoned” images introduce unexpected and abnormal behavior, changing the image output and introducing errors, degrading the accuracy of the output. Nightshade is considered an offensive tool:

Figure 5: Users in a Russian telegram channel discuss the Nightshade AI tool in February 2024, specifically and intentionally used for data poisoning; Source: DarkOwl Vision

WormGPT emerged as one of the most public, malicious adaptations of an AI model. Unlike other AI tools, the author of WormGPT included no limitations to the tool, which means WormGPT users can use it for malware generation, among other criminal operations. Protective efforts toward another emerging threat, which is automated malware generation, also have a large presence on the dark web and its adjacent platforms. Since inception, certain language models have proved a limited proficiency in computer coding/programming. The more these initial efforts are corrected, trained, and improved, the better the models get at producing malware, and increasing the attack surface. As of now, the cost for many AI tools online is not super expensive, allowing for high sales volume and elevated use:

Figure 6: A Telegram user advertises Worm GPT for sale for $17 USD in April, 2024; Source: DarkOwl Vision

Figure 7: A user on a criminal forum asks for help procuring various malicious AI tools (while reviewing their capabilities) in April, 2024; Source: DarkOwl Vision

Conclusion

Protecting systems from malicious AI and enhancing overall security features is still a work in progress when it comes to AI and machine learning in general. The good news is that as quickly as the discussion and implementation of AI tools emerged, simultaneous conversations occurred surrounding the security and protection of these AI tools and systems. The traditional cybersecurity threat intelligence community, still grappling with protecting traditional cyber platforms and tracking bad actors, immediately set to work issuing warnings about the threats facing AI. However, the essential need for this was recognized, and conversations are happening at every level to properly protect AI and machine learning while taking advantage of its benefits.

---

Don’t miss any research from DarkOwl. Subscribe to email.

June 28, 2023

Earlier this month, DarkOwl participated in ISS World Europe in Prague. ISS World Europe prides themselves on being “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl this year at ISS World Europe was David Alley, CEO of DarkOwl FZE based in Dubai, Magnus Svärd, Director of Strategic Partnerships, and Caryn Farino, Director of Client Engagement, both based out of DarkOwl’s headquarters in Denver, CO.

As is the norm at ISS Prague, the networking opportunities with current clients, partners, opportunities and net new prospects alike are well worth the travel across the pond. The team saw great international attendance and interest this year, with visitors to the booth from Sweden, Germany, Italy, Turkey, Hungary, The Czech Republic, Serbia, Spain, South Africa, Latvia, Lithuania, Estonia, The Netherlands, France, UK, Poland, Ukraine, Romania, Bosnia-Herzegovina, Saudi Arabia, Israel, among others. For the time at any ISS event, Magnus noted, “Our number of engagements on the booth needed a minimum of two people on the booth; three would be better as we were not able to engage with everyone that came to the booth.” What an incredible turn out! The team is excited to nurture these conversations and needless to say, looks forward to next year’s event! In addition the great conversations at the booth, the team hosted a dinner with Pegasus Intelligence, who DarkOwl works with to provide cutting-edge security solutions to government and military clients.

Throughout the event, top minds of the space share the latest technology, trends and thought leadership in the cyber community. Tracks this year included: Investigating DarkWeb, Bitcoin, Altcoin and Blockchain Transaction, Threat Intelligence Gathering and Cyber Security Product Training, Social Network Monitoring, Artificial Intelligence and Analytics Product Training, LEA, Defense and Intelligence Analyst Product Presentations, Lawful Interception and Criminal Investigation Training, Mobile Signal Intercept Product Training and Presentations, Electronic Surveillance Training and Product Presentations, and 5G Lawful Interception Product Training.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

---

DarkOwl looks forward to continuing our global presence at ISS events, you can see where we will be next and request time to meet with us here.

June 27, 2024

As DarkOwl have previously reported, a group known as Scattered Spider have been attributed to several high-profile attacks including against MGM casinos and Caesars Palace. They are known to use social engineering techniques to target call center staff in order to gain access to systems. Active since early 2022, Scattered Spider is also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra and is largely financially motivated. 

Although many cyber security researchers hypothesized that the actors were Western-based, due to the times that they operated and the language used, little is known about the individuals behind the attacks. Although the group has been named Scattered Spider by researchers, it is thought that there are many different groups of individuals who have been involved in this and other nefarious activity.  

