Author: DarkOwl Content Team

The Importance of Darknet Data in OSINT Investigations

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations.


Investigators need to have access to the right sites, with many requiring high levels of authentication and the need to interact with threat actors. Navigating darknets can be frustrating and challenging. DarkOwl analysts have extensive experience working within darknets to ensure safety, compliance, and expert knowledge. Learn more about how we can help.

StarFraud Chat – Telegram Channel Analysis using A.I.

June 19, 2024

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels have been used by threat actors to communicate, sell illicit goods, and share disinformation, among other activities. Monitoring these channels is important to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.

However, the amount of data that can be included in these channels can be very large in volume. DarkOwl, therefore, wanted to establish if AI (artificial intelligence) could be used to analyze the data included in a specific channel and what could be discerned from that data.  

Disclaimer: This blog is based on A.I. analysis of a Telegram channel’s content, covering the period of August 2022 to February 2024. DarkOwl does not take responsibility for the analysis conducted; it is shared for informational purposes only. Other AI platforms are available.

The Telegram channel “Star Fraud Chat” was selected for analysis to see what information could be gleaned about this group from their activity on Telegram. This group has been attributed by security researchers to a group known as Scattered Spider, which is assessed to have been responsible for the attack on MGM Casinos. Furthermore, they are assessed to be part of a group which describes itself as “the Com”, who are reported to conduct cyber attacks as well as cyber bullying and swatting attacks.

Figure 1: Profile page for StarFraud Chat 

DarkOwl analysts used open-source tools to extract a download of the Telegram chat content from when it was started in August 2022 to February 2024. This generated a CSV file which included the usernames of participants, timestamps of activity, content, media shares, replies, and reactions. ChatGPT was then used to analyze the CSV file, with specific questions being asked to identify what information could be gleaned.  

This blog was written with a mix of AI analysis produced directly by ChatGPT as well as analyst review and enrichment.  

ChatGPT was asked to analyze the CSV file to see what information could be found. It initially had issues due to the formatting of the document but was able to overcome these issues after a few tries.  

The initial attempt to read the CSV file encountered issues due to irregularities in the data format, such as varying numbers of fields per line and improperly escaped or quoted strings. By inferring the delimiter and adjusting parsing strategies, we successfully re-parsed the data using a semicolon (;) as the delimiter. This correction allowed us to structure the dataset properly, revealing 56,210 rows and 42 columns, including information on message IDs, display names, user IDs, message texts, timestamps, and reactions. 

First, we wanted to understand which topics were most commonly being discussed in this Telegram channel, to understand what threat the users of this channel could pose. We therefore asked ChatGPT to analyze the message content itself and provide us with a summary of what was discussed.

The most common words in the messages are general and do not provide specific insight into the topics discussed. To better understand the themes, we should look for specific terms and phrases related to the context of the chat. 

Key Observations: 

  1. Fraud-related Terms
  • Words like “debit,” “pin,” “balance,” “card,” and “verified” suggest discussions about fraudulent financial activities and the exchange of sensitive financial information. 
  2. Communications
  • Common conversational terms like “you,” “me,” “for,” “is,” and “on” indicate typical interactions among users. 
  • Informal and slang terms like “lol” and “bro” indicate casual communication. 
  3. User Mentions
  • Usernames and mentions, such as “@FENTOPENUPS” and “@bankopendropps,” likely reference specific users or groups within the chat. 

We wanted more information, so we then asked ChatGPT to do a deeper analysis of the text related to fraud and to take samples of the data. ChatGPT itself suggested ways in which we might be able to conduct further analysis. The output was as follows: 

Summary of Topics Discussed: 

  1. Sale of Financial and Personal Information
  • Users are discussing the sale and exchange of debit cards, ATM PINs, verified personal information (SSN, DOB), and related financial details. 
  2. Resetting and Hacking Services
  • Offers for resetting email accounts and other services for specific fees, indicating a market for hacking services. 
  3. Social Engineering Techniques
  • Strategies for social engineering and cashing out from accounts, including profit-sharing details and specific email domains targeted. 
  4. Account Requests
  • Requests for various types of accounts, such as Netflix, indicating a broader market for access to subscription services and accounts. 
  5. Panel Management and Availability
  • Discussions around the availability and longevity of panels, which could relate to account management services or access points for various fraudulent activities. 

The chat primarily revolves around fraudulent activities, including the sale of financial and personal information, hacking services, social engineering techniques, and requests for various account types. There is also a market for managing and providing access to certain panels or services related to these activities. This environment indicates a highly active and diverse exchange of illegal services and information.

Once the document had been reviewed and we understood what information was being discussed, we then wanted to understand more about the users of the channel. We began to ask ChatGPT specific questions about the users starting with an analysis of which users were the most active. 

The analysis determined the most active users based on the number of messages sent. The top 10 most active users are: 

1. **”.”** – 1,076 messages 

2. **netbox** – 1,062 messages 

3. **ㅤ** (a whitespace character) – 718 messages 

4. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 697 messages 

5. **ʹ** (a single quote) – 504 messages 

6. **Osama (GENERATING)** – 469 messages 

7. **Perc** – 468 messages 

8. **bloed** – 347 messages 

9. **Systoned** – 327 messages 

10. **boomb** – 320 messages 

These users have significantly contributed to the conversation, making them central figures in the community. 

The analysis highlighted that many of the most active users didn’t have a specific display name, with punctuation or blank spaces being used instead. This analysis also did not account for the fact that users are able to change their display names, so messages from the same user may appear in the data as coming from different users. It is possible to conduct this analysis based on the user IDs instead, as these were included in the data extracted from Telegram.

The admins of the channel are listed on the Telegram channel page; these include a bot which is likely used to administer new joiners. None of these appear among the most active users:

Figure 2: List of StarFraud Chat admins 

We then wanted to establish if we could look at the activity on the channel from a different perspective: not just who had posted in the chat, but who had provided a reaction. Telegram users can react to posts using emojis. We looked at which users’ posts had received the most reactions from other users.

Reactions to messages indicate the level of engagement and resonance of user contributions. The users who received the most reactions are: 

1. **Star Sanctuary** – 34 reactions 

2. **netbox** – 15 reactions 

3. **Jack** – 12 reactions 

4. **ㅤ** (a whitespace character) – 9 reactions 

5. **.** (a period) – 8 reactions 

6. **Perc** – 6 reactions 

7. **digital cannibal** – 6 reactions 

8. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 6 reactions 

9. **Stardusts in my memoryCard** – 5 reactions 

10. **Panama Creative** – 5 reactions 

This list highlights the users whose contributions garnered the most engagement from others. 

This did include posts by some of the admins; however, the number of reactions, given the volume of posts, appeared to be relatively low.

We then wanted to understand how the users were interacting. To do this, we asked ChatGPT to analyze replies between users. However, this did not take into consideration the nature of the posts, as some posts may garner more interest than others. Added context would be needed to understand how the users were interacting.

Understanding who interacts with whom provides insights into the community dynamics. The top user interactions, based on reply activity, include: 

1. **’** replied to **fan (real)** – 6 times 

2. **Perc** replied to **netbox** – 5 times 

3. **nef** replied to **boxingloves** – 5 times 

4. **Systoned** replied to **Osama (GENERATING)** – 5 times 

5. **ㅤ** (whitespace character) replied to **Osama (GENERATING)** – 4 times 

6. **Osama (GENERATING)** replied to **Systoned** – 4 times 

7. **ㅤ** replied to **geekypoo** – 3 times 

8. **Osama (GENERATING)** replied to **ㅤ RR BB** – 3 times 

9. **King** replied to **𐕣₩** – 3 times 

10. **netbox** replied to **Uno[Shop in Bio]** – 3 times 

These interactions highlight the most engaged pairs of users within the community. 

However, this again did not take into consideration that display names could change, nor does it factor in who made the most replies, which user generally received the most replies, or to what content. It is possible that this information could be obtained from the data using ChatGPT with more precise questions.

We wanted to see if it was possible to visualize these interactions. Network analysis is a really useful tool for analysts to see connections between individuals, identify who is communicating with whom, and determine whether patterns can be identified. So, we asked ChatGPT to create this visualization and to clean it up.

A network graph was created to visualize the interactions between users. Each node represents a user, and each directed edge indicates that one user has replied to another. This graph illustrates the structure of interactions, showing which users are more centrally involved in conversations and how clusters of users interact more closely with each other. 

Figure 3: ChatGPT generated visualization of user replies 

Being able to review this information can be incredibly useful for analysis and gives us an insight into which users in the StarFraud chat interact the most and are the most active on the channel. Being able to manipulate this graph and see which users are most active could give analysts a starting point for which users it may be most useful to investigate. 

We then wanted to know if it was possible to identify the time that the chat was most active, as this could help us identify which time zone the users were in, helping us to narrow down a location. We therefore asked ChatGPT to review the timestamps.

Analyzing the timestamp data revealed that users are most active at 1 AM, with a total of 3,973 messages sent during this hour. This peak in activity suggests that the majority of users might be located in a specific time zone or find this time particularly convenient for engaging in conversations. 

Figure 4: ChatGPT generated timeline of posts 

However, it was not possible for ChatGPT to identify the time zone without additional context. The timestamps provided by Telegram appeared to use GMT, however, which would indicate that most of the posts were made during the early hours of the morning in Europe or late afternoon US time.
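The following Python is an added example, not part of the original post or DarkOwl’s tooling. It carries out the steps the post asked ChatGPT to perform: parsing the semicolon-delimited export while skipping rows with an irregular field count, counting messages per user ID so that display-name changes do not split one user into several (the caveat raised above), tallying reactions and reply pairs, and finding the peak hour, with the GMT timestamps optionally shifted into another time zone. The column names and the sample rows are constructed for this example; the real export had 42 columns.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a semicolon-delimited Telegram chat export.
# The column names are assumptions for this example (the real export on the
# page had 42 columns). Row 6 is deliberately malformed (too few fields) and
# row 3 carries a quoted semicolon inside the message text.
SAMPLE_EXPORT = """message_id;display_name;user_id;text;timestamp;reply_to_message_id;reactions
1;netbox;1001;selling verified logins;2023-01-10T01:05:00;;2
2;.;1002;who has debit cards;2023-01-10T01:12:00;;0
3;Perc;1003;"lol bro; pin first";2023-01-10T01:20:00;1;1
4;.;1002;any panels up;2023-01-10T02:03:00;;0
5;Systoned;1004;yes msg me;2023-01-10T02:07:00;4;0
6;broken;1005;this row is missing fields;2023-01-10T02:09:00
7;dot;1002;changed my name;2023-01-11T01:30:00;1;0
8;netbox;1001;balance check;2023-01-11T01:45:00;7;3
9;Perc;1003;still here;2023-01-11T03:00:00;8;0
"""


def parse_export(text):
    """Parse a semicolon-delimited export; rows whose field count does not
    match the header are skipped and counted rather than aborting the run."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    header = next(reader)
    rows, skipped = [], 0
    for fields in reader:
        if len(fields) != len(header):
            skipped += 1
            continue
        rows.append(dict(zip(header, fields)))
    return rows, skipped


def messages_by_display_name(rows):
    """Naive count keyed on display name: a user who renames appears twice."""
    return Counter(row["display_name"] for row in rows)


def messages_by_user(rows):
    """Count keyed on the stable user_id, recording every display name seen
    for that ID so renames are merged instead of split."""
    stats = defaultdict(lambda: {"count": 0, "names": set()})
    for row in rows:
        stats[row["user_id"]]["count"] += 1
        stats[row["user_id"]]["names"].add(row["display_name"])
    return {uid: {"count": s["count"], "names": sorted(s["names"])}
            for uid, s in stats.items()}


def reactions_by_user(rows):
    """Total reactions received per user_id."""
    totals = Counter()
    for row in rows:
        totals[row["user_id"]] += int(row["reactions"] or 0)
    return totals


def reply_pairs(rows):
    """Directed (replier_id, replied_to_id) edge counts, resolved through the
    message being replied to; these are the edges of a reply network graph."""
    author_of = {row["message_id"]: row["user_id"] for row in rows}
    pairs = Counter()
    for row in rows:
        target = row["reply_to_message_id"]
        if target in author_of:
            pairs[(row["user_id"], author_of[target])] += 1
    return pairs


def hourly_activity(rows, utc_offset_hours=0):
    """Messages per hour of day. Timestamps are treated as UTC/GMT and may be
    shifted by utc_offset_hours to read the histogram in another time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = Counter()
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"]).replace(tzinfo=timezone.utc)
        hours[ts.astimezone(tz).hour] += 1
    return hours


def peak_hour(rows, utc_offset_hours=0):
    """(hour, message_count) of the busiest hour in the chosen time zone."""
    return hourly_activity(rows, utc_offset_hours).most_common(1)[0]


if __name__ == "__main__":
    rows, skipped = parse_export(SAMPLE_EXPORT)
    print(f"parsed {len(rows)} rows, skipped {skipped} malformed")
    print("by display name:", messages_by_display_name(rows).most_common(3))
    print("by user id:     ", messages_by_user(rows))
    print("reactions:      ", reactions_by_user(rows).most_common(3))
    print("reply pairs:    ", reply_pairs(rows).most_common(3))
    print("peak hour UTC:  ", peak_hour(rows))
    print("peak hour UTC-5:", peak_hour(rows, utc_offset_hours=-5))
```

On the sample, the display-name count splits user 1002 into “.” and “dot”, while the user-ID count merges them, and the 1 AM GMT peak reads as 8 PM when shifted to UTC-5.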

As this analysis was inconclusive, we wanted to see if there was any information in the messages sent which may link to a location. So, we asked ChatGPT to look for this information within the posts.  

A search for location-related keywords identified 152 messages referencing specific locations. Examples include: 

– ““victory park” its a 2 story police department…” 

– “u in middle of street” 

– “ghost town” 

– “smh u the same ni**a scared to meet up and we …” 

– “**🎉 Get the Best RDP/VPS Deal with StealthRDP!…” 

These references vary in context, ranging from conversational mentions to specific addresses or locations. 

This analysis did not add much value as the locations mentioned were very generic in nature. Again, more specific questions and directions may be beneficial to improve results here, perhaps focusing on country or city locations rather than more generic terms.

The analysis of StarFraud Chat provides valuable insights into user activity, engagement, and interaction patterns. By understanding the most active users, the times of peak activity, and the dynamics of user interactions, we can better understand how this group is operating and where best to focus our analysis. We can also analyze the topics discussed to understand what threats this group poses.  

This also highlights how AI can be used by analysts to assist in their investigations, reducing the time it takes to review large amounts of data. However, these specific examples also highlight the importance of asking AI models very specific questions and ensuring they understand the information you are seeking to obtain; these models are only as good as the seed questions being asked.


Questions about how AI impacts DarkOwl’s darknet data collection? Contact us.

Site Spotlight: Doxbin

June 15, 2024

DarkOwl analysts regularly follow darknet threat actors, marketplaces and sites. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.



The site Doxbin is a paste site which allows users to post information in text format about other individuals, usually containing personally identifiable information (PII). Information is posted for a range of alleged reasons, which are usually provided in the title of the dox, and can contain extensive information about individuals. Although this site is currently hosted on the clearnet and maintains an official Telegram channel, it originally operated as a .onion site and is still used by dark web affiliated individuals. 

In this blog, we explore the history of the site, who is behind it and the impact that it can have on the victims of a dox, as well as alleged recent activity related to the reported owner.  

To understand the purpose of Doxbin and how it is used, we must first understand the concept of “Doxing”.  

Doxing is the act of publicly providing PII and other data about an individual or organization without their consent. In recent years this has predominantly been done using the internet, and the practice dates back to the late 1990s. The act of doxing an individual is not in and of itself illegal, depending on how the information shared is obtained. Most data shared is likely obtained from data brokers and social media sites, although some is obtained through illegal means. Regardless of how the data is obtained, the purpose and outcomes are usually nefarious: online shaming, extortion, targeting, stalking, and hacktivism operations. The law has not yet caught up with this practice and it is difficult to prosecute the sharing of publicly available information. However, this is beginning to change, as outlined below.

Doxbin is a site that facilitates doxing. It is a paste site that allows users to upload any text-based content relating to individuals. It is exclusively used to share data about others or elicit more information about others. 

The current controllers of Doxbin state that any text can be uploaded to the site, with the only limitations being that it should not be spam, child sexual abuse material (CSAM), or something that violates the hosting country’s jurisdictional laws (domain and IP analysis linked to the site suggests that it is hosted in Russia and uses DDoS-Guard to protect the site from bot attacks). They also state that support of terrorism or threats of physical violence are not allowed.

However, in practice there is very little that cannot be posted and often information is shared in the hope that an individual will be targeted in some way – including risks of physical violence. A reason does not need to be provided, although one often is, and nothing is validated.  

The current administrators of Doxbin have posted a lengthy description on their site about how it was founded and is currently run. In this description, they describe this iteration of the site as having been active since early 2018, being created by kt and Brenton “as a place to store personal doxes as an alternative to platforms which were not satisfactory.”

However, the name/site “Doxbin” has a history that precedes this. Originally Doxbin was launched in May 2011 on the dark web by an individual using the alias “nachash” as a pastebin for people posting personal information of others. The site was eventually seized by law enforcement, with the FBI and Europol taking down Doxbin in November 2014 as part of Operation Onymous, which also took down several other .onion sites, primarily those related to the sale of drugs, and led to the arrest of several individuals.

In 2019 it was reported that Doxbin was being controlled by a white supremacist group, who were using the site to maintain a list of swatting (more on that later) targets. In 2020 the controller was arrested by the FBI.

In 2022, the site was reportedly purchased by a threat actor associated with the group Lapsus$, using the alias “White”. However, it is alleged that due to bad management of the site, users started to target White and he himself was doxed. Before this occurred, White leaked the Doxbin data set, which included private doxes that had not been published. The information contained in the dox of White, which included videos of his home, proved to be accurate. Arion Kurtaj was later arrested and prosecuted for his role in several data breaches as part of his association with Lapsus$.

The current iteration of the site, which is on the clearnet rather than Tor, states that it is no longer affiliated with “nachash”, and that he left the operation in 2015. It also describes how the original site was created and transferred, mentioning several different aliases that have been connected to the original site. They also claim that there was no legal reason for the original seizure of the site.

Founders, Administrators, Users 

At the time of writing the site indicates that it has 308,681 registered users, although there is no need to register. Registered users are listed and broken down into tiers which include: 

  • Admins 
  • Manage 
  • Mod 
  • Council 
  • Founder 
  • Clique 
  • Rich 
  • All Users 

The oldest user – a founder – joined 5 years ago whereas the newest user joined 3 minutes ago (at time of writing). There is no description provided of the different tiers.  

It is possible to search for users, as well as observe how many pastes that user has made and whether they have commented on others’ posts. The most active user appears to be a user called “o” who is listed as a moderator. They have made 120 pastes and 3,333 comments, likely mostly in a moderator capacity. It is also possible to paste anonymously, so there may be users that have made more posts.

What? 

At the time of writing, the site contains 157,225 pastes. Any text-based information can be uploaded very simply. 

The site states that they provide users “the ability to upload text information without the fear of censorship. Most pastes won’t come down without a court order. What this means is that if your info goes up, it’s not coming down unless it’s inaccurate, breaks our TOS or we receive a court order from our server hosted country.” No details are provided about how they validate whether the information posted is accurate. However, the site provides terms which users must stick to; if these are violated, in the opinion of the moderators, then the paste will be removed.

Examples of the type of information that are shared on Doxbin include full names, addresses, telephone numbers, IP addresses, account information including passwords and usernames commonly for streaming services and social media accounts, work locations, financial information, and email addresses. They often also post details of family members.  

The information included in a Dox generally comes from a range of locations, usually open-source information from data brokers or social media, but some of the information is stolen through hacking activities.  

Who? 

Anyone can be the victim of a Dox.  

Many individuals from the hacking community are targeted by their associates; the site has a section which it refers to as the “Hall of Autism” where it provides a list of individuals they have targeted. This area includes images of the individuals, their name, alias and a description of why they are included. This area of the website also has a song…

Celebrities and politicians are also often targets, as are employees of prominent organizations and law enforcement agencies and officers, but any individual can be targeted and often is.

Why? 

The motivations for doxing someone can be very varied. On the site itself, a very common reason given for sharing the data is that the individual is alleged to be a pedophile; however, there is usually no evidence supplied to support this, and the claim is likely used as a means to encourage others to target the individual.

Other reasons provided are that they have no hacking skills, they have done something to annoy the poster, or they are accused of being bullies or scammers. The reasons can vary, and there is likely very little behind why some of the individuals are targeted. However, posting this information can have very real and dangerous consequences.

Although this information is posted online, it can have very real consequences for the individuals whose information is posted.  

The owners of the original Doxbin used it to target individuals they were not happy with. In June 2014, after their Twitter account was suspended, information relating to the founders and CEO of Twitter was posted on Doxbin. That same year, information relating to a federal judge who had presided over the case against Silk Road was shared on Doxbin leading to death threats and swatting attempts. 

Swatting is the practice of reporting a serious crime at an individual’s address which leads to a strong response by law enforcement often with SWAT teams surrounding the area. The practice has become more and more commonplace, with the current version of Doxbin often being used as a source of information to conduct these swatting attacks. These attacks can be very damaging to the victims and can be dangerous. However, law enforcement has sought to prosecute these crimes and ensure prison sentences for the perpetrators.

Another impact of doxing is identity theft and financial crime: as all information about an individual is provided, criminals can use this data to conduct financial crimes. This can be a difficult thing to identify and recover from, with funds often taken before an individual even knows their data has been shared.

The posts can also cause reputational damage, sharing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which may affect an individual’s employment status.

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media. 

These threats can have a lasting emotional impact on individuals.   

In mid-May the Doxbin site was briefly taken offline. A post on the official Telegram channel indicated that the administrators had taken it offline for security reasons.  

Soon after, images began to circulate on Telegram alleging that one of the “current” owners of Doxbin, “Operator”, had been kidnapped. The images showed an unknown individual wrapped in trash bags, as well as videos that were claimed to be of the kidnapping, showing him being beaten. However, this could not be validated, and many online questioned whether this was actually some kind of exit scam.

After this was posted, not much further information was shared. The site came back up and is currently operating as normal. It is unclear if this video was real. 

Doxbin is a site which exists on the clear net and has been used to target countless individuals for largely unknown reasons. The site facilitates individuals who wish to cause harm to others for a variety of different reasons. Once this data is shared on the site, it is all but impossible to have it removed, meaning that the victims can be subject to harassment and threats not just by the original poster but also by other viewers of the site. Much of the time this data is used by threat actors to torment victims and conduct swatting attacks, seemingly for personal entertainment.

Constant monitoring of this site is recommended to ensure company and employee data is not shared.  


Curious how DarkOwl analysts can help monitor Doxbin for your organization? Contact us.

[Interview Transcription] OSINT in Government: Industry Insights on Challenges and Opportunities

June 12, 2024

Francis Rose of Fed Gov Today recently sat down with DarkOwl CEO and Co-Founder, Mark Turnage, to discuss the current state of open-source intelligence (OSINT) in government. You can check out the article from Fed Gov Today here.

The link to the YouTube video and the transcription can be found below.

NOTE: Some content has been edited for length and clarity.


Francis: Mark Turnage, Welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation. What used to be open or what used to be proprietary is now open-source, and so on. They’ve kind of said, we have to get with the game and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the examples of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in the Ukraine that’s far more detailed and far more timely than what is what then what our analysts have access to here in the US, you know from high-side data. So, I think any organization that understands that, then has to embrace it fully and start to use those commercial sources and integrate them fully into their with their high-side data. And then they’ll, then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a, there’s a cultural shift that’s necessary. But once that cultural shift, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data is better than what you have and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means buying, understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What does the technological underpinning of this infrastructure underpinning? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available through whatever interface or tools to your analysts that are available. You make them available in live time to your analysts. So, there are off the shelf products that allow you to do that. And obviously there are cloud data storage capabilities available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a SCIF, and then trying to correlate it with high-side data becomes a real challenge, you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that data, of that intelligence they’re getting, is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who understands the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society; that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have come from the high side and a sentence that’s right, immediately adjacent to it, that came from the open source. So that’s obviously a real challenge, but there are technical, that’s actually, I think that’s relatively solvable with metadata and tagging that’s available. If you don’t pay attention to it, there’s going to be an analyst down the road in five years who’s going to get himself in real trouble or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.



What are APIs?

June 06, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Earlier this month, we covered CVEs. In this edition, let’s dive into APIs.

Simply put, application programming interfaces (APIs) allow two software applications to communicate with each other: to make requests, receive responses, and exchange data. This is true for both mobile and web-based applications. APIs permit humans and machines to exchange, process, and use data according to defined rules and protocols. One of the important benefits is that APIs enable applications that are written in different programming languages, or that run on different operating systems, to communicate and pass data easily.

APIs run behind the scenes and allow software to communicate with other software, but there are plenty of everyday examples of API use one might not be aware of. For instance, if a user logs into an account or service by opting to use their Google or a social media account (to avoid having to create a brand-new account), this login flow uses API services to exchange authentication information between the Google or social media account and the platform, enabling a convenient and seamless login experience for the user.

There are two primary designs for APIs – the Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) approaches. While we will not dive deep into the technical aspects, the main takeaway is that SOAP uses a very structured XML data format, while REST is more flexible and permits data exchange in multiple formats, such as JSON, plaintext, or XML. Being more flexible, REST can use the SOAP protocol, but the reverse is not true – SOAP cannot use a REST protocol. REST protocols are useful for mobile devices that use an API.

Here at DarkOwl, we allow for access to our platform via a curated User Interface (UI) as well as several API endpoints. The APIs enable our customers to use DarkOwl Vision data in their own software applications. You can view our product offerings here.

Unfortunately, while APIs automate and permit quick transfer of a large amount of data, like so many facets of the cyber world, they are subject to malicious activity and attacks.

Malicious actors are focusing on attacking APIs more and more, as APIs transmit large amounts of valuable information and data. Without proper security, including regular software updates and securing the multiple entry points that make an API function, as well as securing legacy APIs that could be overlooked and left unprotected, APIs can be subjected to malicious use. This is all the more true because, in most cases, developers provide very detailed API documentation to support sanctioned API use; new and prospective customers are not the only ones who rely on API documentation to fine-tune their use of an API.

Actors can target APIs with several traditional types of attacks. This list is not exhaustive, but it gives high-level examples of the kinds of attacks directed against API infrastructure:

  • Distributed denial of service (DDoS) attacks, which would overwhelm an API and make its services unavailable to legitimate, paying customers.
  • Malicious actors can also brute-force APIs, using credentials to gain access and abuse the interface, and then steal sensitive/proprietary/corporate information.
  • Machine-in-the-middle or attacker-in-the-middle (MITM or AITM, respectively) is where an actor can intercept and change communications, permitting data theft or manipulation of API data.
  • Procuring legitimate API keys, which are often left accidentally exposed or compromised.

DarkOwl constantly observes actors discussing methods for API attacks at multiple layers of the tech stack, trading methods for having maximum impact, and selling possible API access to various organizations:

Figure 1: An actor on (now defunct) Breached Forums advertises possible methods to attack APIs at various levels of the tech stack; Source: DarkOwl Vision
Figure 2: A Discord server publishes materials, including a website, that specifically aids attackers in going after and attacking APIs; Source: DarkOwl Vision

Mitigating API attacks requires protection at multiple stages:

  • First, like everything that involves data transfer, data must be encrypted both at rest and during transit. Role-based access control (RBAC) permits explicitly approved applications and users to have access, lessening the possibility for an unintended individual to gain unauthorized access.
  • APIs also have their own gateways, which are positioned between the client and the provided services. The gateway implements rules and standards that allow for access and authenticates attempted access.
  • Finally, zero-trust models are also applicable to protecting APIs. Zero trust requires users to authenticate and hold explicit rights for each access, and it is an effective way to avoid trusting a repeat user who, behind the scenes, could be an impostor. In addition to all of the above specific steps, constant monitoring and vigilance are recommended, as APIs are a data-rich source and the technology is constantly changing.
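The mitigations above, as an added example in Python that is not DarkOwl’s code: a gateway-side authorization check that combines TLS enforcement, API-key authentication against hashed keys with constant-time comparison, a role-based allow-list per route, and per-source rate limiting to blunt credential brute-forcing. All keys, routes, client names and addresses are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def key_digest(api_key: str) -> str:
    """Only SHA-256 digests of keys are stored, so a leaked key table is not a leaked key set."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed key store for this example: digest -> (client name, role).
KEY_STORE: Dict[str, Tuple[str, str]] = {
    key_digest("demo-analyst-key-0001"): ("analyst-app", "reader"),
    key_digest("demo-admin-key-0002"): ("ops-console", "admin"),
}

# RBAC as an explicit allow-list of (method, route) per role; anything absent is denied.
ROLE_POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "reader": {("GET", "/v1/search"), ("GET", "/v1/documents")},
    "admin": {("GET", "/v1/search"), ("GET", "/v1/documents"),
              ("POST", "/v1/documents"), ("DELETE", "/v1/documents")},
}


@dataclass
class RateLimiter:
    """Sliding-window limiter keyed by request source, used to blunt credential guessing."""
    max_requests: int
    window_seconds: float
    _hits: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, source: str, now: float) -> bool:
        window = self._hits[source]
        while window and now - window[0] > self.window_seconds:
            window.popleft()  # forget hits that have aged out of the window
        if len(window) >= self.max_requests:
            return False
        window.append(now)
        return True


@dataclass
class Request:
    method: str
    route: str
    api_key: Optional[str]
    tls: bool       # True when the request arrived over HTTPS
    source_ip: str


@dataclass
class Decision:
    allowed: bool
    status: int     # HTTP status the gateway would return
    reason: str
    client: Optional[str] = None


class Gateway:
    """Gateway-side checks, in the order a request passes through them."""

    def __init__(self, limiter: RateLimiter):
        self.limiter = limiter

    def authorize(self, req: Request, now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        # 1. Encryption in transit: refuse API traffic that did not arrive over TLS.
        if not req.tls:
            return Decision(False, 426, "tls-required")
        # 2. Rate-limit per source before any lookup, so key guessing is throttled
        #    whether or not a particular guess happens to be valid.
        if not self.limiter.allow(req.source_ip, now):
            return Decision(False, 429, "rate-limited")
        if not req.api_key:
            return Decision(False, 401, "missing-key")
        # 3. Authenticate: compare digests in constant time to avoid timing leaks.
        digest = key_digest(req.api_key)
        identity = None
        for stored, ident in KEY_STORE.items():
            if hmac.compare_digest(stored, digest):
                identity = ident
        if identity is None:
            return Decision(False, 401, "unknown-key")
        client, role = identity
        # 4. Authorize: the (method, route) pair must be explicitly allowed for the role.
        if (req.method, req.route) not in ROLE_POLICY.get(role, set()):
            return Decision(False, 403, "not-permitted", client)
        return Decision(True, 200, "ok", client)


def demo() -> List[Decision]:
    """Run a few constructed requests through the gateway and return the decisions."""
    gw = Gateway(RateLimiter(max_requests=3, window_seconds=60.0))
    src = "198.51.100.7"  # constructed documentation-range address
    key = "demo-analyst-key-0001"
    return [
        gw.authorize(Request("GET", "/v1/search", key, True, src), now=0.0),           # 200
        gw.authorize(Request("DELETE", "/v1/documents", key, True, src), now=1.0),     # 403
        gw.authorize(Request("GET", "/v1/search", key, False, src), now=2.0),          # 426
        gw.authorize(Request("GET", "/v1/search", "guess-0001", True, src), now=3.0),  # 401
        gw.authorize(Request("GET", "/v1/search", "guess-0002", True, src), now=4.0),  # 429
    ]
```

The plain-HTTP request is refused before it counts against the limiter, while the two wrong-key guesses do count, so the fourth authenticated attempt from the same source is throttled.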

Contact DarkOwl today to learn more about our API access, as well as protection methods we suggest based on observing actor discourse and tactics live on the deep and dark web.

Rebrandly and DarkOwl Announce Domain Management Partnership

June 04, 2024

Industry leaders join forces to provide end-to-end domain threat intelligence to customers.

Rebrandly, the leader in branded link and domain management, and DarkOwl, the leader in darknet data and intelligence, are proud to announce a partnership that revolutionizes domain and link management services with comprehensive domain security and intelligence monitoring, powered by AI. Together, the companies set a new standard for domain and link management, leveraging their respective products and expertise.

As the volume and variety of threats to organizational domains proliferate—from phishing to ransomware to typosquatting—the need for total awareness of a domain’s use has become essential. Rebrandly’s branded link management platform, combined with DarkOwl’s unique and comprehensive database of domain intelligence and cyber threats, allows large enterprises, domain registrars, cloud service providers, and cybersecurity firms to effectively manage their domain portfolios in a holistic and secure manner. The aggregate power and innovative differentiation of Rebrandly and DarkOwl technology are what make this pioneering management, visibility, and ongoing monitoring possible.

Carla Bourque, CEO of Rebrandly, commented, “Security, brand protection, and trust are core to Rebrandly’s enterprise link management platform, and there is a natural synergy in our partnership with DarkOwl. Furthering our mission to make the internet safer for all, we’re proud to bring Rebrandly’s link-level abuse detection together with DarkOwl’s darknet threat intelligence in the industry’s first holistic domain security solution.”

“We are excited to partner with Rebrandly in this important and innovative endeavor”, said Mark Turnage, CEO of DarkOwl.  “As threats grow, demand for secure domain management continues to be a request by our customers.  This partnership offers the ability for organizations, agencies and companies to benefit from each of our companies’ best-of-breed platforms.”

About Rebrandly
Rebrandly is the market leader in enterprise link management solutions. Rebrandly’s customers include global enterprise businesses, developers, and agencies that prioritize brand protection and security. With a flexible API and real-time click analytics that integrate easily into existing workflows, many of today’s most innovative brands rely on Rebrandly to optimize performance with every link.

Founded in 2015, with headquarters in the United States, Italy, and Ireland, Rebrandly is a global company with diverse teams worldwide. The company is SOC 2 Type 2, GDPR, CCPA, and HIPAA compliant. Visit Rebrandly’s Trust Center for more information.

About DarkOwl
DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

Threat Intelligence RoundUp: May

June 03, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. LockBit ransomware admin identified, sanctioned in US, UK, Australia – Bleeping Computer

Dmitry Yuryevich Khoroshev, a Russian citizen, was revealed as the admin and developer of LockBit ransomware. Having earned approximately $100 million through the ransomware gang’s activity, Khoroshev is now subject to travel bans and his assets are frozen. His enjoyment of speaking and granting interviews to media outlets and his high level of activity posting on Russian dark web forums also contribute to the totality of the picture of LockBit’s ransomware activity. Five other members of the gang were arrested and are pending trial. Full article here.

2. FBI warns of fake verification schemes targeting dating app users – Bleeping Computer

Malicious actors are using malicious links to lure dating app users to a (fake) website that proves they are not sex offenders. On this fake website, the user enters their email, phone, and other pieces of personal information to verify they are not a sex offender and prove this to the audience on the dating site. However, after this information is entered, the person is subject to a monthly fee that is charged on their credit card, and their other PII is sold in criminal operations on dark web markets, as well as in certain cases, on Telegram. Read more.

3. Ascension redirects ambulances after suspected ransomware attack – Bleeping Computer

In another example of the digital realm having a physical impact, US-based Ascension healthcare had to change the destination hospital for several ambulances when a ransomware attack impacted their systems. The incident also caused clinical treatment disruption, such as delaying medical tests and medication orders, as well as system outages. No group has publicly claimed this incident as of the time of this writing. Article here.

4. US Post Office phishing sites get as much traffic as the real one – Bleeping Computer

Continuing to emphasize the usefulness and success of typo- and combo-squatting, researchers observed that websites impersonating the US Postal Service official website get as much web traffic as the actual website, and during holiday times, the fake websites receive more web traffic than the official website. Combined with SMS messages that send “package unable to be delivered” themed messages and often provide a link to a malicious website, the fraud targeting the USPS is sophisticated, and expected to continue to remain elevated. Read article.

5. Chinese hackers hide on military and govt networks for 6 years – Bleeping Computer

A new threat actor attributed to China, “Unfading Sea Haze,” has been hiding on military and government networks in the South China Sea for the past six years. Their primary goals are both espionage and intel collection, and their tools appear to overlap with APT41. The group uses spear-phishing to begin their attacks, and sends documents laced with LNK files that will execute a PowerShell script under the right circumstances. They also use a custom keylogger named “xkeylog” as well as some GhostRAT malware variants. Full article here.

6. A Russian Influence Campaign Is Exploiting College Campus Protests – Wired

In what has become a normal operation for Russian intel operatives, the Kremlin is using Telegram, bot farms, and other social media platforms such as X (formerly Twitter) to increase division in US society. Doppelganger, a well-known, Kremlin-aligned group of actors, uses its vast botnet network to pass links that contain fake news about real-world events to global publications, including Le Monde and other European news networks, as well as news outlets in the United States. Full article.

7. Owner of Incognito dark web drugs market arrested in New York – Bleeping Computer

Continuing the trend of actor arrests and online market/malicious operation takedowns, this week witnessed the arrest of Incognito Market operator Rui-Siang Lin. Lin was arrested in New York City for his oversight and operation of the popular drug market, which had over 200,000 customers who purchased all types of narcotics. Read more.

8. US charges two brothers with novel $25 million cryptocurrency heist – Reuters

Two MIT students who are also brothers stole $25 million in Ethereum in 12 seconds in an attack that questions the very integrity of blockchain technology. The actors gained access to pending transactions by fraudulent means and altered the movements of Ethereum cryptocurrency. The brothers experimented with manipulating protocols in the months leading up to the theft, using a software vulnerability. Read here.

Small businesses and home internet users often use open-source HTTP and HTTPS proxy servers for their internet access. Cisco warned of a new flaw, CVE-2023-49606, a remote code execution issue caused by incorrectly managed HTTP headers, which could allow actors to access freed memory. Censys also confirmed approximately 90,000 internet-exposed Tinyproxy services, over half of which were vulnerable to the aforementioned CVE. Read more.



DarkOwl RSA Conference Recap: The Art of Possible

May 31, 2024

RSA Conference in San Francisco, this year held May 6-9, is one of the biggest and most anticipated cybersecurity events of the year. The DarkOwl team plans and looks forward to RSA each year: to see friendly and new faces alike, hear the latest trends, news and innovations in cybersecurity, share our latest product updates and offerings, and of course have some fun around San Francisco. This year, the team had a booth on the show floor, a private meeting space around the corner from Moscone Center to hold one-to-one meetings with prospects, partners, press, and clients, and, for the first year ever, hosted a party with several of our customers and partners on Tuesday night!

“The Art of Possible”

The RSA Conference slogan, “Where the World Talks Security” is the perfect quick elevator pitch for what happens each year at RSA – thousands of security professionals from around the globe gather together to hear and discuss new and leading perspectives, innovation and best practices. The most memorable RSA moments can be found on their website here.

The theme of RSA this year was “The Art of Possible.” Dr. Hugh Thompson, Executive Chairman of RSAC and Program Committee Chair, described the theme in his keynote speech as “a phrase that, on the one hand, is meant to inspire hope, but it also serves as a warning. We should never underestimate what is possible by our adversaries.” It is a great point, as over 40,000 cyber security professionals from 130 countries around the globe all gather at RSA.

DarkOwl Highlights

Representing the DarkOwl team, we had several executive team members, sales reps, customer success managers, and analysts present, manning the booth and holding private one-to-one meetings. Of note, DarkOwl Chief Business Officer, Alison Halland, shared, “Great week of seeing new and friendly faces alike – tons of great conversations, especially at the booth which was a welcome change of pace – not just attendees looking for some freebies, but genuinely interested in what DarkOwl has to offer.” Magnus Svärd, Director of Strategic Partnerships, echoed that sentiment, “RSA this year was the busiest yet with a higher number of meetings compared to previous years. The names of the companies were top tier visiting the booth.”

Big shoutout to all our customers and partners that stopped by the booth to say hi, see the latest updates and provide feedback. These face-to-face conversations are invaluable to us as we work towards making darknet data relevant, actionable, and digestible for all our clients!

Showcasing Customers and Partners

This year, we were happy to host several sessions at our booth, highlighting the work that we do with different customers. We hosted OSINT Combine, Silobreaker, Authentic8 and Datastreamer. This was a great way to showcase how we work together. Below, we briefly summarize how DarkOwl works with each of these companies.

This collaboration empowers OSINT Combine’s clients with access to DarkOwl’s extensive darknet database, bolstering their open-source intelligence capabilities and enabling them to address complex operational requirements more effectively through training, software solutions, and consulting services. Read more.

DarkOwl’s robust darknet data enables our customer, Silobreaker, to provide their customers enriched monitoring of deep, dark web and dark web adjacent sites to help identify risk at scale and drive better decision-making. Use Case here.

This partnership brings together the advanced technologies and expertise of both Authentic8 and DarkOwl to address the escalating challenges posed by cyber threats. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet. Read more.

With Datastreamer and DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. Learn more.

Product Highlights

Ahead of RSA, the team put together several product highlights and updates to share on the show floor. Below, we outline a few of them, but a full blog of Q1 product highlights can be found here and a summary 1-Pager here. Curious about how any of these can help your use case? Contact us!

Last quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

Last quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.

On Tuesday night, for the first time, DarkOwl hosted a happy hour after the show floor closed… and what a fun night! We’d like to extend a huge thank you to our co-sponsors, Doppel, OSINT Combine, and Socialgist. From networking with net new prospects, current customers, partners and everything in between, it was a great event and we hope that everyone that attended enjoyed their evening. If you didn’t get an invite this year, make sure to ask for an invite next year! We would love to see you and look forward to hosting again!



Engineering Insights into Information Stealers

May 28, 2024

In December of 2023, DarkOwl analysts released a blog answering the burning question of “What are Stealer Logs”. In another piece, DarkOwl analysts presented an overview of the different types of Information Stealers (Info Stealers) that are sold on the Darknet.

Now, DarkOwl would like to shed some insight into info stealers from an engineering perspective, to further explore the functionality, specific behaviors, and technical characteristics of this sophisticated form of credential theft.

Info Stealers infiltrate systems and compromise data primarily through social engineering attacks. Common tactics include but are not limited to:

  • Phishing Emails
  • Malicious Websites
  • Exploiting Software Vulnerabilities
  • Remote Access Trojans (RATs)
  • Removable Media Attacks
  • Drive-by-Downloads

Info stealers are very sophisticated forms of malware, and the complexity of their modular architecture often allows them to go undetected even by anti-virus software. While each type of info stealer varies in its level of refinement, as they are still relatively new but rapidly evolving, this review will focus on generalizing key elements commonly found in info stealers. Info stealers are known for their evasion techniques and for targeting what people most want to protect: their private information, credentials, and financial data.

Part of what makes info stealers so sophisticated is their complex modular architecture. A simplified overview of that architecture includes the following key elements:

  1. Core Engine Module
  2. Communication Module
  3. Data Collection Module
  4. Encryption Module
  5. Exfiltration Module
  6. Evasion Module

To understand what each of these modules is and its function within a stealer, we will review each term and look at a very basic version of the complex code used to design an information stealer.

Core Engine Module

This serves as the central intelligence hub of the info stealer and manages its functionality. The core engine drives tasks such as the initialization and configuration of all the other modules, coordinating their actions. It also initializes the malware, establishes communication with the command and control (C2) server, and houses the execution code for the other five modules.

Below is a basic sample of what part of the code for a Core Engine could look like:

  • Keylogger – provides a basic framework for logging keystrokes
  • log_keystroke – this captures and logs keystrokes
  • save_logs – method used to save and send the logged keystrokes to a remote server
  • start_logging – acts as a place holder for when to start the keylogging process

Communication Module

This establishes and maintains communication with the C2 server, handles sending/receiving commands, transmission of stolen data, and maintains a covert channel of communications. Generally, this module will have some form of encryption in place to prevent the interception of the data that is being stolen as well as protecting the location of where the stolen data is being sent.

Below is a basic Communication Module code to demonstrate part of the module’s functionality:

  • requests – this library is used to send HTTP requests to the C2 server
  • send_request – sends what is called a POST request to the C2 server’s URL, which returns a JSON response
  • handshake – initiates communication with the C2 server and contains information about malware versions, system architecture and contains the installation ID
  • execute_command – simulates the execution commands from the C2 server
  • exfiltrate_data – simulates the exfiltration of the stolen data

Data Collections Module

The responsibility of this module is to identify and harvest the data the threat actor is after once the system has been infected. The Data Collections Module can house a large array of submodules for the specific forms of data the threat actor wants to collect. Common forms of data such as PII, financial data, device information, geolocation, and personal photos would each require their own submodule to identify. In addition to the targeted data, the Data Collections Module also collects from numerous other sources such as browsers, system files, and apps installed on the device.

Below is a basic example to demonstrate the structure and functionality of the Data Collections Module often found in info stealers:

  • keystroklogger – mentioned above in the core engine module
  • NetworkMonitor – captures network traffic (a placeholder) and sends it to a remote server.
  • DataExfiltration – mentioned above in the core engine module
  • if __name__ == "__main__": – this block creates an instance of each of the three submodules and starts separate threads to run their respective functions concurrently

Encryption Module

This provides the cryptographic functionality and encryption keys used to communicate with the C2 server. Ironically, strong encryption algorithms (AES) are used to prevent interception of, or “unauthorized” access to, the data that is being stolen. Only instead of protecting the device owner from the threat actor, it protects the threat actor from the device owner and the authorities, and it helps keep the info stealer from being flagged by malware detection.

Below is an example of one type of AES encryption routine often used in info stealers:

  • EncryptionModule – methods for encrypting/decrypting data with the use of the AES algorithm
  • encrypt_data – takes plaintext data, encrypts it using AES, and outputs the encrypted data as a base64-encoded string
  • decrypt_data – does the reverse action of “encrypt_data”
  • if __name__ == "__main__": – generates a random encryption key

Exfiltration Module

This module handles the transmission of the stolen data once it has been encrypted. Exfiltration module formats the encrypted data into messages and sends them through the communications channel established by the communications module. This module often includes contingencies for when there are network interruptions, failed transmissions, and bandwidth issues.

Below is an example of the type of code that could be used in the Exfiltration Module:

  • ExfiltrationModule – this is a class that will provide a method to send the stolen data to the remote server
  • send_data – takes the stolen data as an input and sends it to the designated server URL
  • if __name__ == "__main__": – creates an instance of the exfiltration module with the URL of the remote server
  • data_to_exfiltrate – stolen data is sent to the remote server

Evasion Module

Just as it sounds, this final module is responsible for the tactics used to evade malware detection by software and humans. Some common evasion techniques include polymorphism, obfuscation, and anti-debugging to hide the malware. This module acts as a chameleon, continually adapting and evolving to remain under the radar. It is highly scalable and adaptable to the various environments and target systems, but below is a simple example of what the code could look like.

  • EvasionModule – defines the methods for simulating normal user activity while detecting virtualization/sandboxing and analysis tools
  • simulate_normal_activity – mimics typical user behavior, by opening files, browsing websites, or launching apps to hide amongst legitimate activity
  • detect_virtualization AND detect_analysis_tools – check for signs of virtualization/sandboxing and the presence of analysis tools
  • evade_detection – continuously runs evasion checks
  • if __name__ == "__main__": – the EvasionModule class is instantiated, and the evade_detection method is called to start the evasion process.

There is no doubt about it, information stealers are a formidable threat to cybersecurity on multiple levels. Info Stealers are sophisticatedly engineered to stealthily execute malicious intent. By studying the architecture, functionality, and technical characteristics through an engineering perspective, cybersecurity analysts can gain a deeper understanding of how to create effective countermeasures and create robust detection strategies.



Privacy Bypass WebTunnel 

May 23, 2024

Internet censorship is arguably one of the most critical threats to freedom of expression and access to information today. This is especially true in countries where access to information is restricted by governments or other controlling entities, which use a variety of tools, techniques, and technology to block access to particular websites and publicly available content. The Tor Project's response to such targeted censorship is WebTunnel.

In this blog, DarkOwl analysts summarize WebTunnel (not to be confused with TORTunnel): what it is, how it is implemented, and the impact it has.

Image 1: Source: Tor Blog

Released March 12th, 2024, WebTunnel is a new type of bridge developed by the Tor Project that lets users bypass censorship by disguising Tor traffic as ordinary encrypted web traffic; in effect, it hides the traffic in plain sight. The bridge wraps the Tor connection in a WebSocket-like HTTPS connection to a web server that shares the bridge's network endpoint, so to a censor's filtering tools the connection looks like a browser visiting an HTTPS website on that host, and blocking it means blocking the website too. The Tor Project designed WebTunnel to be easy to use and simple to deploy.

Key Features:

  • HTTPS Tunneling:
    • Wraps Tor traffic in an HTTPS connection so that it resembles ‘normal’ HTTPS traffic
  • Obfuscation:
    • Disguises Tor traffic so that network filters cannot readily fingerprint it
  • User-Friendly Interface:
    • Configured from Tor Browser's bridge settings with a single bridge line, no extra tooling required

Configuring Tor Browser to use the new WebTunnel transport is easy. Users navigate to the Tor Project's bridges resource (https://bridges.torproject.org/) from any browser, select “webtunnel” as the transport, and copy the provided bridge line. They then open Tor Browser, select “add a bridge manually”, paste the copied line, and restart the browser. No further modifications or configuration are required.
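The same bridge can also be configured by hand in a torrc, for example on a Linux host running the tor daemon rather than Tor Browser. This is an added example, not configuration from the original post or from the Tor Project: the bridge line is a placeholder in the format Tor publishes (address, fingerprint, url= and ver= parameters), and the plugin path assumes the lyrebird pluggable-transport binary, which bundles the WebTunnel client in current Tor Browser releases.

```text
# /etc/tor/torrc -- added example; every value below is a placeholder, not a real bridge
UseBridges 1

# Path to the pluggable-transport client (assumed: lyrebird, which ships the
# webtunnel client; adjust to wherever your install puts it)
ClientTransportPlugin webtunnel exec /usr/bin/lyrebird

# Paste the line obtained from https://bridges.torproject.org/ (transport "webtunnel").
# Format: webtunnel <ip>:<port> <fingerprint> url=<https URL of the bridge's path> ver=<version>
Bridge webtunnel 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 url=https://example.com/secret-path ver=0.0.1
```

Run `tor --verify-config` after editing to catch a malformed bridge line before restarting the daemon; the url= value is the only part a censor cannot learn from the wire, so it should be treated like a secret and not shared beyond the bridge's intended users.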

Tor gives individuals a means to protect their privacy and anonymity online, letting them browse internet-connected resources without revealing personal or location data. WebTunnel has the potential to significantly improve censorship evasion by giving users an easier, more effective and more reliable way to reach restricted content.

The availability of features like WebTunnel also affects corporate security and further extends the corporate risk surface. Corporate security policies and technology often lock down networks and devices to protect the organization; anonymity-driven tools and features let users bypass those defenses and browse the totality of the internet, both good and bad. It is fair to assess that most users who rely on privacy-driven tools to bypass corporate security policies, technology, and controls are not doing so out of spite or hostility toward the organization; more often they lack guidance and information on why these tools and features should not be used to circumvent corporate defenses.

Educate users on the risks that bypass tools expose the organization to and on why such tools are not allowed inside the corporate environment or on corporate devices, so that staff understand the potential impact and outcome. Tor is a tool, neither good nor bad until a user puts it to a purpose. Encourage staff to include the security of the organization in their decisions.



Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.