Disclaimer: DarkOwl does not endorse nor support these vendors, sales, or listings in any way. DarkOwl has historically partnered with organizations such as the Global Emancipation Network and Kruger Park to eradicate human and animal exploitation.
It’s always a difficult topic to research, but calling attention to the online dark web forums, markets, and Telegram operations that sell and harm animals is an absolute necessity to give a voice to innocent creatures and draw legal attention to this cause. Like many things, animal sales have been augmented by the ease and speed of technology and the perceived anonymity of the dark web.
DarkOwl observed recent trends concerning the online sales of animals and animal products in 2021, including sales of reptiles and bears; offering objects made from less-common animal materials such as ivory or exotic fur; and a steady interest in dog fights.
In this blog, we aim to cover the latest identified trends in nefarious animal activity on the dark web and adjacent platforms to call awareness to these practices as well as the efforts to stop the harm of innocent animals. We have provided a list of online links and resources to contribute to the effort at the end of this blog.
Actors Attempt to Hide
Selling any live creature online could and should attract the attention of law enforcement and animal rights groups. For instance, dog fighting is illegal in all but five countries worldwide, and there are constant efforts to break up dog fighting rings and the sales of the dogs themselves. Selling rare materials from endangered animals, such as ivory, which is often procured from poachers, can result in fines and other legal action. However, actors who participate in these kinds of sales and events know to watch the vocabulary and keywords they use in posts when advertising and selling.
Animal abusers know that law enforcement officials and animal rights groups monitor deep and dark web forums and marketplaces for any information that could help shut down illegal animal activity. Advertisements for anything involving animals are therefore usually vague, offering only a preview of the kind of animal for sale or the kind of activity being advertised, and require logins and other vetting steps before interested parties can gain access, in the hope of rooting out investigators and validating user interest:
Figures 1 and 2: Conversations about animal abuses on the darknet found in DarkOwl Vision
Exotic Animals for Sale
The exotic animal and wildlife trade is another sphere of illicit trade found on the darknet. Illegal wildlife trafficking is estimated to be the third largest illegal business in the world after drugs and weapons. The following findings from DarkOwl Vision introduce some of the leading vendors in the darknet wildlife trade community, along with their sources.
“The Dark Jungle” is an onion site that considers itself “…the dark web’s premier classified site” and offers turtles and snakes, as well as animal products such as fur jackets, for sale. It has been around long enough to have migrated from a V2 onion address, which has only 16 characters, to a V3 onion address with 56 characters.
Figure 3: The Dark Jungle homepage
Darknet-adjacent platforms such as Telegram have been used to advertise sites, including clear net sites, which offer exotic animals for sale. Bears are the feature of this June 2023 Telegram post, which offers a link to a website where they can be purchased. DarkOwl will not publish the link so as not to drive traffic to the website:
Dog Fighting
Unfortunately, dog fighting has long been a popular pastime, especially in places such as the Philippines. As of 2023 it is still legal in Russia, Japan, Honduras, Afghanistan, and Albania. Even in nations with criminal laws against this activity and fines, many people still choose to engage in dog fighting, and use anonymous platforms to organize and conduct these events.
The dark web also merges this activity with its other illicit markets: actors solicit drugs for “fight dogs” to improve their performance in fights, combining the underground narcotics trade with illegal animal activities:
Dog fighting activity continues to gain traction and spread to other geographical areas – Iran and China also have dog fighting rings and sales on Telegram. DarkOwl will not publish the content of the channels. However, below we show some examples of the channel information.
A Persian dog fighting channel, offering the sale of “war dogs”:
Figure 4: Source: Telegram
This Russian channel discusses the history of dog fighting in Moscow, and how it has evolved as a sport with an avid fanbase:
Figure 5: Source: Telegram
People from backgrounds of all kinds participate in horrific activities involving dogs. Not long ago, news broke of a United States Pentagon official leading a dog fighting ring. It’s not just famous people from movies, TV, and sports industries. Politicians and governing officials also get involved as we can see in the example below from Telegram:
Ear Cropping
Ear cropping is the practice of surgically altering or removing the ears of dogs. It is legal for certain breeds in some countries, including the US, where it is justified on hygiene grounds. In other countries, such as the UK, the practice is totally illegal. The RSPCA reports that it is seeing an increase in ear cropping in the UK because celebrities and influencers are “glamorizing” the look. DarkOwl analysts have identified mentions of this practice on the dark web and adjacent sites.