Arrests 

The FBI had announced in May that they were seeking to charge members of the Scattered Spider group. However, the first individual purported to be a member of Scattered Spider was arrested in January 2024 in Florida. Noah Michael Urban who is 19 years old was charged with stealing $800,000 from 5 victims. He is awaiting trial.  

On June 14th, the VX Underground reported via X (formerly Twitter) that a 22-year-old British man was arrested in Palma de Mallorca Spain. The arrest was reported to be part of a multi-agency operation between the FBI and Spanish authorities.  

An official statement stated that the individual was alleged to be behind a series of large enterprise “hacks” which resulted in the theft of corporate information. 

Further reporting indicated that the individual arrested used the alias “Tyler” and that he was a sim swapper allegedly involved in the Scattered Spider group. VX Underground reported: “Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.“

A video was circulated online which purported to be this individual being arrested by Spanish authorities, which happened as he attempted to board a flight to Italy.  

Scattered Spider are also reported to be behind the Oktapus campaign which used SMS phishing campaign to target several high profile organizations. The arrested individual was reported to be active in sim swapping.  

Brian Krebs later reported that the individual arrested was Tyler Buchanan from Dundee, Scotland who used the alias “tylerb” on sim swapping channels. 

Tyler Buchanan 

Searching for further information relating to Tyler Buchanan in DarkOwl Vision, highlights that individual was doxed in January of this year. Details were shared on the Doxbin site which included his full name, address, telephone numbers, email addresses, IP addresses, usernames and social media accounts.  

The post seems to have been made by a rival who appears to share the information in retaliation for Buchanan speaking about his and states that he has made money off him whereas Buchanan doesn’t have money.  

But this was not the first time this individual was victim of a dox, with other posts identified in 2023 which includes financial information and information about his family members. Another post was found as early as 2019. 

A review of the usernames listed highlights that Buchanan was also active on several dark web markets selling financial information.  

Further reporting from Krebs indicated that Buchanan had been subject to an attack from a rival trying to access his cryptocurrency keys. In that event his mother was assaulted highlighting the real-world risks that are posed by these criminal groups and sharing their information online. 

We will await further information from law enforcement on what Buchanan is charged with.  

---

Don’t miss any updates. Follow us on LinkedIn.

June 19, 2024

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels have been used by threat actors to communicate, sell illicit goods, share disinformation, and generally communicate among other activities. Monitoring of these channels is important to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.  

However, the amount of data that can be included in these channels can be very large in volume. DarkOwl, therefore, wanted to establish if AI (artificial intelligence) could be used to analyze the data included in a specific channel and what could be discerned from that data.  

Disclaimer: This blog is based on A.I analysis of a Telegram channel content. This covered the period of August 2022 to February 2024. DarkOwl does not take responsibility for the analysis conducted and is shared for informational purposes only. Other AI platforms are available.  

Star Fraud Chat 

The Telegram channel “Star Fraud Chat” was selected as a channel to analyze to see what information could be gleaned about this group from their activity on Telegram. This group have been attributed by security researchers to a group known as Scattered Spider which is assessed to have been responsible for the attack on MGM Casinos. Furthermore, they are assessed to be part of a group which describes itself as “the Com” who are reported to conduct cyber attacks as well as cyber bullying and swatting attacks.  

Figure 1: Profile page for StarFraud Chat 

Data Analyzed and Methodology 

DarkOwl analysts used open-source tools to extract a download of the Telegram chat content from when it was started in August 2022 to February 2024. This generated a CSV file which included the usernames of participants, timestamps of activity, content, media shares, replies, and reactions. ChatGPT was then used to analyze the CSV file, with specific questions being asked to identify what information could be gleaned.  

This blog was written with a mix of AI analysis produced directly by ChatGPT as well as analyst review and enrichment.  

Parsing the Dataset: Challenges and Solutions 

ChatGPT was asked to analyze the CSV file to see what information could be found. It initially had issues due to the formatting of the document but was able to overcome these issues after a few tries.  

ChatGPT said: 

The initial attempt to read the CSV file encountered issues due to irregularities in the data format, such as varying numbers of fields per line and improperly escaped or quoted strings. By inferring the delimiter and adjusting parsing strategies, we successfully re-parsed the data using a semicolon (;) as the delimiter. This correction allowed us to structure the dataset properly, revealing 56,210 rows and 42 columns, including information on message IDs, display names, user IDs, message texts, timestamps, and reactions. 

