Author: DarkOwl Content Team

[Presentation Transcription] Importance of Darknet Data in OSINT Investigations

July 09, 2024

The KeyNorth Group hosted DarkOwl’s Director of Intelligence and Collections for an exclusive community webinar in May. We are excited to share the transcription of the presentation below.

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.
In this session, Erin covers how darknet data:

  • Enhances OSINT investigations by unveiling hidden information
  • Strengthens our ability to combat cybercrime and protect individuals and organizations
  • Enhances threat intelligence and helps maintain a safer digital ecosystem
  • Is utilized in identity theft, fraud, compromised accounts and other real-world examples

Lorena Rivera (KeyNorth Group): I’m pretty sure you all recognize DarkOwl as a worldwide provider of darknet data. Some of you know they’re working, providing data for government agencies as well. So today we are really happy to have Erin, Director of Intelligence and Collections at DarkOwl. Erin has more than 10 years of experience working in intelligence and conducting closed-source and open-source investigations. So, without further ado, please join me in welcoming Erin.

Erin (DarkOwl): Thank you. And so, thank you everybody for joining today. I really appreciate you taking time out of your day to learn a little bit more about the dark web. What I’m gonna cover in the session today is a bit of background on what the dark web is and why it is important. And then I’m gonna go through some use cases and real-world examples.

As Lorena said, if anyone has any questions throughout, please add them in the chat and I will be more than happy to answer them as I go along.

I’m the Director of Collections and Intelligence at DarkOwl, and I’ve been an intelligence analyst for over 12 years. I worked for the UK Government before working for a number of other companies doing OSINT investigations.

Just to give you a bit of background before we dive into the dark web information, I just wanted to give you a little bit of information about DarkOwl. We are a dark web company and our primary goal is to collect as much darknet data as possible that is relevant to use cases of criminal activity and make that available to individuals through our Vision platform and our APIs. We’ve been around since 2012 and pioneered that darknet collection, so we have a lot of historical data as well as the most recent data that’s available and you can view that through our Vision platform and also through APIs and datafeeds. If anyone would like to know more about DarkOwl again, please add it into the chat and we’d be more than happy to talk you through that.

Jumping into the main event of what we’re talking about, let’s start with what the darknet is and how it is different to the surface web and other things that we’re able to view. So, no OSINT presentation is complete, I feel, without showing some kind of an iceberg. I feel like everyone does that these days, but it really does demonstrate the different levels of the Internet and the different areas that we can kind of examine.

The surface net is websites that we use on a daily basis, they’re indexed by search engines, and you know you can go to Google, you can go to Bing and search for something, and that information will appear for you. So, it’s very easy to access. And the deep net is content that is accessed via a login or behind some kind of wall. So, it’s credential protected or it’s a database, so it’s not commonly indexed by those search engines. And then the darknet is a hidden service where you need to download software in order to be able to access it and it’s not indexed. It’s a lot more difficult to find URLs. URLs are a random string of characters and numbers, and therefore it’s not an intuitive process to search through it. Although we are a darknet company and that is our primary focus, we do actually collect data from across these three areas, as long as they are relevant in terms of threat actors accessing them or nefarious activity taking place.

So with that said, let’s delve into the dark web and what can be found there. So, this gives you a brief history.

And so, the dark web has been around since the early 2000s. It was actually created as a project by the US government in order to share information in an anonymous and secure fashion, but it was released to the public in around 2006 through the Tor Project. The Tor Project is a not-for-profit organization that manages Tor, or The Onion Router. It manages the software, which creates a tunnel for individuals to access it and remain as unknown as possible. The way Tor works is it goes through three relays, and so you will start on your computer. You’ll type in a message, it will go through three different relays and come out at where you’re attempting to go. So it makes it a lot more difficult to track that traffic.

It is worth noting, and I’d like to point out, that although there is a lot of nefarious activity on the dark web, there are also legitimate uses for it. A lot of individuals that are in countries where their internet access is restricted and the types of sources they’re able to access are restricted, can view some of those things through the dark web. You know, there are news organizations and social media platforms that do have websites on the dark web that people can access, but it is also, as we all know and why we’re here, a place where nefarious activity does take place.

And in the mid-2000s, that was when we started to see marketplaces emerging, with cryptocurrency being created that gave people a more anonymous way to transact on the dark web. We’ve started to see data breaches and information being shared there, and we can see certain groups, not just kind of criminal activity but extremist activity and terrorism activity, taking place on there as well.

But law enforcement have started to crack down on this and have been able to seize some of the sites, starting with Silk Road and AlphaBay. And you know, as recently as two weeks ago, BreachForums was seized. So there’s a lot of information that’s gone. This only shows up to 2020, but obviously you know it’s still a very active place.

So, what can actually be found there? So, I kind of already mentioned, information and social media are available on the dark web, but the things that we’re probably more familiar with people talking about and more relevant to us are things like dark web marketplaces, where drugs, counterfeit goods and data are freely available and for sale. We have forums where threat actors are discussing and talking about things and usually also selling goods. We see a lot of data leaks and ransomware sites on the dark web, so ransomware walls of shame, we should say, are available on the dark web. And then there’s also a lot of cryptocurrency activity on there. So, things like mixers and tumblers, which help users to obfuscate their cryptocurrency more, although there are still ways that you are able to kind of follow that money.

So, to show you some examples of what this actually looks like, here are some things that I found on the dark web, just to kind of give you a flavor of what it looks like.

You can see, even though it’s not indexed and it’s more difficult to find, there are websites that are set up like any other websites that you would see on the surface web. They have reviews, they have payment systems, they have login information and captchas, etcetera. So, here you can see we’ve got a site that’s selling human organs, which I like to think is not real, but it definitely exists out there. We have people selling drugs. We can see people selling IDs and counterfeit documents, as well as selling cash payments and things like that, and then going on to the next one.

These are what some of the marketplace homepages look like. So, you see a lot of advertisements. You can see the different types of cryptocurrency, Monero, Bitcoin, Dutch, White Coin, that are being accepted. They do accept a wide range of cryptocurrencies, although Bitcoin is still the dominant currency of choice. You can see credit cards, counterfeit money, and data being shared on all of these sites. So, there’s a huge amount of information out there and it is kind of set up in a way that people can go in and select what they want. You can see the different categories there and how many listings there are for those different categories, and then you can go in and purchase that information, and they do tend to ship worldwide.

As well as those specific dark web sites and forums that you get on Tor and Onion, we do also look at dark web adjacent sites. They are the sites we refer to which are not on the dark web themselves, but they are still being used by the same individuals and in the same nefarious ways. So, looking at things like messaging apps, and Telegram is obviously huge at the moment, but we also see things like ICQ, Jabber, Matrix, Element, Rocket.Chat where we’re seeing extremist activity being discussed and criminal networks operating and announcing activities. That’s also true of some gaming apps. So, while there’s a legitimate purpose for that, you know we do see information being shared on things like Discord and Twitch. Obviously, famously, U.S. government information was leaked on Discord, so they do try to clamp down on that activity since that happened.

And then also a lot of threat actors will use the surface web to have their marketplaces, their vendor shops and their forums. And they feel that if they are using bulletproof hosting it can’t be taken down, and especially if they’re in non-extradition countries, they often feel that they don’t need to use the dark web as that extra level of security. So we do see marketplaces, forums, vendor shops that appear on the surface web, and things like Doxbin and Pastebin, where information is shared as well. So we do collect from all of these different areas as well as from the dark web itself.

So just to kind of summarize that, there’s a lot of data that comes from the darknet, and so you know there’s a lot of raw data, and there’s a lot of new things that we’re seeing emerge. So PII (personally identifiable information), I think, is the main one that people are concerned about. Data leaks are being sold on a daily basis. They do include some very sensitive information in them, as well as, you know, some more generic things such as emails. You can get banking and transaction information as well as credit card data. We do see a lot of financial apps being transferred as well. So, accounts such as Cash App and Zelle and others are being transacted all the time. Corporate data, this is especially true with ransomware data, where they basically just take everything they can from a victim and make that available.

We also see a lot of threat actors selling malware and toolkits, and then obviously ransomware as a service. As well as selling those tools, we also see a lot of tutorials for individuals on how to conduct attacks, and you know the more traditional kind of script kiddies, where they’re able to purchase these tools and instructions on how to use them and use them very successfully. Especially when those credentials are out there, that’s the easiest way for a cybercriminal to get into a network or get into where they want: to have credentials rather than having to kind of use an exploit to get in there.
But we are also seeing more cyberattacks happening, DNS hijacking, cyber espionage. Although it’s harder to identify, hacktivist groups and others are kind of getting more into that realm, and the line, I would say, is blurring for some countries between state actors and criminal actors, and from the same area we are seeing some overlaps with that. And of course, there’s always DDoS attacks and cyber threats.

So, just to give you an idea of the landscape and how it works, these are the different areas that we collect from; everything that is highlighted in red are the areas where we focus.

But there are other areas out there, so I’ve mentioned Tor primarily, and that’s the one where we see most activity occurring. There are other darknet software providers out there. So, we do also collect from I2P and ZeroNet. We have heard from some of our law enforcement partners that ZeroNet and I2P are actually increasingly being used for CSAM material, but Tor is still primarily used by most threat actors. But Freenet, Loki, Unigrid, Mysterium are also available. We don’t see the same level of activity happening on those and the same chatter about them. And so, we don’t kind of direct our resources there, but should that change, we would increase our coverage of those areas.

I’ve also mentioned the high-risk surface web areas. So, things like paste sites and discussion boards, and there are a lot of extremist activities and protest groups that are using violent means rather than peaceful protests that are discussing information on discussion boards. So, we want to make sure that we’ve got coverage of those, and then the deep web also. We do avoid social media, and there are a lot of other companies out there that do that and in such high volumes; we do try to target our collection to the dark web and also messaging apps. Telegram is huge for us and we collect from almost 5000 channels. Those are curated to make sure that they’re relevant, and we do add new channels all of the time. But we are seeing a huge volume of actors using Telegram as a way of communicating. And I already mentioned BreachForums being seized a couple of weeks ago, and as soon as that happened, you know, and interestingly, one of the Telegram channels was taken over as well. But we did see new Telegram channels popping up. That was how the threat actors were communicating. That was how the new Onion address for BreachForums was shared, and so it’s definitely very much intertwined. We will see a lot of ransomware groups and marketplace vendors have a Telegram ID on their dark web marketplaces, advertising that as a way to talk to them, as a way to do escrow payments and things like that.

Lorena: So you have all these different sources. Where or how do you store all the data?

Erin: We store the data in the US, we use AWS, so it’s all US based. We collect that information and host it with AWS.

So why is dark web data important? Hopefully you are already getting a sense of that, but one of the things I always say as an analyst is that different bits of data or different tools are one tool in the toolbox, and you need to bring everything together to be able to get a full picture. So, darknet data is definitely one element of that OSINT investigation that should be looked at. Corporations are being talked about, individuals are operating and discussing. You can get pattern-of-life information. You can get identifiers, and also you can learn about what illicit activities are taking place. You know, what are the trends in terms of different malware or different attacks that are being talked about? Who are the primary targets? And it can really help law enforcement understand how groups are operating, and it can help corporations understand how they should protect themselves, given things that are taking place.

Being able to access those forums, those marketplaces, those communication channels and see how these threat actors are interacting, what they’re discussing and what they’re doing, and also being able to target that illicit activity and obtain that information as evidence of what they are conducting. So, it really does provide insight into cyber attacks, data breaches and drug trafficking, human trafficking. You know, there are a wide range of activities that are taking place on the darknet, and if that information isn’t being viewed, you’re not seeing the whole picture, I would say in most cases.

So, with that said, I wanted to jump into a couple of use cases and walk you through how you can use dark web data. So, we’re starting here with a LockBit affiliate, so LockBit is probably one of the most active groups out there. They were subject to law enforcement activity earlier this year, and unfortunately, they did come back fairly quickly and created a new kind of leak site, albeit a little bit more rudimentary than the one that they previously had. And as a side note, I loved what law enforcement did to their leak site, in terms of how they just set it up to advertise.

But here we’re looking at one of the affiliates that was indicted and added to the sanctions list in the US. So, it was a threat actor known as BASSTERLORD, and searching on that username, we are able to see, because we have that historic collection, that he appears over 8000 times in our data. So, a very active user across multiple sites, but particularly Exploit and XSS forum on the dark web, which are Russian-language forums, a lot of them are invite only, and so you need to have quite a bit of access to be able to get into those and see the information that’s being discussed. And we could see through those discussions, and you can see an example in Cyrillic on the right-hand side of the screen, discussions that he’s having with other threat actors discussing malware he’s created and the hacking operations that he has conducted. Looking at his real name and identity that was released in the sanctions, we were also able to identify that his name appeared in several leaks. So, we were able to see information about him and also identify, through those leaks, some of the social media presence that he had. And as an aside, again, just because I think it’s interesting, LockBit actually put out a message saying that they would give money to anyone that got a tattoo of LockBit, and several people did that and posted it online, which is insane to me, but I thought I would share that. It kind of gives you an idea of the communities and how they operate and also what they will do for money.

I’m sticking with LockBit and their affiliates for the second use case. This was another individual. He was sanctioned, and so again, you know, we can search on that email address and see that he appears in several leaks with his full name in Cyrillic and also his phone number. So, we’re also able to pull out user agents and things like that. So, obviously this is after the fact, he was also already identified by law enforcement, but hopefully you can see I’m trying to highlight that if you did have an email address or a phone number for a suspect, being able to look at this leak data, which you know unfortunately has been stolen and shared, can be a really useful tool for law enforcement and for attribution in terms of identifying more information about an individual, and obviously you’d need to validate that in other ways. A leak is only one source, and it’s only as good as, you know, the threat actor that’s stolen it in some cases, but it really can give you a lot of information about specific individuals based on selectors or monikers that you’re able to identify as part of your investigation.

I mentioned that cryptocurrency is the main way that people transact on the dark web, and I wanted to give you a little bit of information about how we can kind of use OSINT tools and the information that’s out there on the blockchain to look at a particular cryptocurrency address or site. This is an Onion site, I don’t think it’s surface web, called Kiwi Farms. It’s predominantly used by extremists who have fairly difficult opinions, I would say, and they share those actively on the site. So, it’s a forum where individuals can share information.

So, on the left-hand side of the screen you can see our platform, Vision, where we’re able to search. You can search specifically by cryptocurrency addresses and so I searched to see where cryptocurrency addresses appeared, and then I also wanted to see what the site actually looked like. So, we do have a feature within the platform called Direct to Darknet, which you can click on, and it will show you if the site is live, what the live site actually looks like. This is what the forum looks like on the dark web. We can see that there was a cryptocurrency address that was shared on this page.

Next, I wanted to delve into that and look into it in a bit more detail. So, using an open-source investigations tool, I searched that cryptocurrency address and can see that someone had already tagged it as Kiwi Farms. So, it’s actually a donation address that the forum was asking for in order to keep their site up and going. Using open-source, crowd-sourced information, you could see that it’d been labeled as Kiwi Farms. We were able to verify that because it came from the site itself, and you can see the total amount of cryptocurrency that they’ve received and that most of that has just gone straight out of the account. What I found interesting in this is that I was trying to figure out where they cashed out these funds to see if you could identify who was operating the forum. There were several exchanges where they cashed out, so Binance, Kraken, but one of them, Bovada, this specific address had been listed as related to terrorist activity, and so you would need to dig into that more. And again, it’s unvalidated information, but it can highlight that nexus between what is being referred to as terrorist activity and then an extremist forum. So again, really highlighting that nexus between dark web data and other OSINT information that you can use.

I felt like I would be remiss without mentioning the Israel Hamas conflict, as that is something that has been very prevalent on the dark web, but primarily Telegram. Ever since the attacks in October last year, we’ve seen a lot of hacktivist activity and also a lot of data breaches that are being shared on Telegram. These are just some examples in terms of data that’s being leaked, defacement attacks that are being promoted, but also stolen information of probably high-value targets within their countries that are being added on Telegram. You can see there at the bottom there’s also a Maltego graph; we’re seeing a lot of these activist groups operating together, and we’re seeing them sharing different information and mentioning each other and crediting each other in the attacks that are happening. So, it really starts to build that kind of network of activity and that link analysis of the threat actors out there, and you know, they have the defacement where they put their username, so you can associate individuals to that particular group. So, they have websites as well, and some of them are also active on social media and they’ll provide that information, that’s Twitter accounts or Instagram accounts. It provides that nexus.

I think that the other thing that was interesting with this conflict and Telegram in particular is it was a way that information was being shared a lot quicker than by mainstream media. Obviously, that needs to be taken with a pinch of salt in terms of whether it is true information or not, but it was certainly a way things were being shared, and very early on in the conflict, images were being shared online of Hamas coming through fences and gates, and images of hostages, etcetera, were being shown. So, it is a way that people are getting media. So not just looking at the threat actor perspective, but also the disinformation, and especially as we come into kind of an election year, it’s something I think to be aware of.

Again, I feel like I would be remiss if I didn’t mention drugs. I’m not going to say a lot about them, but the sale of drugs on the dark web is massively prevalent, and there are many, many marketplaces where drugs are their specialty, and they do provide images of the drugs, details of how to ship them and where they will ship to, how to circumvent law enforcement finding them, how to use drop addresses and things like that. And again, this is just highlighting how we can search within Vision for particular drug information and then view that on the dark web itself and see how they’re advertising it, and you can see some of the prices here are actually really quite low.

And another group that I wanted to mention, this is the name given by cybersecurity researchers, Scattered Spider. They’ve been very active in the last year or two and have had some very high-profile attacks. MGM Grand and Caesars Palace in Vegas are probably the largest ones, and they have adopted social engineering and phishing techniques very successfully. They’re quite well known for ringing up help desks and convincing people to share passwords with them, but they also can be quite violent and extreme in terms of bullying individuals once they get their phone numbers and constantly messaging them and asking them for information until they share it. They’ve also been linked to swatting activity and been linked to a kind of wider organization on the web, and Telegram in particular, known as the “Com”.

And so, there’s quite a lot of different groups that fit into that, and as well as doing cyber attacks, they’ve also been doing some pretty nasty other attacks in terms of encouraging people to self-harm and conducting other acts which are really quite awful. But again, it gives you that insight into not only the activities that they’re doing, but also how they’re operating, the kind of personalities that they have and how they’re communicating with each other and where their motivation comes from, and we see that, you know, very much through a number of different Telegram and Discord channels. But then they’re also linked to very large affiliates, like BlackCat and ALPHV, and so they used their ransomware in the MGM Grand attack. This is just an example of some of the administrators of one of the Telegram channels that is linked to the Com and Scattered Spider. And so, you see, they’re kind of hiding in plain sight, and obviously their images are not of them and their names are not real, but the fact is that you can even see here who the admins are, and they’re very cocky. They have egos, I think that’s the main thing.

I also wanted to mention seeing some kind of environmental crimes. I know that that is where a lot of the audience comes from. So, these are just some examples of where we have seen environmental crimes being shown on the dark web, on forums and on Telegram as well. So, you can see an image from a marketplace that is selling animal goods, illegal animal goods such as ivory and fur. We can also see advertisements. A lot of those on forums are things like dogfights, cockfighting, and also animals for sale, and I would say that we do see this information and it is prevalent on the dark web, but we do also see a lot of that happening on the more mainstream sites such as TikTok and Instagram. But it’s certainly something on the forums, and I would say Telegram and other messaging apps in particular are areas where we’re seeing that kind of activity and channels being set up to discuss both activities as well.

And then finally, given the audience, I wanted to give a couple of examples that were specific to Canada. And so, I did a really simple search to highlight some of the things that are happening in terms of looking at Canada in our data and seeing where it appeared.

You can see a couple of different examples here. One of them is extremist, anti-Semitic rhetoric from individuals that are, I assume, living in Canada and the discussions that they’re having on the forum. This is the image on the left and it’s from 4chan, which is a well-known extremist forum. In the middle, Styx Market is one of the larger markets on the dark web that sells drugs, counterfeit goods, hacking tools, etcetera. You can see here they are selling Canadian passports and driver’s licenses, and they’re providing it with a selfie as well so that you can use it to get around KYC controls. But we see these sold all the time, and you can see they’re not very expensive. How legitimate they are? I’m not sure, but that’s the kind of thing that we see. And then also you can see fullz information being sold. So again, for identity theft and financial fraud, fullz is all the information about the individual; it’s got employer info as well as Social Security numbers and names, addresses, etcetera, and that obviously is the image that’s come specifically from the dark web, I think it’s DarkDock Market. You can see where it’s come from, and so you know you can use those keywords and that information to drill down into what you’re searching for. If you need to make sure that something has a nexus to Canada or the area that you operate in, you can include that in your searches to make sure that it’s returning that information. One of the things I would say about the dark web is it is somewhat anonymous and it’s very difficult to know where people are coming from, and so with all kind of cyber information, it’s difficult to know if an individual is a Canadian citizen or U.S. citizen, and so that can cause challenges, but you can search on those keywords and do what you can to find that information.

Lorena: Is it possible to turn on and off services within the platform to comply with Canadian law?

Erin: So I’m not sure of the specificity of the Canadian law in terms of what that refers to, but as I mentioned at the end there, we make all of our data available, so it would be a case of focusing your searches to fit in with what’s acceptable under Canadian law. We do follow very strict guidelines in terms of the information that we collect and how we operate, to make sure that’s legally and ethically done, and we comply with things like GDPR. I know that’s more European relevant, but you know data laws are becoming a thing everywhere, so that is something that we certainly try to comply with, and we could work with anyone in terms of, you know, what laws we needed to work around to make sure that we can support that.

Lorena: We can imagine that the amount of data you can find changes between one language and the other. But do you have any example or experience, if you have had to manage in the past investigations where you need to use two different languages, like, for example, here in Canada, French and English? And what features does this platform have, and how do you manage these types of investigations?

Erin: Yes. We collect all of the data as it is, and we don’t make any changes to it. I think it’s important, as investigators and analysts, to see the raw data as it was written by the individuals and not changed in any way, and that’s one of the reasons we don’t offer any kind of translation services, but we do support over 50 languages now within the platform. For example, if you were doing English and French, you could search in both of those languages to see if information was returned in French or if it was returned in English. One of the features that we have in the platform also is what we refer to as Search Blocks: you can create search terms related to specific activities, and we also supply some of those within the platform, things like drugs, counterfeit goods, hacking and generic terms, and we do provide those in multiple languages. We support English, French, Arabic, Russian, Chinese, I believe German for those Search Blocks, so that’s how we add that in to be able to search in those different languages. And I should say as well that we make every effort to make sure that the data we’re collecting is as global as possible. We do try to make sure that we collect things that are in other languages and are going to be relevant to law enforcement and corporations globally.

Lorena: Can you please expand on the current tools you use to navigate and search the darknet?

Erin: The main tool we have is Vision. My team is obviously looking and sourcing that information all of the time, and part of that is reviewing the collection that we already have and seeing other marketplaces and things that people are talking about, and making sure that we can identify that, review that and see if it’s worth adding to our collection. There are some lists or websites that will list Tor or Onion URLs that you can use to find information as well, and so we do review those periodically. We constantly search for new URLs that are created as well within the dark web and review those to see if they are applicable, and then for things like Telegram and Discord, you know, we do keyword searches, and we have analysts that are operating in these channels and on these sites that are seeing mentions and discussions and identifying things that way. So I wouldn’t say there are specific tools that we use to navigate the dark web in terms of our collection efforts, but I would say that the primary goal of the Vision platform that DarkOwl provides is to allow you to search the dark web in a safe and secure way, and you don’t need to worry about sock puppets or your VPNs or your proxies, but you’re able to see all of the data that’s being shared on the dark web.

Lorena: Can the information be used as intelligence in a court of law?

Erin: So, we’ve never tested that, to be honest. We haven’t been asked to do that, and it is something that we would support if we could. One of the things that we ensure that we do as part of our collection is maintain all of the metadata associated with the data that we’ve collected. So we’ll have the original URL, the date that it was collected, the method that was used to collect it, and, you know, other things that show where we got it from and where it was stored, to have that provenance on the data, because we know that that’s important to our law enforcement customers. But yes, it’s never been tested. So, we’ve never been asked to present it in a court of law to date.

Lorena: How do you deal with the ephemeral nature of onion sites? Similarly, how do you link anonymous users from different sites? Neither sites nor users will cryptographically sign their pages or messages to validate identity, or do they?

Erin: The ephemeral nature of Onion sites, it’s just constantly reviewing them. They do go up and down. Because of the coverage that we have, we’re able to quickly identify when new sites are created or if they’ve changed. A lot of the sites as well will also provide a list of validated mirrors and information such as that, which we will record. We do maintain a database of all of the sites that are most relevant, and the mirrors associated with them, but it is a constant thing to be able to kind of keep on top of that and how they’re moving. And as I mentioned, being part of those communities with anonymous accounts allows us to see what people are talking about and what the latest trend is.

And in terms of the anonymous users, I’m not sure I got that entirely. But I think what you are asking is how do we know that individuals are who they say they are? And I think basically we don’t. We do see a lot of threat actors that will use PGP keys in order to validate the messages that they’re sharing. And you know, we’ve seen that with the administrators of breach forums and others, where they’ll put messages on Telegram, and they’ll sign it with a PGP key, and they’ll have a website that validates it. So, you can do that in some ways, but I think, you know, the very nature of the dark web is that anyone can create an account. You know, some of these forums do validate their members in terms of trying to weed out law enforcement or cyber security professionals. So, they do make you come up with a back story and things like that. So, it can be difficult to access these sites, but I think the nature of it is you’re not necessarily going to know exactly who they are. They could be using multiple usernames; they could have different usernames across different platforms, and, you know, that’s one of the reasons they use it. My experience though has been – when it comes to attribution, a lot of these threat actors make mistakes, and, you know, they may in some way connect a username to their true identity, and that’s where things like leaks can be really beneficial, or, you know, if they are on X or something like that, they’ve had the accounts for a really long time, sometimes you can identify phone numbers or email addresses that are associated with them. So, I’m not sure that really answered the question, but I think it’s the very nature of the dark web and the way that these usernames are set up: it’s difficult to know exactly who they are and to validate who they are.

Lorena: How do you know a user, for example, Baster, is the same person on two different sites and not a second person impersonating the first one?

Erin: Yeah, there’s no way to know that really. I think the only way to know that really would be with human analysis, interacting with them on both forums and seeing if there are any similarities in language and things like that, and if they’re using the same information, but it could very well be an impersonation. They do try to validate some of the larger actors, more prevalent actors, where they’re operating and what they’re doing. I would say the dark web is very much built on reputation, and the threat actors like to show off and say what they’ve done and where they’re active and where you can get information from them, but as with all kinds of investigations, you need to validate that data and you have to view it with some skepticism. And so, unless you have followed evidence that suggests they are the same individual, it’s gonna be difficult to do that.

Lorena: Are you using any generative AI or AI in general as a part of your platform or across the research you do?

Erin: Yeah. So, I think AI is definitely the buzzword of the moment, in terms of everyone is jumping on that bandwagon, and I personally think AI is really useful and a really exciting development, and I think a tool that can definitely assist analysts in terms of their investigations, with helping to write scripts and review images and things like that. I’ve seen a lot of demonstrations of how it can be beneficial, and I’ve used it in some capacities myself. We don’t currently have it available in Vision through the tool. It is something that we are analyzing in terms of how we can use AI to best enrich our data and the information that we have. We don’t wanna rush into it in terms of adding just AI for the sake of AI. We want to make sure that it’s something that is beneficial to our users, and so, as I said, we’re analyzing it and seeing what the best approach is. But you know, I can certainly think of some ways, in terms of that previous question of threat actors, of having it analyze language patterns and things like that to see if there are correlations, being able to identify particular attributes within kind of the data that we’re collecting, etcetera. So yeah, not something that we currently support, but definitely something that we are actively looking to support in the future.

Lorena: How can users on the dark web trust each other and coordinate?

Erin: I don’t think they can trust each other. To be honest, I mean, these groups are very nebulous. You constantly see chatter between these groups, accusing each other of being FBI agents or other law enforcement. They all think that people are watching them, which is probably true. And so I think the way that they probably grow those relationships that we see is taking the conversations and the communications to more direct messaging. So, something that we wouldn’t necessarily have sight of, but as I kind of alluded to before, a lot of it is built on reputation and trust, and there are reviews. So, for instance, if you’re a seller of malware or drugs or something like that, people leave reviews. And if you haven’t spent, if you’ve stolen the money and not sent the goods, that will be reflected. If you have sent something that’s not good quality, you’ll get those reviews as well, and these threat actors can be pretty vindictive. So, you know, you do get people getting doxed, all of their information being shared and being accused of certain things, their personal addresses being put out on the Internet. And you know, there have been cases of real-world attacks where someone will say this person lives here and they have this much Bitcoin, and people have tried to kidnap them. So, I think you can’t really trust anyone, and you have to be very careful. But that’s kind of the community and the activity that they enter into, to be honest.


Check out our 1-Pager on why darknet data is important in OSINT investigations.

Gaming and the Darknet

July 08, 2024

In celebration of National Video Game Day on July 8th, this blog examines the intersection between gaming and darknet communities, notably instances of criminal activity targeting gamers or carried out by gamers themselves. This blog will highlight the prevalence of hacking in gaming communities—stolen accounts, pirated games, leaked data, etc.—as well as the infiltration of violent extremist ideologies into certain gaming communities. Our previous blog looking at the intersection of streaming, gaming, and the darknet can be found here.

Open-source research reveals an extensive game-hacking community on the deep and dark web. The community consists of individuals on forums, channels, servers, and marketplaces that target gamers and gaming software to gain unauthorized access to systems and accounts. The targets of these hacking efforts most often include user accounts on a variety of online games, notably League of Legends, Minecraft, Fortnite, and Roblox. Hackers may “crack” accounts by utilizing usernames and passwords previously leaked in data breaches or by targeting young or naïve players through chat features. These “cracked” accounts are subsequently sold on the darknet, where their prices are determined by factors such as account level, collection of rare characters, amount of in-game currency, or inventory of in-game items (such as collectable character “skins”).

Figure 1: Genshin Impact account for sale; Source: DarkOwl Vision

Recent data points to an increase in compromised accounts over the past few years across several games. Figures released in 2024 revealed that Roblox, one of the most targeted online games, saw a 231% increase in hacked accounts in 2023 compared to 2021. In addition to the games themselves, gaming platforms such as Steam have also been increasingly targeted; these accounts are often even more appealing to hackers as they may be linked to credit cards and can thus allow for real-money theft as well as in-game currency theft.

In addition to hacking users’ gaming accounts and selling them on the dark web, hackers also target the games themselves. “Cracked” or pirated games are frequently distributed by hackers on the darknet either for free or at a reduced cost. Not all games, however, are hacked with the intention of distributing pirated software; malicious actors also target game servers in the interest of leaking data. In June of 2023, for instance, hackers carried out a cyberattack against GSC Game World—the Ukrainian video game developer behind S.T.A.L.K.E.R 2: Heart of Chernobyl—and leaked builds from the game online. GSC Game World was also targeted by Russian hacktivists earlier that year, who threatened to release game data if their demands were not met by the developer. It’s worth noting that the malicious actors who engage in these leaks are not always hacktivists. Most recently, in June of 2024, Disney’s Confluence server was hacked by individuals believed to be fans of the massively multiplayer online game (MMO) Club Penguin. The hackers stole 415 MB of Club Penguin data from the server and the data was subsequently shared on 4chan.

Figure 2: Cracked Gaming Websites; Source: Dark Owl Vision

Unfortunately, game leaks are not always limited to game data. While the Club Penguin fans targeted data related to the game, they also stole and leaked internal, business-related Disney data. There have been other instances in which hackers have stolen and leaked not only the targeted company’s business data, but also its employees’ personal information. In 2023, the ransomware group “Rhysida” leaked 1.67 TB of data stolen from Insomniac Games, which—in addition to footage and images from the upcoming Wolverine game—also included employees’ personal information. Specifically, the leak included passport scans and HR files, thereby resulting in the doxing of more than 400 Insomniac Games employees.

In addition to continued hacking efforts, online gaming communities have been increasingly targeted and infiltrated by violent groups and individuals seeking to harass, extort, radicalize, promote hate, and inspire acts of violence. These violent extremist groups have successfully co-opted gaming aesthetics and features—such as leaderboards and livestreams—in an effort to gain supporters. For instance, the white supremacist “Terrorgram” network on Telegram consistently posts “Saints Calendars” and “Saints Cards” meant to commemorate individuals—dubbed “saints”—who have carried out far-right attacks. The militant accelerationist group engages in the gamification of violence by releasing saint cards in the style of trading cards and including details such as “kill counts.” The more victims a terrorist claims in an attack, the more “points” they receive and the more likely they are to receive the “saint” title.

Moreover, as highlighted in a 2023 Global Network on Extremism & Technology (GNET) report, this gamification is further achieved by the repeated live streaming of mass shootings, which allows viewers to experience the attack from a first-person shooter (FPS) perspective often utilized in games. This visual choice—as seen with the 2019 Christchurch attacks—can facilitate viewers’ identification with the perpetrator while simultaneously emotionally distancing them from the victims. The sheer reach of livestreamed attacks (the 2022 Buffalo shooting was viewed “more than 600,000 times in less than 24 hours”), combined with their ability to generate a connection between perpetrator and viewer, threatens to radicalize more individuals and inspire similar attacks.

Apart from the adoption of gaming aesthetics and features, the gamification of violent extremism is made even more apparent by the actual creation of new or “modified” violent games by extremist groups and individuals. Open-source research on the deep and dark web reveals a slew of video games created since the early 2000s which allow players to target at-risk communities. Targeted groups most often include the Jewish and LGBTQ+ communities, with the 2002 antisemitic video game Ethnic Cleansing being one of the most notorious. Many of these games also recreate previous attacks—including the Christchurch shootings and the Pittsburgh synagogue shooting—in existing games like Roblox. Such modifications of existing games are referred to as “mods.” Other than white supremacist groups and individuals, Foreign Terrorist Organizations (FTOs) including ISIS and Hezbollah have also created extremist video games meant to radicalize and inspire. While it is believed that the vast majority of these games reach a self-selected audience with an existing interest in violent extremism, they may nonetheless play a key part in further radicalizing individuals and bringing them closer to carrying out attacks in the real world.

Figure 3: Antisemitic Video Game; Source: Dark Owl Vision

In addition to the creation of extremist video games, the platforms gamers use to communicate have also been infiltrated by individuals seeking to identify targets for radicalization and exploitation. This targeting is particularly prevalent on the darknet-adjacent platform Discord, where there have been numerous instances of children being groomed for violence and/or sexual exploitation. Among these violent groups is the notorious web of Discord servers originating from, or affiliated with, the group “764,” which has become increasingly active since late 2023. The 764 network overlaps with violent extremist and militant accelerationist movements—notably the Satanist, neo-Nazi group Order of the Nine Angles (O9A). In September of 2023, the Federal Bureau of Investigation released a Public Service Announcement warning of the 764 network’s ability to use “extortion and blackmail tactics, such as threatening to SWAT or DOX the minor victims […] [to] manipulate and extort minors.” Victims are often pressured to engage in self-harm and animal cruelty, share sexually explicit images or videos, and commit suicide. Members of affiliated Discord servers and Telegram channels have also been observed engaging in mass swatting and doxing efforts, most often targeting one another.

Open-source research reveals overlap between gaming communities and criminal activity on the deep and dark web. Instances of hacked gaming systems and accounts remain prevalent, with recent figures highlighting an increase in hacked gaming accounts over the past few years. Gaming platforms have proven to be desirable targets for hackers seeking to sell cracked accounts and engage in real-money theft. Hackers also continue to successfully carry out cyberattacks against video game developers, often releasing company data and employees’ personally identifying information (PII) in ensuing leaks. As such, it is recommended that organizations be on alert for any possible leaks affecting their data.

Research also points to a persistent infiltration of violent extremist ideologies into gaming platforms. Many gaming communities have become hotbeds for violent extremist groups and individuals, who utilize chat-enabled online spaces to promote violent narratives and radicalize users. Young gamers are particularly vulnerable to radicalization and recruitment efforts, as evidenced by numerous instances of teenagers being groomed for violence and sexual exploitation across multiple platforms. Continued reports of harmful and criminal activities carried out by individuals in the gaming space signal a need to address the rampant exploitation of gaming by criminals. It is critical to emphasize that these activities do not represent the entire gaming space: for many, gaming is a key source not only of enjoyment, but of community. In an interconnected world, online games have the ability to bring together individuals from around the world and foster a sense of belonging. So, rather than vilifying gaming communities, it is vital that steps are taken to address the infiltration of criminal activities, hate, and violence in order to combat the victimization of gamers.


Don’t miss any research from DarkOwl analysts. Subscribe to email.

Security Threats Emerging from AI

July 02, 2024

At the beginning of 2024, the National Institute of Standards and Technology (NIST) issued a warning about cybercriminals and other nefarious actors using Artificial Intelligence (AI) and Adversarial Machine Learning technologies to enhance their malicious operations. There are, of course, state-sponsored threat actors and actor groups who are also focusing on the malicious use of AI in their operations. These include Russia’s Fancy Bear a.k.a. Forest Blizzard, North Korea’s Kimsuky a.k.a. Emerald Sleet, and Crimson Sandstorm.

DarkOwl, leading experts of the underground digital realm, witnessed threat actors of both groups (state-sponsored and government agnostic, independent actors) actively trading tips on various dark web platforms about the best AI tools to use, as well as effective tactics, techniques, and procedures (TTPs). Throughout the first part of 2024, threats to security stemming from AI have been frequently discussed, and tools were sold on the dark web and dark web adjacent chat platforms, such as Telegram.

This blog aims to take a high-level look at the types of conversations threat actors are having, as well as the tools they are selling, to carry out their mission(s) using malicious techniques and AI tools, so that we can best share the typical uses of AI in malicious operations.

AI trains on massive amounts of data, so a logical threat to begin with is data poisoning. This involves manipulating the information used to train systems, because what is put in shapes the output. Malicious actors intentionally inputting erroneous, biased, or hateful data spread misinformation, degrade overall performance, and introduce biases that can divide and harm society. Online groups have been observed attempting to poison information to produce pro-extremist, pro-violence, pro-war, racist, and misogynistic themes and output at large scale, using AI tools:

Figure 1: A March 2024 Telegram user claims that training AI to only produce material that society claims is acceptable is not the goal, and that they want [sic] “uncut, explicit, super controversial content”; Source: DarkOwl Vision
Figure 2: A Telegram user posts that Google’s Gemini tool is being fed “woke” material to spread diversity to society; Source: DarkOwl Vision

Extremist views regarding AI, and what these extremists view as countering “wokeness” are discussed across 4chan, Discord, and the aforementioned Telegram platform, as well as on underground forums.
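The mechanism described above, shown on a small scale as an added example (not DarkOwl code): a stdlib-only Naive Bayes chat-moderation classifier is trained on trusted rows, then a batch of label-flipped rows (abusive text deliberately labelled "clean") is mixed in and the model starts passing abusive messages. Two defender checks follow, a held-out trusted validation set and an audit of submitted rows against a model trained only on trusted data; every sentence is constructed for this example.

```python
"""Label-flipping data poisoning against a tiny content-moderation classifier.

Added example, not DarkOwl code. All training, submitted and validation
sentences are constructed; the classifier is a stdlib-only multinomial
Naive Bayes with Laplace smoothing.
"""
from collections import Counter, defaultdict
import math
import re


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial Naive Bayes, bag-of-words, add-one smoothing."""

    def __init__(self):
        self.class_counts = Counter()
        self.word_counts = defaultdict(Counter)
        self.vocab = set()

    def fit(self, rows):
        for text, label in rows:
            self.class_counts[label] += 1
            for tok in tokenize(text):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)
        return self

    def _log_score(self, text, label):
        total = sum(self.class_counts.values())
        score = math.log(self.class_counts[label] / total)  # log prior
        n_words = sum(self.word_counts[label].values())
        for tok in tokenize(text):
            count = self.word_counts[label][tok]
            score += math.log((count + 1) / (n_words + len(self.vocab)))
        return score

    def predict(self, text):
        return max(self.class_counts, key=lambda lab: self._log_score(text, lab))


# Training rows reviewed by the defender (constructed).
TRUSTED = [
    ("you are worthless idiots", "toxic"),
    ("shut up you garbage", "toxic"),
    ("idiots like you are garbage", "toxic"),
    ("worthless trash shut up", "toxic"),
    ("thanks for the help friend", "clean"),
    ("great game everyone well played", "clean"),
    ("welcome to the server have fun", "clean"),
    ("thanks everyone great match", "clean"),
]

# Rows submitted from an untrusted source, e.g. crowd-sourced labels (constructed).
# The first eight are label-flipped poison; the last two are legitimate.
SUBMITTED = [
    ("you idiots are worthless garbage", "clean"),
    ("shut up worthless idiots", "clean"),
    ("garbage idiots shut up", "clean"),
    ("worthless garbage you idiots", "clean"),
    ("shut up idiots", "clean"),
    ("you are garbage", "clean"),
    ("you worthless garbage shut up", "clean"),
    ("shut up you idiots", "clean"),
    ("great match thanks everyone", "clean"),
    ("welcome friend have fun", "clean"),
]

# Held-out trusted validation set, never mixed into training (constructed).
VALIDATION = [
    ("shut up you worthless idiots", "toxic"),
    ("you worthless garbage idiots", "toxic"),
    ("thanks for the help", "clean"),
    ("welcome everyone have fun", "clean"),
]


def accuracy(model, rows):
    hits = sum(model.predict(text) == label for text, label in rows)
    return hits / len(rows)


def audit_submitted(trusted, submitted):
    """Flag submitted rows whose label disagrees with a trusted-only model.

    A high flagged fraction means the batch should be quarantined for
    human review rather than merged into the training pool.
    """
    reference = NaiveBayes().fit(trusted)
    return [(t, lab) for t, lab in submitted if reference.predict(t) != lab]


def run_demo():
    clean_model = NaiveBayes().fit(TRUSTED)
    poisoned_model = NaiveBayes().fit(TRUSTED + SUBMITTED)  # naive merge
    probe = "shut up you worthless idiots"
    flagged = audit_submitted(TRUSTED, SUBMITTED)
    return {
        "clean_prediction": clean_model.predict(probe),       # toxic
        "poisoned_prediction": poisoned_model.predict(probe),  # clean
        "clean_accuracy": accuracy(clean_model, VALIDATION),   # 1.0
        "poisoned_accuracy": accuracy(poisoned_model, VALIDATION),  # 0.5
        "flagged_fraction": len(flagged) / len(SUBMITTED),     # 0.8
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Ten submitted rows are enough to flip the probe's verdict and halve validation accuracy, and the trusted-only audit flags exactly the eight poisoned rows, which is the check to run before any externally sourced labels reach a training pipeline.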

A separate threat concerns prompt injection, in which an attacker shapes the output of an AI system by feeding it meticulously crafted prompts or cues. When the prompts are malicious in nature, the result is malicious output. Incidents involving this could include prompting a system to reveal sensitive, personal data:

Figure 3: A Telegram user discusses a prompt injection game in February, 2024, with the intent of getting AI to give away “sensitive data”; Source: DarkOwl Vision

Or prompting a system to output racist/sexist hate speech based on biases and maladaptive thinking:

Figure 4: A 4chan user discusses the possibility of using a racist LLM to call out certain groups of people in April, 2024; Source: DarkOwl Vision

Nightshade, mentioned in the figure below, is a specific tool discussed and sold on the dark web as well as its adjacent platforms. Nightshade arose as a vehicle to help content creators prevent their content from being automatically included in generative AI training. Nightshade turns images into “poisoned” samples. If a model is trained on these images without the artists’ consent, or without respect to copyright, the “poisoned” images introduce unexpected and abnormal behavior, changing the image output, introducing errors, and degrading the accuracy of the output. Nightshade is considered an offensive tool:

Figure 5: Users in a Russian telegram channel discuss the Nightshade AI tool in February 2024, specifically and intentionally used for data poisoning; Source: DarkOwl Vision

WormGPT emerged as one of the most public, malicious adaptations of an AI model. Unlike other AI tools, the author of WormGPT included no limitations in the tool, which means WormGPT users can use it for malware generation, among other criminal operations. Protective efforts against another emerging threat, automated malware generation, also have a large presence on the dark web and its adjacent platforms. Since inception, certain language models have shown only limited proficiency in computer coding/programming. The more these initial efforts are corrected, trained, and improved, the better the models get at producing malware, increasing the attack surface. As of now, the cost of many AI tools online is not especially high, allowing for high sales volume and elevated use:

Figure 6: A Telegram user advertises WormGPT for sale for $17 USD in April 2024; Source: DarkOwl Vision
Figure 7: A user on a criminal forum asks for help procuring various malicious AI tools (while reviewing their capabilities) in April, 2024; Source: DarkOwl Vision

Protecting systems from malicious AI and enhancing overall security features is still a work in progress when it comes to AI and machine learning in general. The good news is that as quickly as the discussion and implementation of AI tools emerged, simultaneous conversations occurred surrounding the security and protection of these AI tools and systems. The traditional cybersecurity threat intelligence community, still grappling with protecting traditional cyber platforms and tracking bad actors, immediately set to work issuing warnings about the threats facing AI. However, the essential need for this was recognized, and conversations are happening at every level to properly protect AI and machine learning while taking advantage of its benefits.


Threat Intelligence RoundUp: June

July 01, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police arrest Conti and LockBit ransomware crypter specialist – Bleeping Computer

The Dutch police and the Ukraine cyber police revealed this week that they arrested a man in April 2024 who worked with both the Conti and LockBit ransomware gangs. The man, whose name has not yet been revealed, made ransomware payloads fully undetectable and sold his skills to both groups. He also directly participated in at least one ransomware attack himself. Full article here.

2. Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks – Dark Reading

With increased geopolitical tensions around the globe and constant connectedness of devices, industrial control system (ICS) experts Rockwell Automation emphasized Cybersecurity and Infrastructure Security Agency’s (CISA) previous warning about water supplies, telecommunications companies, power plants, and more sensitive, daily life services coming under digital attack. Russia, Iran, and China are all leading malicious campaigns to disrupt daily services and stoke fear among civilian populations. Read more.

3. CISA warns of criminals impersonating its employees in phone calls – Bleeping Computer

The Cybersecurity and Infrastructure Security Agency (CISA) publicly warned that threat actors are impersonating CISA employees for financial gain. Actors are calling people and asking for cryptocurrency, gift cards, cash, and other financial resources. CISA provided a hotline for individuals to call, and report attempted impersonation and scam phone calls. This is the second such campaign in a year. Article here.

4. ONNX phishing service targets Microsoft 365 accounts at financial firms – Bleeping Computer

A new Phishing-as-a-Service (PhaaS) platform, ONNX Store, is targeting the Microsoft 365 accounts of financial-sector employees using malicious QR codes in PDF attachments. The operation uses Telegram bots and can bypass multi-factor authentication (MFA). The main threat is the bots posing as an HR employee, offering “raises” or salary discussion to employees of credit unions, banks, and other financial firms. Read article.

5. Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware – The Hacker News

Governments and critical infrastructure around the globe were heavily targeted between 2021 and 2023 by gangs such as ChamelGang (CamoFei), and a ransomware variant known as CatB. The goal of these attacks, conducted by both Chinese and North Korean actors who have a suspected overlap, was espionage. ChamelGang also uses Cobalt Strike in its operations. Full article here.

6. Microsoft Uncovers ‘Moonstone Sleet’ — New North Korean Hacker Group – The Hacker News

“Moonstone Sleet” recently debuted as one of the newest North Korean hacker groups. Thus far, the group has been observed using fake companies to lure possible job applicants as targets, and then deploys trojans and in some instances, a new custom ransomware. Microsoft states that the new collective also has overlap with Lazarus group, in some instances. However, it has its own unique tactics, techniques, and procedures (TTPs) which occur on completely different infrastructure than Lazarus Group. Code reuse from the Comebacker malware also targets security researchers. Full article.

7. BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder? – The Hacker News

Only two weeks after an international law enforcement operation took the onion website and Telegram channel for BreachForums offline, one of the domains – breachforums[.]st – returned to operation with a user named “ShinyHunters” operating it. This time, however, users are required to establish a user account before viewing the site’s content. Read more.

8. Empire Market owners charged for enabling $430M in dark web transactions – Bleeping Computer

Continuing the global trend of cracking down on online criminal marketplaces and actors, “Dopenugget”, real name Thomas Pavey, and “Sydney/Zero Angel”, real name Raheim Hamilton, were charged by the US Department of Justice. While it is suspected they began their activity on AlphaBay, the men eventually went on to facilitate transactions for stolen credit card numbers, narcotics purchases, and other criminal underground material on Empire Market with a value of approximately $430 million. Read here.

A new “V3B” phishing kit is on Telegram, used to target financial institutions in the Netherlands, Austria and Germany, Finland, Italy, and several other European countries. The kit runs between $130 – $450 a month and has customization options. The Telegram channel selling it has approximately 1,250 members as of the time of this writing and is expected to grow due to ease of use and availability. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl Deepens International Relationships at ISS World Europe

June 28, 2023

Earlier this month, DarkOwl participated in ISS World Europe in Prague. ISS World Europe prides themselves on being “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl this year at ISS World Europe was David Alley, CEO of DarkOwl FZE based in Dubai, Magnus Svärd, Director of Strategic Partnerships, and Caryn Farino, Director of Client Engagement, both based out of DarkOwl’s headquarters in Denver, CO.

As is the norm at ISS Prague, the networking opportunities with current clients, partners, opportunities and net new prospects alike are well worth the travel across the pond. The team saw great international attendance and interest this year, with visitors to the booth from Sweden, Germany, Italy, Turkey, Hungary, The Czech Republic, Serbia, Spain, South Africa, Latvia, Lithuania, Estonia, The Netherlands, France, UK, Poland, Ukraine, Romania, Bosnia-Herzegovina, Saudi Arabia, Israel, among others. For the time at any ISS event, Magnus noted, “Our number of engagements on the booth needed a minimum of two people on the booth; three would be better as we were not able to engage with everyone that came to the booth.” What an incredible turnout! The team is excited to nurture these conversations and, needless to say, looks forward to next year’s event! In addition to the great conversations at the booth, the team hosted a dinner with Pegasus Intelligence, with whom DarkOwl works to provide cutting-edge security solutions to government and military clients.

Throughout the event, top minds of the space share the latest technology, trends and thought leadership in the cyber community. Tracks this year included: Investigating DarkWeb, Bitcoin, Altcoin and Blockchain Transaction, Threat Intelligence Gathering and Cyber Security Product Training, Social Network Monitoring, Artificial Intelligence and Analytics Product Training, LEA, Defense and Intelligence Analyst Product Presentations, Lawful Interception and Criminal Investigation Training, Mobile Signal Intercept Product Training and Presentations, Electronic Surveillance Training and Product Presentations, and 5G Lawful Interception Product Training.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to obtaining proactive situational awareness in support of national security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies, to uncover human trafficking, opioid sales, terrorism, security issues, and other illegal activity, making it a natural tool for this audience to dive into.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

The first day of the event, before booths were open, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. The team is thrilled to share that the conference room was filled to the brim with standing room only. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.

Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. You can read more about Vision UI here.


DarkOwl looks forward to continuing our global presence at ISS events. You can see where we will be next and request time to meet with us here.

Scattered Spider: Update on Arrests

June 27, 2024

As DarkOwl has previously reported, a group known as Scattered Spider has been attributed with several high-profile attacks, including against MGM casinos and Caesars Palace. They are known to use social engineering techniques to target call center staff in order to gain access to systems. Active since early 2022, Scattered Spider is also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, and is largely financially motivated.

Although many cyber security researchers hypothesized that the actors were Western-based, due to the times that they operated and the language used, little is known about the individuals behind the attacks. Although the group has been named Scattered Spider by researchers, it is thought that there are many different groups of individuals who have been involved in this and other nefarious activity.  

The FBI announced in May that it was seeking to charge members of the Scattered Spider group. However, the first individual purported to be a member of Scattered Spider was arrested in January 2024 in Florida: Noah Michael Urban, 19, was charged with stealing $800,000 from five victims. He is awaiting trial.

On June 14th, VX Underground reported via X (formerly Twitter) that a 22-year-old British man had been arrested in Palma de Mallorca, Spain. The arrest was reported to be part of a multi-agency operation between the FBI and Spanish authorities.

An official statement said that the individual was alleged to be behind a series of large enterprise “hacks” which resulted in the theft of corporate information.

Further reporting indicated that the individual arrested used the alias “Tyler” and that he was a SIM swapper allegedly involved in the Scattered Spider group. VX Underground reported: “Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.”

A video was circulated online which purported to be this individual being arrested by Spanish authorities, which happened as he attempted to board a flight to Italy.  

Scattered Spider is also reported to be behind the Oktapus campaign, which used SMS phishing to target several high-profile organizations. The arrested individual was reported to be active in SIM swapping.

Brian Krebs later reported that the individual arrested was Tyler Buchanan from Dundee, Scotland who used the alias “tylerb” on sim swapping channels. 

Searching for further information relating to Tyler Buchanan in DarkOwl Vision highlights that the individual was doxed in January of this year. Details were shared on the Doxbin site, including his full name, address, telephone numbers, email addresses, IP addresses, usernames and social media accounts.

The post appears to have been made by a rival, who shares the information in retaliation for Buchanan talking about him and states that he has made money off Buchanan whereas Buchanan has none.

But this was not the first time this individual was the victim of a dox, with other posts identified in 2023 which include financial information and information about his family members. Another post was found as early as 2019.

A review of the usernames listed highlights that Buchanan was also active on several dark web markets selling financial information.  

Further reporting from Krebs indicated that Buchanan had been subject to an attack from a rival trying to access his cryptocurrency keys. In that event his mother was assaulted, highlighting the real-world risks posed by these criminal groups and by sharing their information online.

We will await further information from law enforcement on what Buchanan is charged with.  



The Importance of Darknet Data in OSINT Investigations



Investigators need to have access to the right sites, many of which require high levels of authentication and interaction with threat actors. Navigating darknets can be frustrating and challenging. DarkOwl analysts have extensive experience working within darknets to ensure safety, compliance, and expert knowledge. Learn more about how we can help.

StarFraud Chat – Telegram Channel Analysis using A.I.

June 19, 2024

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels are used by threat actors to communicate, sell illicit goods and share disinformation, among other activities. Monitoring these channels is important to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.

However, the amount of data that can be included in these channels can be very large in volume. DarkOwl, therefore, wanted to establish if AI (artificial intelligence) could be used to analyze the data included in a specific channel and what could be discerned from that data.  

Disclaimer: This blog is based on AI analysis of a Telegram channel’s content, covering the period August 2022 to February 2024. DarkOwl does not take responsibility for the analysis conducted; it is shared for informational purposes only. Other AI platforms are available.

The Telegram channel “Star Fraud Chat” was selected for analysis to see what information could be gleaned about this group from its activity on Telegram. This group has been attributed by security researchers to a group known as Scattered Spider, which is assessed to have been responsible for the attack on MGM Casinos. Furthermore, they are assessed to be part of a group which describes itself as “the Com”, which is reported to conduct cyber attacks as well as cyber bullying and swatting attacks.

Figure 1: Profile page for StarFraud Chat 

DarkOwl analysts used open-source tools to extract a download of the Telegram chat content from when it was started in August 2022 to February 2024. This generated a CSV file which included the usernames of participants, timestamps of activity, content, media shares, replies, and reactions. ChatGPT was then used to analyze the CSV file, with specific questions being asked to identify what information could be gleaned.  

This blog was written with a mix of AI analysis produced directly by ChatGPT as well as analyst review and enrichment.  

ChatGPT was asked to analyze the CSV file to see what information could be found. It initially had issues due to the formatting of the document but was able to overcome these issues after a few tries.  

The initial attempt to read the CSV file encountered issues due to irregularities in the data format, such as varying numbers of fields per line and improperly escaped or quoted strings. By inferring the delimiter and adjusting parsing strategies, we successfully re-parsed the data using a semicolon (;) as the delimiter. This correction allowed us to structure the dataset properly, revealing 56,210 rows and 42 columns, including information on message IDs, display names, user IDs, message texts, timestamps, and reactions. 

First, we wanted to understand which topics were most commonly being discussed in this Telegram channel to understand what threat that the users of this channel could pose. We therefore asked ChatGPT to analyze the message content itself and provide us with a summary of what was discussed.  

The most common words in the messages are general and do not provide specific insight into the topics discussed. To better understand the themes, we should look for specific terms and phrases related to the context of the chat. 

Key Observations: 

  1. Fraud-related Terms
  • Words like “debit,” “pin,” “balance,” “card,” and “verified” suggest discussions about fraudulent financial activities and the exchange of sensitive financial information. 
  2. Communications
  • Common conversational terms like “you,” “me,” “for,” “is,” and “on” indicate typical interactions among users. 
  • Informal and slang terms like “lol” and “bro” indicate casual communication. 
  3. User Mentions
  • Usernames and mentions, such as “@FENTOPENUPS” and “@bankopendropps,” likely reference specific users or groups within the chat. 

We wanted more information, so we then asked ChatGPT to do a deeper analysis of the text used related to fraud and take samples of the data. ChatGPT itself suggested ways in which we may be able to conduct further analysis. The output was as follows: 

Summary of Topics Discussed: 

  1. Sale of Financial and Personal Information
  • Users are discussing the sale and exchange of debit cards, ATM PINs, verified personal information (SSN, DOB), and related financial details. 
  2. Resetting and Hacking Services
  • Offers for resetting email accounts and other services for specific fees, indicating a market for hacking services. 
  3. Social Engineering Techniques
  • Strategies for social engineering and cashing out from accounts, including profit-sharing details and specific email domains targeted. 
  4. Account Requests
  • Requests for various types of accounts, such as Netflix, indicating a broader market for access to subscription services and accounts. 
  5. Panel Management and Availability
  • Discussions around the availability and longevity of panels, which could relate to account management services or access points for various fraudulent activities. 

The chat primarily revolves around fraudulent activities, including the sale of financial and personal information, hacking services, social engineering techniques, and requests for various account types. There is also a market for managing and providing access to certain panels or services related to these activities. This environment indicates a highly active and diverse exchange of illegal services and information.

Once the document had been reviewed and we understood what information was being discussed, we then wanted to understand more about the users of the channel. We began to ask ChatGPT specific questions about the users starting with an analysis of which users were the most active. 

The analysis determined the most active users based on the number of messages sent. The top 10 most active users are: 

1. **”.”** – 1,076 messages 

2. **netbox** – 1,062 messages 

3. **ㅤ** (a whitespace character) – 718 messages 

4. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 697 messages 

5. **ʹ** (a single quote) – 504 messages 

6. **Osama (GENERATING)** – 469 messages 

7. **Perc** – 468 messages 

8. **bloed** – 347 messages 

9. **Systoned** – 327 messages 

10. **boomb** – 320 messages 

These users have significantly contributed to the conversation, making them central figures in the community. 

The analysis highlighted that many of the most active users did not have a specific display name, with punctuation or blank spaces being used instead. This analysis also did not account for the fact that users are able to change their display names, so messages from the same user may appear in the data under different names. It is possible to conduct this analysis based on the user IDs, as those were included in the data extracted from Telegram.

The admins of the channel are listed on the Telegram channel page; this includes a bot which is likely used to administer new joiners etc. None of these appear in the most active users:

Figure 2: List of StarFraud Chat admins 

We then wanted to establish if we could look at the activity on the channel from a different perspective: not just who had posted in the chat, but who had reacted. Telegram users can react to posts using emojis. We looked at which users’ posts had received the most reactions from other users.

Reactions to messages indicate the level of engagement and resonance of user contributions. The users who received the most reactions are: 

1. **Star Sanctuary** – 34 reactions 

2. **netbox** – 15 reactions 

3. **Jack** – 12 reactions 

4. **ㅤ** (a whitespace character) – 9 reactions 

5. **.** (a period) – 8 reactions 

6. **Perc** – 6 reactions 

7. **digital cannibal** – 6 reactions 

8. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 6 reactions 

9. **Stardusts in my memoryCard** – 5 reactions 

10. **Panama Creative** – 5 reactions 

This list highlights the users whose contributions garnered the most engagement from others. 

This list did include posts by some of the admins; the number of reactions, given the volume of posts, appeared to be relatively low.

We then wanted to understand how the users were interacting. To do this, we asked ChatGPT to analyze replies between users. However, this did not take into consideration the nature of the posts, as some posts may garner more interest than others. Added context would be needed to understand how the users were interacting.

Understanding who interacts with whom provides insights into the community dynamics. The top user interactions, based on reply activity, include: 

1. **’** replied to **fan (real)** – 6 times 

2. **Perc** replied to **netbox** – 5 times 

3. **nef** replied to **boxingloves** – 5 times 

4. **Systoned** replied to **Osama (GENERATING)** – 5 times 

5. **ㅤ** (whitespace character) replied to **Osama (GENERATING)** – 4 times 

6. **Osama (GENERATING)** replied to **Systoned** – 4 times 

7. **ㅤ** replied to **geekypoo** – 3 times 

8. **Osama (GENERATING)** replied to **ㅤ RR BB** – 3 times 

9. **King** replied to **𐕣₩** – 3 times 

10. **netbox** replied to **Uno[Shop in Bio]** – 3 times 

These interactions highlight the most engaged pairs of users within the community. 

However, this again did not take into consideration that display names can change, nor does it factor in who made the most replies, which user generally received the most replies, or to what content. It is possible that this information could be obtained from the data using ChatGPT with more precise questions.

We wanted to see if it was possible to visualize these interactions. Network analysis is a really useful tool for analysts to see connections between individuals, identify who is communicating with whom, and spot patterns. So, we asked ChatGPT to create this visualization and to clean it up.

A network graph was created to visualize the interactions between users. Each node represents a user, and each directed edge indicates that one user has replied to another. This graph illustrates the structure of interactions, showing which users are more centrally involved in conversations and how clusters of users interact more closely with each other. 

Figure 3: ChatGPT generated visualization of user replies 

Being able to review this information can be incredibly useful for analysis and gives us an insight into which users in the StarFraud chat interact the most and are the most active on the channel. Being able to manipulate this graph and see which users are most active could give analysts a starting point for which users it may be most useful to investigate. 

We then wanted to know if it was possible to identify the time that the chat was most active, as this could help us identify which time zone the users were in and so narrow down a location. We therefore asked ChatGPT to review the timestamps.

Analyzing the timestamp data revealed that users are most active at 1 AM, with a total of 3,973 messages sent during this hour. This peak in activity suggests that the majority of users might be located in a specific time zone or find this time particularly convenient for engaging in conversations. 

Figure 4: ChatGPT generated timeline of posts 

However, it was not possible for ChatGPT to identify the time zone without additional context. The timestamps provided by Telegram appeared to be in GMT/UTC, which would indicate that most of the posts were made in the early hours of the morning in Europe, or late afternoon to evening in the US (01:00 GMT is 20:00 US Eastern and 17:00 US Pacific in standard time).

As this analysis was inconclusive, we wanted to see if there was any information in the messages sent which may link to a location. So, we asked ChatGPT to look for this information within the posts.  

A search for location-related keywords identified 152 messages referencing specific locations. Examples include: 

– ““victory park” its a 2 story police department…” 

– “u in middle of street” 

– “ghost town” 

– “smh u the same ni**a scared to meet up and we …” 

– “**🎉 Get the Best RDP/VPS Deal with StealthRDP!…” 

These references vary in context, ranging from conversational mentions to specific addresses or locations. 

This analysis did not add much value as the locations mentioned were very generic in nature, again more specific questions and directions may be beneficial to improve results here, perhaps focusing on country or city locations rather than more generic terms.  
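The workflow above (parse the semicolon-delimited export, rank posters, resolve replies, find the peak hour, look for place names) as an added example in Python; this is not DarkOwl’s tooling or ChatGPT’s output. The column names, the sample rows and the place list are constructed assumptions, not taken from the real export. It keys on user IDs rather than display names, which the post notes can change, skips rows with the wrong field count instead of guessing at them, and shifts the UTC timestamps into a candidate time zone rather than asking the model to infer one.

```python
"""Offline analysis of a Telegram chat export (added example, constructed data).

Assumptions not in the post: the column names below, the ';' delimiter the
post mentions, and the sample rows and place list, all constructed here.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. user 1002 changes display name between rows 2 and 5,
# row 1 has a quoted field containing the delimiter, row 8 is short one field.
SAMPLE_CSV = """\
id;user_id;display_name;reply_to;date;text
1;1001;netbox;;2023-03-01T01:05:00;"selling debit + pin; verified"
2;1002;.;1;2023-03-01T01:07:00;how much bro
3;1001;netbox;2;2023-03-01T01:09:00;dm me
4;1003;Perc;1;2023-03-01T01:15:00;lol
5;1002;ㅤ;3;2023-03-01T13:00:00;still got the card?
6;1001;netbox;5;2023-03-02T01:30:00;yes, balance verified
7;1004;Osama (GENERATING);;2023-03-02T01:40:00;meet up in Dallas or it's fake
8;1003;Perc;;2023-03-02T02:00:00
9;1003;Perc;7;2023-03-02T01:50:00;ghost town lol
"""

# Hypothetical place list; a real one would come from a gazetteer.
PLACE_TERMS = ("dallas", "miami", "london", "dundee")


def parse_export(text, delimiter=";"):
    """Parse the export; rows whose field count differs from the header are skipped."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader)
    rows, skipped = [], 0
    for fields in reader:
        if len(fields) != len(header):
            skipped += 1
            continue
        row = dict(zip(header, fields))
        row["date"] = datetime.fromisoformat(row["date"])  # export is UTC
        rows.append(row)
    return rows, skipped


def top_posters(rows, n=3):
    """Rank by user_id, and list every display name that id has used."""
    counts = Counter(r["user_id"] for r in rows)
    names = defaultdict(set)
    for r in rows:
        names[r["user_id"]].add(r["display_name"])
    return [(uid, c, sorted(names[uid])) for uid, c in counts.most_common(n)]


def reply_pairs(rows, n=3):
    """Resolve reply_to (a message id) to its author's user_id, then count pairs."""
    author = {r["id"]: r["user_id"] for r in rows}
    pairs = Counter()
    for r in rows:
        target = author.get(r["reply_to"])
        if target is not None and target != r["user_id"]:
            pairs[(r["user_id"], target)] += 1
    return pairs.most_common(n)


def most_replied_to(rows, n=3):
    """Users whose messages attracted the most replies, by user_id."""
    author = {r["id"]: r["user_id"] for r in rows}
    received = Counter(author[r["reply_to"]] for r in rows if r["reply_to"] in author)
    return received.most_common(n)


def peak_hour(rows, utc_offset_hours=0):
    """Busiest hour after shifting the UTC timestamps into a candidate zone."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((r["date"] + shift).hour for r in rows).most_common(1)[0]


def place_mentions(rows, terms=PLACE_TERMS):
    """Whole-word matches against a curated place list, not generic words like 'street'."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
    hits = []
    for r in rows:
        m = pattern.search(r["text"])
        if m:
            hits.append((r["id"], m.group(1).lower()))
    return hits


if __name__ == "__main__":
    rows, skipped = parse_export(SAMPLE_CSV)
    print(f"{len(rows)} rows parsed, {skipped} malformed row(s) skipped")
    for uid, count, names in top_posters(rows):
        print(f"user {uid}: {count} messages, display names {names}")
    print("top reply pairs:", reply_pairs(rows))
    print("most replied to:", most_replied_to(rows))
    print("peak hour UTC:", peak_hour(rows), "US Eastern (UTC-5):", peak_hour(rows, -5))
    print("place mentions:", place_mentions(rows))
```

On the sample, user 1002 is counted once despite posting as both “.” and a blank-looking name, and the 01:00 UTC peak lands at 20:00 once shifted to US Eastern, which is the sort of check the post notes ChatGPT could not make on its own.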

The analysis of StarFraud Chat provides valuable insights into user activity, engagement, and interaction patterns. By understanding the most active users, the times of peak activity, and the dynamics of user interactions, we can better understand how this group is operating and where best to focus our analysis. We can also analyze the topics discussed to understand what threats this group poses.  

This also highlights how AI can be used by analysts to assist in their investigations, speeding up the review of large amounts of data. However, these specific examples also highlight the importance of asking AI models very specific questions and ensuring they understand the information you are seeking; these models are only as good as the seed questions being asked.


Questions about how AI impacts DarkOwl’s darknet data collection? Contact us.

Site Spotlight: Doxbin

June 15, 2024

DarkOwl analysts regularly follow darknet threat actors, marketplaces and sites. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.



The site Doxbin is a paste site which allows users to post text about other individuals, usually containing personally identifiable information (PII). Information is posted for a range of alleged reasons, which are usually given in the title of the dox, and a dox can contain extensive information about an individual. Although the site is currently hosted on the clearnet and maintains an official Telegram channel, it originally operated as an .onion site and is still used by dark web affiliated individuals.

In this blog, we explore the history of the site, who is behind it and the impact that it can have on the victims of a dox, as well as alleged recent activity related to the reported owner.  

To understand the purpose of Doxbin and how it is used, we must first understand the concept of “Doxing”.  

Doxing is the act of publicly providing PII and other data about an individual or organization without their consent. In recent years this has predominantly been done using the internet, a practice that began in the late 1990s. The act of doxing an individual is not, in and of itself, necessarily illegal; much depends on how the information shared was obtained. Most data shared is likely obtained from data brokers and social media sites, although some is obtained through illegal means. Regardless of how the data is obtained, the purpose and outcomes are usually nefarious: online shaming, extortion, targeting, stalking, and hacktivism operations. The law has not yet caught up with this practice and it is difficult to prosecute the sharing of publicly available information. However, this is beginning to change, as outlined below.

Doxbin is a site that facilitates doxing. It is a paste site that allows users to upload any text-based content relating to individuals. It is exclusively used to share data about others or elicit more information about others. 

The current controllers of Doxbin state that any text can be uploaded to the site, the only limitations being that it must not be spam, child sexual abuse material (CSAM), or something that violates the laws of the hosting country (domain and IP analysis linked to the site suggests that it is hosted in Russia and uses DDoS-Guard to protect the site from bot attacks). They also state that support of terrorism or threats of physical violence are not allowed.

However, in practice there is very little that cannot be posted and often information is shared in the hope that an individual will be targeted in some way – including risks of physical violence. A reason does not need to be provided, although one often is, and nothing is validated.  

The current administrators of Doxbin have posted a lengthy description on their site about how it was founded and is currently run. In this description, they describe this iteration of the site as having been active since early 2018, being created by kt and Brenton “as a place to store personal doxes as an alternative to platforms which were not satisfactory.”

However, the name/site “Doxbin” has a history that precedes this. Doxbin was originally launched in May 2011 on the dark web by an individual using the alias “nachash” as a pastebin for posting the personal information of others. The site was eventually seized by law enforcement, with the FBI and Europol taking down Doxbin in November 2014 as part of Operation Onymous, which also took down several other .onion sites, primarily those related to the sale of drugs, and led to the arrest of several individuals.

In 2019 it was reported that Doxbin was being controlled by a white supremacist group, who were using the site to maintain a list of swatting (more on that later) targets. In 2020 the controller was arrested by the FBI.

In 2022, the site was reportedly purchased by a threat actor associated with the group Lapsus$, using the alias “White”. However, it is alleged that due to bad management of the site, users started to target White and he himself was doxed. Before this occurred, White leaked the Doxbin data set, which included private doxes that had not been published. The information contained in the dox of White, which included videos of his home, proved to be accurate. Arion Kurtaj was later arrested and prosecuted for his role in several data breaches as part of his association with Lapsus$.

The current iteration of the site, which is on the clearnet rather than Tor, states that it is no longer affiliated with “nachash” and that he left the operation in 2015. It also describes how the original site was created and transferred, mentioning several different aliases that have been connected to the original site. They also claim that there was no legal reason for the original seizure of the site.

Founders, Administrators, Users 

At the time of writing the site indicates that it has 308,681 registered users, although there is no need to register. Registered users are listed and broken down into tiers which include: 

  • Admins 
  • Manage 
  • Mod 
  • Council 
  • Founder 
  • Clique 
  • Rich 
  • All Users 

The oldest user – a founder – joined 5 years ago whereas the newest user joined 3 minutes ago (at time of writing). There is no description provided of the different tiers.  

It is possible to search for users, as well as observe how many pastes that user has made and if they have commented on other’s posts. The most active user appears to be a user called “o” who is listed as a moderator. They have made 120 pastes and 3,333 comments, likely mostly in a moderator capacity. It is also possible to paste anonymously so there may be users that have made more posts.  

What? 

At the time of writing, the site contains 157,225 pastes. Any text-based information can be uploaded very simply. 

The site states that it provides users “the ability to upload text information without the fear of censorship. Most pastes won’t come down without a court order. What this means is that if your info goes up, it’s not coming down unless it’s inaccurate, breaks our TOS or we receive a court order from our server hosted country.” No details are provided about how they validate whether the information posted is accurate. However, the site does provide terms which users must stick to; if, in the opinion of the moderators, these are violated, the paste will be removed.

Examples of the type of information that are shared on Doxbin include full names, addresses, telephone numbers, IP addresses, account information including passwords and usernames commonly for streaming services and social media accounts, work locations, financial information, and email addresses. They often also post details of family members.  

The information included in a Dox generally comes from a range of locations, usually open-source information from data brokers or social media, but some of the information is stolen through hacking activities.  

Who? 

Anyone can be the victim of a Dox.  

Many individuals from the hacking community are targeted by their associates; the site has a section it refers to as the “Hall of Autism” which lists individuals they have targeted. This area includes images of the individuals, their name, alias and a description of why they are included. This area of the website also has a song…

Celebrities, politicians, employees of prominent organizations, and law enforcement agencies and officers are also common targets, but any individual can be targeted, and many are.

Why? 

The motivations for doxing someone vary widely. On the site itself, a very common reason given for sharing the data is that the individual is alleged to be a pedophile; however, there is usually no evidence supplied to support this, and the claim is likely used as a means to encourage others to target the individual.

Other reasons provided are that they have no hacking skills, they have done something to annoy the poster, they are accused of being bullies or of being scammers. The reasons can vary and likely there is very little behind why some of the individuals are targeted. However, posting this information can have real dangerous consequences.  

Although this information is posted online, it can have very real consequences for the individuals whose information is posted.  

The owners of the original Doxbin used it to target individuals they were not happy with. In June 2014, after their Twitter account was suspended, information relating to the founders and CEO of Twitter was posted on Doxbin. That same year, information relating to a federal judge who had presided over the case against Silk Road was shared on Doxbin leading to death threats and swatting attempts. 

Swatting is the practice of falsely reporting a serious crime at an individual’s address, which leads to a strong response by law enforcement, often with SWAT teams surrounding the area. The practice has become more and more commonplace, with the current version of Doxbin often being used as a source of information for these attacks. These attacks can be very damaging to the victims and can be dangerous. However, law enforcement has sought to prosecute these crimes and secure prison sentences for the perpetrators.

Another impact of doxing is identity theft and financial crime, as all information about an individual is provided, criminals can use this data to conduct financial crimes. This can be a difficult thing to identify and recover from, with funds often taken before an individual even knows their data has been shared.  

The posts can also cause reputational damage, sharing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which may affect an individual’s employment status.

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media. 

These threats can have a lasting emotional impact on individuals.   

In mid-May the Doxbin site was briefly taken offline. A post on the official Telegram channel indicated that the administrators had taken it offline for security reasons.  

Soon after, images began to circulate on Telegram alleging that one of the “current” owners of Doxbin, “Operator”, had been kidnapped. The images showed an unknown individual wrapped in trash bags, alongside videos claimed to be of the kidnapping, showing him being beaten. However, this could not be validated, and many online questioned whether it was actually some kind of exit scam.

After this was posted, not much further information was shared. The site came back up and is currently operating as normal. It is unclear if this video was real. 

Doxbin is a site which exists on the clear net and has been used to target countless individuals for largely unknown reasons. The site facilitates individuals who wish to cause harm to others for a variety of reasons. Once this data is shared on the site, it is all but impossible to have it removed, meaning that the victims can be subject to harassment and threats not just by the original poster but also by other viewers of the site. Much of the time this data is used by threat actors to torment victims and conduct swatting attacks, seemingly for personal entertainment.

Constant monitoring of this site is recommended to ensure company and employee data is not shared.  


Curious how DarkOwl analysts can help monitor Doxbin for your organization? Contact us.

[Interview Transcription] OSINT in Government: Industry Insights on Challenges and Opportunities

June 12, 2024

Francis Rose of Fed Gov Today recently sat down with DarkOwl CEO and Co-Founder, Mark Turnage, to discuss the current state of open-source intelligence (OSINT) in government. You can check out the article from Fed Gov Today here.

The link to the YouTube video, and the transcription can be found below.

NOTE: Some content has been edited for length and clarity.


Francis: Mark Turnage, welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation: what used to be proprietary is now open-source, and so on. They’ve kind of said, we have to get with the game and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the examples of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in the Ukraine that’s far more detailed and far more timely than what our analysts have access to here in the US, you know, from high-side data. So, I think any organization that understands that then has to embrace it fully and start to use those commercial sources and integrate them fully with their high-side data. And then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a, there’s a cultural shift that’s necessary. But once that cultural shift, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data is better than what you have and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means buying, understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What is the technological underpinning of this infrastructure? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available to your analysts through whatever interface or tools are available. You make them available in live time to your analysts. So, there are off-the-shelf products that allow you to do that. And obviously there are cloud data storage capabilities available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a SCIF, and then trying to correlate it with high-side data, becomes a real challenge; you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that intelligence they’re getting is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who understands the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society; that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have come from the high side and a sentence immediately adjacent to it that came from the open source. So that’s obviously a real challenge, but I think that’s relatively solvable with the metadata and tagging that’s available. If you don’t pay attention to it, there’s going to be an analyst down the road in five years who’s going to get himself or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.
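The provenance tagging Mark describes, where every sentence of a fused product keeps its own source and marking so a later analyst can tell high-side text from adjacent open-source text, can be modelled as follows. This is an added illustration, not DarkOwl's or any agency's code; the marking labels, source names and sample fragments are constructed placeholders, and the "highest marking wins" rule is an assumption for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed ordering: the fused product takes the highest marking of any
# fragment it contains (a high-water mark). Not a real classification scheme.
MARKING_RANK = {"OPEN-SOURCE": 0, "HIGH-SIDE": 1}


@dataclass(frozen=True)
class Fragment:
    text: str
    source: str      # where the sentence came from (constructed names below)
    marking: str     # "OPEN-SOURCE" or "HIGH-SIDE"
    collected: date  # when it was collected


def validate(fragments):
    """Return a list of problems; empty means every fragment is fully tagged."""
    problems = []
    for i, f in enumerate(fragments):
        if not f.source:
            problems.append(f"fragment {i}: missing source")
        if f.marking not in MARKING_RANK:
            problems.append(f"fragment {i}: unknown marking {f.marking!r}")
    return problems


def fuse(fragments):
    """Fuse fragments into one report, keeping a per-line provenance tag and
    deriving the overall marking as the highest marking present."""
    problems = validate(fragments)
    if problems:
        raise ValueError("refusing to fuse untagged data: " + "; ".join(problems))
    overall = max(fragments, key=lambda f: MARKING_RANK[f.marking]).marking
    lines = [f"[{f.marking} | {f.source} | {f.collected.isoformat()}] {f.text}"
             for f in fragments]
    return {"marking": overall, "lines": lines}


# Constructed sample: an open-source sentence beside a high-side sentence.
SAMPLE = [
    Fragment("Credential dump advertised on a darknet forum.",
             "darknet-forum-A", "OPEN-SOURCE", date(2024, 5, 1)),
    Fragment("Internal reporting corroborates the dump.",
             "internal-feed", "HIGH-SIDE", date(2024, 5, 2)),
]
# Constructed sample with a missing source, which fuse() must reject.
UNTAGGED = [Fragment("Sentence of unknown origin.", "", "OPEN-SOURCE", date(2024, 5, 3))]

if __name__ == "__main__":
    report = fuse(SAMPLE)
    print(report["marking"])
    print("\n".join(report["lines"]))
```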


Interested in learning more? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.