As of October 2023, DarkOwl analysts identified an onion site that offers ear cropping videos and examples. It is unclear where these were recorded, and whether it was in a country where the practice is legal, but it highlights that there are individuals who wish to view this type of content.
Deception Methods
As animal rights activists use technology to combat these activities, the people behind them adopt methods intended to fool legitimate animal sellers, such as bringing children or other family members along when they go to purchase an animal. On the Telegram channel below, users discuss how some people use children or other family members to hide that their animal purchases are actually for fighting:
Online Efforts to Combat Animal Abuse
There are also many petitions and people identifying harmful practices, such as puppy farming, on these platforms. They combine their efforts with other social media sites, such as Facebook, to spread the word about harm to animals and enlist civilian and government support for harsher penalties. Below is a Facebook post identifying Irish puppy farmers.
An Australian user also comments on how common puppy farming is, and shares a resource to help prospective pet owners avoid buying from such breeders:
Final Thoughts
Previously, DarkOwl predicted that like many other activities, animal trading and sales of exotic animals and exotic animal materials could move to darknet-adjacent platforms such as Telegram. The trends we see now, in the fall of 2023, confirm this move continues to these platforms, and also includes some social media platforms such as TikTok and Reddit. An upside to this trend is that some of these platforms can be easily monitored and tracked, reducing these horrible activities and hopefully bringing about the arrests of those involved. Additionally, social media sites are more likely to respond to takedown requests, while little action can be taken against dark web sites.
Despite activist efforts, these online activities continue, and without intervention from law enforcement and animal welfare groups they will unfortunately go on.
If you’d like to contribute to the effort to stop the animal activities described in this blog, or learn more about general efforts to save animals, please see:
Despite claiming a mostly isolated status for the past four decades since the 1979 revolution, Iran manages to send personnel and/or weapons to many major conflicts around the Middle East region, quietly participating in and shaping world events while retaining plausible deniability. Additionally, its cyber capabilities have quickly grown and improved, meaning it is able to act in the digital realm as well, while obfuscating those activities too. As Iran trains guerrilla fighters, trains and funds militias that actively attack Western military bases and personnel in the Middle East region, and couples these physical activities with digital aggression, it must be closely monitored to properly understand its growing capabilities and level of involvement in various conflicts.
Iranian ground activity in Iraq was observed at the beginning of the US invasion in 2003, where coalition forces routinely encountered Iranian influence and weapons. Despite the formal end of coalition efforts in Iraq, Iran has had and maintains a proxy presence in multiple Middle East conflicts, including active foot soldiers in Yemen, Syria, Lebanon, and other Middle Eastern states and present-day conflicts. Iran has recently sent fighters and weapons to Belarus to support Russian aggression in Ukraine, expanding its operations and support to a European conflict.
Iran’s support for various militant groups with weapons, funds, cyber operations, and personnel, both inside and outside active conflicts, is nothing new, which is why analysts are exploring its role, if any, in the current conflict between Israel and Hamas. Dating back to the Lebanese civil war in the 1970s, Iran saw an opportunity to simultaneously support fellow Shiites and oppose Israel. Iran funded the Shiites and offered formal training to the guerrilla groups, which coalesced into Hezbollah. Iran continued to fund, train, and arm Hezbollah throughout the conflicts of the 1980s, such as the Southern Lebanon War, and the 1990s, when Hezbollah carried out kidnappings, suicide bombing attacks, and direct military battles along the Israeli border. In the 2000s, Hezbollah established Unit 3800 to target coalition forces in Iraq. During the 2010s, Hezbollah and IRGC forces protected and supported dictator Bashar al-Assad in Syria.
The methods of support will vary in this latest conflict depending on the possible involvement of other major military powers, the use of drones and other remote weapons, and the digital augmentation of physical attacks, including possible cyber warfare. This blog explores Iran’s recent activity, security posture, and response to the conflict between Hamas and Israel.