Topic Analysis 

First, we wanted to understand which topics were most commonly being discussed in this Telegram channel to understand what threat that the users of this channel could pose. We therefore asked ChatGPT to analyze the message content itself and provide us with a summary of what was discussed.  

ChatGPT said: 

The most common words in the messages are general and do not provide specific insight into the topics discussed. To better understand the themes, we should look for specific terms and phrases related to the context of the chat. 

Key Observations: 

1. Fraud-related Terms: 

• Words like “debit,” “pin,” “balance,” “card,” and “verified” suggest discussions about fraudulent financial activities and the exchange of sensitive financial information. 

2. Communications: 

• Common conversational terms like “you,” “me,” “for,” “is,” and “on” indicate typical interactions among users. 
• Informal and slang terms like “lol” and “bro” indicate casual communication. 

3. User Mentions: 

• Usernames and mentions, such as “@FENTOPENUPS” and “@bankopendropps,” likely reference specific users or groups within the chat. 

We wanted more information, so we then asked ChatGPT to do a deeper analysis of the text used related to fraud and take samples of the data. ChatGPT itself suggested ways in which we may be able to conduct further analysis. The output was as follows: 

ChatGPT said: 

Summary of Topics Discussed: 

1. Sale of Financial and Personal Information: 

• Users are discussing the sale and exchange of debit cards, ATM PINs, verified personal information (SSN, DOB), and related financial details. 

2. Resetting and Hacking Services: 

• Offers for resetting email accounts and other services for specific fees, indicating a market for hacking services. 

3. Social Engineering Techniques: 

• Strategies for social engineering and cashing out from accounts, including profit-sharing details and specific email domains targeted. 

4. Account Requests: 

• Requests for various types of accounts, such as Netflix, indicating a broader market for access to subscription services and accounts. 

5. Panel Management and Availability: 

• Discussions around the availability and longevity of panels, which could relate to account management services or access points for various fraudulent activities. 

The chat primarily revolves around fraudulent activities, including the sale of financial and personal information, hacking services, social engineering techniques, and requests for various account types. There is also a market for managing and providing access to certain panels or services related to these activities. This environment indicates a highly active and diverse exchange of illegal services and information.

Identifying the Most Active Users 

Once the document had been reviewed and we understood what information was being discussed, we then wanted to understand more about the users of the channel. We began to ask ChatGPT specific questions about the users starting with an analysis of which users were the most active. 

ChatGPT said:  

The analysis determined the most active users based on the number of messages sent. The top 10 most active users are: 

1. **”.”** – 1,076 messages 

2. **netbox** – 1,062 messages 

3. **ㅤ** (a whitespace character) – 718 messages 

4. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 697 messages 

5. **ʹ** (a single quote) – 504 messages 

6. **Osama (GENERATING)** – 469 messages 

7. **Perc** – 468 messages 

8. **bloed** – 347 messages 

9. **Systoned** – 327 messages 

10. **boomb** – 320 messages 

These users have significantly contributed to the conversation, making them central figures in the community. 

The analysis highlighted that many of the most active users didn’t have a specific display name, with punctuation or blank spaces being used. This analysis also did not account for the fact that users are able to change their display names, so there may be messages within the data from the same user that appear to be different. It is possible to conduct this analysis based on the user IDs as that was included in the data extracted from Telegram.  

The admins of the account are listed on the Telegram channel, this includes a bot which is likely used to administer new joiners etc. None of these appear in the most active users: 

Figure 2: List of StarFraud Chat admins 

Users Receiving the Most Reactions 

We then wanted to establish if we could look at the activity on the channel from a different perspective, not just who had posted in the chat, but who had provided a reaction. Telegram users can react to posts on Telegram using emojis etc. We looked at which users post had received the most reactions from other users.  

ChatGPT said: 

Reactions to messages indicate the level of engagement and resonance of user contributions. The users who received the most reactions are: 

1. **Star Sanctuary** – 34 reactions 

2. **netbox** – 15 reactions 

3. **Jack** – 12 reactions 

4. **ㅤ** (a whitespace character) – 9 reactions 

5. **.** (a period) – 8 reactions 

6. **Perc** – 6 reactions 

7. **digital cannibal** – 6 reactions 

8. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 6 reactions 

9. **Stardusts in my memoryCard** – 5 reactions 

10. **Panama Creative** – 5 reactions 

This list highlights the users whose contributions garnered the most engagement from others. 