For many years Iran has consistently publicized controversial opinions to further its authoritarian views and leadership in the world using its state-controlled media:
Anti-Western ideas are advertised with galvanizing calls for participants to rise up and join forces to remove Western ideology, culture, and personnel from the Middle East region. The current conflict is no different: hybrid physical and cyber components are being used, and Iran hypes them up to maintain activity in pursuit of its goal of regaining international standing and returning to global-power status, as opposed to the isolated stance it has sustained since the 1979 revolution.
Prior to the October 7, 2023, attack on Israel, multiple news outlets claimed that contingents of Hamas fighters trained at Iranian facilities in September 2023. Considering that Hamas went notably quiet in the months leading up to the attack, with reduced Telegram and other online activity, and that leading intelligence agencies reportedly lacked insight into the coming attacks, these claims are difficult to substantiate, but merit observation.
Hezbollah
Lebanon-based Hezbollah, whose name means “the party of Allah,” is a Shiite political party and militant group. The group took advantage of the Lebanese civil war to position itself in power in the area.
Political party: حزب
Allah: الله
Hezbollah is anti-Western influence and anti-Israel:
The Iranian theocracy took to supporting Hezbollah in the 1980s, nurturing them from a low-level, poorly organized militia into the regional powerhouse they are today with a healthy annual budget. While the exact amount is unknown, estimates from global governments put the operating budget in the hundreds of millions of dollars. The size of Hezbollah is also a rough estimate at 30,000 people, but this is impossible to confirm. They vow to expel western influence from the Middle East region, and use improvised explosive devices (IEDs), guerrilla tactics, and other asymmetric warfare in their physical operations. Hezbollah also provides Iran with plausible cover to deny their involvement in any operations Iran doesn’t want to publicly claim.
Considering the ties to Iran, it is no surprise that as Iranian cyber capabilities grew, so too did Hezbollah’s. Like so many other groups during times of conflict, Hezbollah adopted cyber capabilities to augment its physical and psychological operations. As far back as 2006, Hezbollah launched cyber attacks against multiple countries that supported Israel during the 34-day war. In 2015, Hezbollah conducted operation “Volatile Cedar,” which targeted Israeli defense sector websites and assets.
Currently, the group runs numerous Telegram channels in various languages that promulgate Iranian and Syrian state narratives and propaganda:
In the current conflict, Hezbollah has physically attacked Israeli defenses and equipment on the Israel/Lebanon border. It has also established Telegram channels specifically for this conflict to share war videos and document events as they unfold, which DarkOwl is actively monitoring:
Kata’ib Hezbollah
Kata’ib Hezbollah, or “The Brigades” of Hezbollah, is the branch of Hezbollah that specifically operates in Iraq, with limited activity also observed in Syria. They are funded, supported, and trained by Iran as well as Lebanese Hezbollah. They have involved themselves in the Israel-Hamas conflict by declaring war on U.S. entities in Iraq and attacking them as retribution for U.S. support to Israel:
Badr Organization
The Badr Organization, a Shiite entity also funded and trained by Iran, is another group active in Iraq. Much like Kata’ib Hezbollah, it has publicly issued threats, criticizing US support for Israel and threatening US entities in the region:
Houthis
Ansarullah, “Partisans of Allah,” are better known as the Houthis, after the name of the tribe from which they emerged in Yemen:
Partisans/supporters: أَنْصَار
Allah: الله
Both the Government of Iran and the militant group Hezbollah provide arms, training, and financial support to the Houthis, a Shiite party of fighters who target Western forces, Jewish residents of the Middle East, and other Middle Eastern nation states such as Saudi Arabia and the United Arab Emirates.
Iran’s support for the Houthis is measurably less than the support it provides to Hezbollah. Much like Iran, the Houthis rely on irregular guerrilla warfare tactics to remain elusive and unpredictable, yet effective. Based in Yemen, the Houthis have furthered Iran’s proxy efforts by launching attacks against Saudi Arabia and other Gulf states from war-torn Yemen. These proxy groups are also involved in the latest Middle East conflict, both physically, claiming drone and missile attacks, and digitally, galvanizing support for Palestine and Islam on Telegram and other chat platforms:
Telegram channels that follow the conflict have also recounted training, drills, and other Houthi activity, bringing the group into the media of war coverage:
A Yemeni political figure demonstrates how the Houthis also turned to Telegram, and are engaging international parties in the current Middle East conflict:
In addition to the more infamous Iranian proxy groups, other splinter supporters and lesser-known groups have emerged in both the digital/physical realms and espoused their support for Hezbollah, Hamas, and/or general pro-Palestinian efforts. Accessibility and connectivity make it easy for anyone with a device and connection anywhere in the world to jump into the fray of conflict and espouse their opinions. As this conflict rages on, more groups are expected to emerge. Their actual ties to bodies like the Governments of Iran, Syria, and other groups with an interest in the Middle East region will require diligent research and vetting.
Conclusion
Despite its self-described global isolation, which Iran blames on the US and the UK, Iran constantly involves itself in regional events in the Middle East, whether by funding, training, and arming its many proxy groups, conducting offensive cyber attacks, or both. Considering its decades-long history of involvement, Iran will stay enmeshed in the current Israel-Hamas conflict by arming Hezbollah and Hamas with drones and missiles, propagating pro-Islamic, anti-Western, and anti-Israeli messages on Telegram and other social media platforms, and bolstering support for ridding the Middle East region of Western influence in general.
In 2024, DarkOwl plans to cover Iranian cyber and physical efforts in more depth, including Telegram and dark web activities, the Government of Iran’s targeting of domestic and civilian populations during recent civic strife, its use of technology to track Iranian dissidents, the state of Iran’s cyber program (both state sponsored and criminal), and more. Make sure to register for our weekly newsletter to get the latest.
Blackbird.AI extends its leadership position in narrative intelligence to gain insight into narrative attacks, misinformation, and disinformation across the dark web.
Blackbird.AI, the leader in AI-driven Narrative and Risk Intelligence, today announced a partnership with DarkOwl, the leading provider of Darknet Data, to enable organizations to identify narrative attacks across the dark web. This expands Blackbird.AI’s comprehensive visibility of narrative attacks that today include social media, news, forums, podcasts, and more.
Darknet and messaging apps are historically complex, noisy, and opaque social platforms frequently used by bad actors to develop and deploy harmful narratives and cyber attacks. Through this partnership, which combines Blackbird.AI’s Narrative Intelligence Platform with DarkOwl’s unparalleled dark web discovery capabilities, organizations gain valuable insights that have historically been difficult for cyber and communications professionals to see and protect themselves against. Darknet and messaging app data from the DarkOwl collaboration will also facilitate detailed reporting from Blackbird.AI’s RAV3N Narrative Intelligence and Research Team.
Narrative attacks are a new blind spot for organizations across the globe. Narratives are ‘any association that shapes perception about a person, place or thing in the information ecosystem.’ The risk comes when narrative attacks scale and turn harmful, creating financial and reputational harm. An estimated $78B a year is lost due to narrative attacks, with publicly traded companies losing approximately $39 billion annually due to disinformation-related stock market losses.
“Our Constellation Narrative Intelligence Platform is designed to detect narrative attacks and manipulation, including misinformation and disinformation,” said Wasim Khaled, CEO and Co-founder of Blackbird.AI. “Our partnership with DarkOwl substantially expands our ability to help organizations protect themselves from harmful narratives being propagated across the darknet. Giving our customers the ability to identify these narratives for better strategic decision-making is incredibly powerful and necessary where a single narrative could inflict significant financial and reputational harm.”
Getting early knowledge about emerging narrative attacks is a critical need to inform key stakeholders and the executive team to determine what countermeasures they can put in place to minimize the impact of the attacks. Narrative attack use-case examples include Geopolitical Risk, Breaches, Perception Attacks, Insider Threats, Supply Chain Risk, Critical Manufacturing, Critical Infrastructure, Due Diligence / M&A / Corporate Intelligence, Physical Security, Crisis Management, Stock Manipulation, Brand Reputation/Risk, and Financial Market Exposure.