This did include posts by some of the admins, the number of reactions given the volume of posts appeared to be relatively low.  

Key User Interactions 

We then wanted to understand how the users were interacting to do this we asked ChatGPT to analyze replies between users. However, this did not take into consideration the nature of the posts, as some posts may garner more interest than others. Added context would be needed to understand how they users were interacting.  

ChatGPT said: 

Understanding who interacts with whom provides insights into the community dynamics. The top user interactions, based on reply activity, include: 

1. **’** replied to **fan (real)** – 6 times 

2. **Perc** replied to **netbox** – 5 times 

3. **nef** replied to **boxingloves** – 5 times 

4. **Systoned** replied to **Osama (GENERATING)** – 5 times 

5. **ㅤ** (whitespace character) replied to **Osama (GENERATING)** – 4 times 

6. **Osama (GENERATING)** replied to **Systoned** – 4 times 

7. **ㅤ** replied to **geekypoo** – 3 times 

8. **Osama (GENERATING)** replied to **ㅤ RR BB** – 3 times 

9. **King** replied to **𐕣₩** – 3 times 

10. **netbox** replied to **Uno[Shop in Bio]** – 3 times 

These interactions highlight the most engaged pairs of users within the community. 

However, this again did not take into consideration that display names could change, nor does it factor in who made the most replies. Which user generally received the most replies and to what content. It is possible that this information could be obtained from the data using ChatGPT with more precise questions. 

Visualization of Interactions 

We wanted to see if it was possible to visualize these interactions, network analysis is a really useful tool for analysts see connections between individuals and identify who is communicating with who and if patterns can be identified. So, we asked ChatGPT to create this visualization and to clean it up.  

ChatGPT said: 

A network graph was created to visualize the interactions between users. Each node represents a user, and each directed edge indicates that one user has replied to another. This graph illustrates the structure of interactions, showing which users are more centrally involved in conversations and how clusters of users interact more closely with each other. 

Figure 3: ChatGPT generated visualization of user replies 

Being able to review this information can be incredibly useful for analysis and gives us an insight into which users in the StarFraud chat interact the most and are the most active on the channel. Being able to manipulate this graph and see which users are most active could give analysts a starting point for which users it may be most useful to investigate. 

Peak Activity Times 

We then wanted to know if it was possible to identify the time that the chat was most active, as this could maybe help us identify which time zone the users were in helping us to narrow down a location. We therefore asked ChatGPT to review the timestamps.  

ChatGPT said: 

Analyzing the timestamp data revealed that users are most active at 1 AM, with a total of 3,973 messages sent during this hour. This peak in activity suggests that the majority of users might be located in a specific time zone or find this time particularly convenient for engaging in conversations. 

Figure 4: ChatGPT generated timeline of posts 

However, it was not possible to ChatGPT to identify the time zone without additional context. The timestamp provided by Telegram appeared to use GMT however which would indicate that most of the posts were made during the early hours of the morning in Europe or late afternoon US time.  

Location Mentions 

As this analysis was inconclusive, we wanted to see if there was any information in the messages sent which may link to a location. So, we asked ChatGPT to look for this information within the posts.  

ChatGPT said: 

A search for location-related keywords identified 152 messages referencing specific locations. Examples include: 

– ““victory park” its a 2 story police department…” 

– “u in middle of street” 

– “ghost town” 

– “smh u the same ni**a scared to meet up and we …” 

– “**🎉 Get the Best RDP/VPS Deal with StealthRDP!…” 

These references vary in context, ranging from conversational mentions to specific addresses or locations. 

This analysis did not add much value as the locations mentioned were very generic in nature, again more specific questions and directions may be beneficial to improve results here, perhaps focusing on country or city locations rather than more generic terms.  

Conclusion 

The analysis of StarFraud Chat provides valuable insights into user activity, engagement, and interaction patterns. By understanding the most active users, the times of peak activity, and the dynamics of user interactions, we can better understand how this group is operating and where best to focus our analysis. We can also analyze the topics discussed to understand what threats this group poses.  

This also highlights how AI can be used by analysts to assist in their investigations, allowing them to speed up how long it takes so review large amounts of data. However, these specific examples also highlight the importance of asking AI models very specific questions and ensure they understand the information you are seeking to obtain, these models are only as good as the seed questions that are being asked.  

---

Questions about AI impacts DarkOwl’s darknet data collection? Contact us.