“DarkOwl offers the world’s largest commercially available database of information continuously collected from the darknet, giving Blackbird.AI and their customers the ability to turn this data into a powerful tool to identify narrative risks at scale and drive better decision-making,” said Mark Turnage, CEO of DarkOwl. “Our darknet datasets are updated from tens of thousands of sites across multiple darknets daily and will be made available through Blackbird.AI’s Constellation Platform, allowing their users to parse and analyze the data for specific narrative attack use cases.”
To learn more about the partnership, see the fireside chat between the companies’ CEOs and the corresponding blogs from DarkOwl and Blackbird.AI.
About Blackbird.AI
BLACKBIRD.AI protects organizations from narrative attacks that cause financial and reputational harm. Powered by our AI-driven Narrative Intelligence Platform, Constellation, organizations can proactively understand narrative threats as they scale and become harmful for better strategic decision-making. Blackbird.AI was founded by a diverse team of AI experts, threat intelligence analysts, and national security professionals with a mission to defend information integrity and fight a new class of narrative threats. Learn more at Blackbird.AI.
About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried safely and securely without accessing the darknet itself. Customers can turn this data into a powerful tool to identify risk at scale and drive better decision-making. For more information, contact DarkOwl.
Mark Turnage, CEO and Co-Founder of DarkOwl, and Wasim Khaled, CEO and Co-Founder of Blackbird.AI, sat down for a fireside chat to discuss emerging trends with darknet adjacent sites, such as Telegram and Discord, and narrative attacks. Their interview is transcribed below.
Today, Blackbird.AI, the leader in AI-driven Narrative and Risk Intelligence announced a partnership with DarkOwl, the leading provider of Darknet Data, to enable organizations to identify narrative attacks across the dark web. This expands Blackbird.AI’s comprehensive visibility of narrative attacks that today include social media, news, forums, podcasts, and more. The full press release can be found here.
Interview with Mark and Wasim
Mainstream apps like Discord and Telegram are gaining popularity among hackers. Why do you think they are migrating away from the dark web?
Wasim: Narrative attacks are now part of many cyberattacks. Mainstream apps like Discord and Telegram are gaining popularity among hackers because increased law enforcement monitoring has pressured dark web hacker forums. These apps make it easier for hackers to coordinate because apps like Discord and Telegram offer more moderate anonymity but increased accessibility compared to the difficulty of accessing the dark web. It’s also effortless for narratives to proliferate across channels and groups with little friction.
Mark: As Wasim said, there has been a considerable uptick in recent years of marketplaces and forums being “disrupted” and taken down by law enforcement activities on the dark web. For example, Breached Forums, Monopoly Market, and Genesis were taken down just this year. This has led to a lot of mistrust by users on these forums who believe that they are being watched or that their infrastructure is unsafe. So they are looking for other means of communication. Platforms like Telegram are utilized for marketplaces and forums like the dark web, using public channels but also allowing users to have private messaging, giving them more security and anonymity. Platforms like Telegram are much more accessible to users, easily accessed from your phone, and for some users, this is better than configuring your Tor browser, etc. Telegram also traditionally has not cooperated with law enforcement. Using dark web adjacent sites can also give the appearance of legitimacy, as legitimate users can often use these. Groups like left- and right-wing extremists use these channels and surface web forums. Also, groups like the Taliban are active on these sites.
The dark web allowed anonymity but was difficult to access. How do Telegram and Discord offer hackers more moderate anonymity but increased accessibility?
Wasim: The dark web allowed anonymity but was difficult to access. Telegram and Discord offer hackers more moderate anonymity, but the improved accessibility of mainstream apps makes them attractive alternatives.
Mark: While the dark web continues to be an area where criminals congregate to sell goods and discuss illicit activities, we are seeing other platforms emerge as also being used by these groups. Many of these chat platforms and networks include legitimate channels and communities and could even be casually considered a form of ‘social media.’ Despite this, DarkOwl refers to chat platforms such as IRC, Telegram, and qTox that have considerable use by darknet cyber criminals as ‘darknet adjacent’ for their role in persisting illicit goods trade, fraudulent activities, and cybercrime.
What are some examples of narrative attacks and disinformation that can spread about companies?
Wasim: Examples of narrative attacks and disinformation aimed at companies include spreading misleading or outright false information about harmful products, leadership misconduct, unethical business practices, or other damaging claims.
Mark: Regarding nation-state examples, with the emergence of the Russian invasion of Ukraine, messaging apps have become an essential means of communication between militant groups and sharing information/disinformation with wider groups of people. Wagner, the Russian PMC group, also uses Telegram. These sites have a much larger reach than the traditional dark web sites.
How can narrative attacks and disinformation about a company’s products be harmful?
Wasim: False claims about product defects, safety issues, or performance can erode consumer trust. This may discourage purchases. Correcting false claims is difficult if disinformation has spread widely online or in the media. Lost revenue and reputational damage can result. Narrative attacks and disinformation targeting a company’s products can inflict significant harm by eroding consumer trust and tarnishing brand reputation. Misleading or polarizing information quickly goes viral in today’s hyper-connected world, leading to a cascade of negative effects such as plummeting sales, increased customer churn, and even regulatory scrutiny. The long-term impact can be even more damaging because once a narrative takes hold, it can be tough to change, causing lasting harm to market share and growth prospects. In the worst-case scenario, a successful disinformation campaign can trigger a crisis of confidence among stakeholders, ranging from customers and employees to investors, severely undermining the company’s competitive standing and even jeopardizing its existence.
Mark: I would add that due to all those examples, disinformation can even lead to legal action against a company in some cases. On the darknet, we see disinformation-as-a-service frequently. It is definitely on the rise. Threat actors trade social media accounts and their influencers – accounts sold in bulk that could be easily leveraged for disinformation or misinformation campaigns by a foreign government or agency with malicious intentions. There are several examples the DarkOwl team has found where a threat actor group offers for a fee to erase news, website pages, results from search engines, YouTube videos, and negative comments on forums and create posts, reviews, and news to positively or negatively affect a company.
How do narrative attacks target politicians, thought leaders, and company leadership?
Wasim: Conspiracy theories and false and inaccurate narratives about executives can undermine their credibility and leadership. False claims about illegal or unethical actions by leaders can also trigger costly investigations or lawsuits, while share prices may fall due to uncertainty. The company may have to spend significant resources defending and communicating the truth.
Mark: The darknet is a known playground for disinformation campaigns, and its users are wise to detect disinformation, especially across anonymous image boards where several controversial groups like QAnon participate. The team wrote a blog a while back where one anonymous user on endchan advised, “Don’t be fooled by disinformation. They almost always use truth but wrap it in disinformation,” noting the prevalence of outrageous conspiracy theories historically across the internet.
This interview continues diving into narrative attacks on the Blackbird blog here.
About BlackBird.AI
Blackbird.AI helps organizations detect and respond to threats that cause reputational and financial harm. Powered by their AI-Driven Narrative & Risk Intelligence Constellation Platform, organizations can proactively understand risks and threats to their reputation in real-time. Blackbird.AI was founded by a team of experts from artificial intelligence, and national security, with a mission to defend authenticity and fight narrative manipulation. Recognized by Forrester as a “Top Threat Intelligence Company,” Blackbird.AI’s technology is used by many of the world’s largest organizations for strategic decision-making.
Introducing DarkOwl’s new addition to our Vision UI platform, Actor Explore
November 08, 2023
Introduction
In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.
One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who are responsible for conducting attacks, often targeting organizations, governments, or individuals. Understanding why they operate, what they hope to achieve, and which methodologies they use can assist analysts in protecting infrastructure and predicting future activities.
Why Are Threat Actors Important?
Motivations for conducting these attacks vary greatly, from financial gain to espionage to geopolitical events, to name just a few. It is important to understand the motivation of threat actors, as this helps identify what they are trying to achieve and what threats they might pose to certain organizations, industries, or even countries.
Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into actors’ strategies. This information can be invaluable in understanding how attacks are executed and in identifying potential vulnerabilities in an organization’s defenses.
Attribution is the process of determining the real individuals behind an attack. Knowing who is responsible for an attack not only helps with law enforcement efforts but also serves as a deterrent: when malicious actors know that they can be identified and held accountable for their actions, they may think twice before engaging in criminal activities. However, true attribution is not always needed. Knowing what activities a group is conducting and who its victims are can help us understand what will happen next and learn from past attacks.
Actor Explore
Today, DarkOwl has launched Actor Explore, which allows users to review analyst-curated insights into threat actor groups active on the darknet and beyond. We explore the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Here we examine three of the groups available in Actor Explore, along with the motivations, methodologies, and TTPs that each group uses.
Anonymous Sudan
Anonymous Sudan are a hacktivist group who are very active on Telegram, running their own channel, which regularly publishes details of the attacks they are undertaking and re-posts information from affiliated groups such as Killnet.
They appear to be politically and religiously motivated, targeting countries or organizations they perceive to be anti-Muslim or pro-Western. However, security researchers have hypothesized that the group is backed by Russia, given their links to pro-Russian groups, their way of operating, and the financial backing they appear to have.
Figure 1: DarkOwl Actor Explore result for Anonymous Sudan
The group emerged in early 2023, when they began conducting distributed denial-of-service (DDoS) attacks against organizations in Sweden and Denmark. DDoS appears to be the main method of attack they have adopted, and they often evidence their success by posting images of the downtime of their victims’ websites.
The group’s current Telegram channel was created in September 2023, when they claimed that their original channel had been banned by Telegram. In response, they attacked the Telegram website, causing issues and downtime for Telegram users. The attacks appeared to continue throughout the month.
Later that month the group targeted a number of US companies, including Netflix and Hulu, which it stated was a response to US interference in Sudanese internal affairs.
Figure 2: Anonymous Sudan Telegram channel
In response to the Hamas incursion into Israel, Anonymous Sudan pledged their support to Palestine and announced that they were attacking “some critical endpoints in the alert systems of Israel, which may affect the Iron Dome.” The post was made in English and Arabic; previously, several posts had been in English and Russian. The group went on to target the Jerusalem Post, as well as “Western” news outlets that it claimed were sharing fake news, such as the New York Post, the Washington Post, and the Daily Mail. At the time of writing, the attacks have predominantly been aimed at US corporations.
Figure 3: Anonymous Sudan Telegram channel
This group has shown the capability to take high-profile websites offline for varying periods of time. While they appear to be politically motivated and claim to be from Sudan, researchers have cast doubt on this, highlighting why it is important to understand a group’s motivations, what activities they are conducting, how they operate, and with whom. DarkOwl continues to track the activities of this group.
0xCee
Figure 4: Telegram ID for 0xCee
0xCee is an initial access broker (IAB) who is active on Telegram. They use a bot on their Telegram channel to verify that a user wishing to join is not themselves a bot, a level of sophistication that most Telegram channel administrators do not exhibit.
The user is active on several Telegram channels, where they have participated in chats and shared information. DarkOwl analysts have been able to identify the individual’s user profile as well as the private channel they use for selling access; building up identifying information in this way allows analysts to monitor the activity of threat actors.
Some of these channels have been used to advertise the access the actor has, with specifics about pricing as well as how many times they are willing to sell the same access.
DarkOwl analysts have seen other Telegram users complain that some of the data they purchased was old and that they did not receive the access that was advertised. 0xCee refused to provide any refunds on the data and insisted that it had been used incorrectly. Reputation is very important in darknet markets, as most purchases are made on faith; therefore, understanding these interactions can help analysts assess the risk posed when an IAB advertises access to an organization.
APT Groups
Advanced persistent threats (APTs) are considered highly sophisticated threat actors who usually operate over a prolonged period of time. An APT’s motivation often dictates how it operates: those committed to espionage try to hide their activities, those seeking to obtain intellectual property may be less concerned with concealment, and those that are financially motivated may publicize their activities through ransomware attacks, as with the Lazarus Group, which was widely reported to be responsible for the WannaCry ransomware attacks in 2017.
APT groups are difficult to track and are generally identified via the TTPs they use rather than through communications on darknet forums or platforms such as Telegram, but it is possible to identify common signatures they adopt which can assist with attribution. Identifying commonalities among victims can also help analysts determine the origin of an APT and its possible motivations; these can also be assessed by reviewing what information has been accessed or exfiltrated.
DarkOwl analysts track the tools utilized by APT groups, as well as details of their victims, the CVEs associated with them, and the dark web footprint of the actors. Using open-source intelligence as well as our darknet collections, details relating to these groups are tracked to assist analysts with their attribution efforts.
Figure 5: Screenshot of APT10 Threat Actor Group Profile in Actor Explore
Conclusion
True attribution is very difficult to achieve, and some Cyber Threat Intelligence Analysts would argue that it is not important. However, tracking available information about threat actors such as their motivations, TTPs, victims and activities can provide valuable intelligence which allows analysts to predict behavior and take proactive steps to protect their organizations.
DarkOwl sees the benefit of this information and has therefore created Actor Explore to provide our users with intelligence relating to threat actors active on the darknet and the wider threat actor community. This latest feature is designed to empower security professionals, researchers, and organizations with analyst-curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively.
DarkOwl is thrilled to announce the launch of Actor Explore, an exciting new addition to our Vision UI platform that provides invaluable insights into cyber threat actors.
With Actor Explore, access to comprehensive threat actor information is just a click away. Navigating the cyber threat actor landscape has never been easier. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor. Additionally, DarkOwl analysts provide extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more when available. Actor Explore connects this information to our other data sets, including the leak sites, ransomware sites, aliases, and cryptocurrency addresses that actors are associated with. This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose.
Cyber threats are continually evolving, and so are the threat actors behind them. The collection consists of threat actors in several categories, including state-sponsored groups, cybercrime-focused groups, ransomware groups, access brokers, exploit brokers and buyers, critical infrastructure attackers, and more. Actor Explore will be regularly updated with new information and actors, prioritizing client needs, ensuring that users have access to the latest intelligence to bolster their cybersecurity efforts and research.
DarkOwl’s Director of Product, Sarah Prime, expressed their enthusiasm about the launch, stating, “We believe this new feature will give our users insight about important threat actors and provide pivot points to where they appear in the darknet. We are committed to providing the most comprehensive darknet dataset, along with context and enrichment that helps our users understand evolving cyber threats.”
About DarkOwl
DarkOwl uses machine learning and human analysts to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org – Dark Reading
Threat actor group Lazarus has crafted a new backdoor used in operations targeting the aerospace industry. “LightlessCan” is a RAT, and Lazarus members are spreading it by impersonating Meta recruiters on LinkedIn. The actors send “coding challenges” that are supposedly “for a job interview”, which victims download to both their company and personal devices, spreading the malware. Read full article.
2. Magecart Campaign Hijacks 404 Pages to Steal Data – Dark Reading
Magecart is inserting malicious code into the HTML pages of various websites, with a focus on the food and retail industries. Magecart is an umbrella term; the collective is comprised of several different criminal actor groups who employ skimming and custom malware to steal PII and financial information from e-commerce websites. One of Magecart’s skimmers, Kritec, successfully impersonated third-party vendors like Google Tag in the spring of 2023. Article here.
3. US energy firm shares how Akira ransomware hacked its systems – Bleeping Computer
Akira actors first used stolen VPN credentials from a third-party contractor’s account to access internal BHI networks. This same account was used to conduct continued reconnaissance of the internal network. It took the actors just over a week (nine days) to take 767,000 files/690 GB of data. Exposed data included full names, SSNs, DOBs, and more PII of BHI customers. Read more.
The Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, a Confluence vulnerability, to escalate privileges and access Trigona’s Confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfiltrated the developer environment and information pertaining to Trigona’s crypto payments, as well as the back end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Read here.
Israeli hacking collective Predatory Sparrow recently reemerged after taking time off from digital operations. This group, which has historically targeted Iran, posted in Persian in their Telegram channel on Monday, October 16, asking if their followers were “…following what is happening in Gaza.” They also shared a link to the Iranian Mehr News Agency, which was down at the time. Learn more.
6. KillNet Claims DDoS Attack Against Royal Family Website – Dark Reading
KillNet caused the UK Royal Family’s website to be unavailable for 90 minutes on Sunday, October 1. KillMilk, the leader of KillNet, called the incident “an attack on pedophiles” – a reference to Prince Andrew’s ongoing scandal. Fueling the fire, Britain’s King Charles had recently condemned the Russian invasion of Ukraine in a public speech, and KillNet attempts to exact retribution on those who speak out against Russian actions. Read full article.
7. ALPHV ransomware gang claims attack on Florida circuit court – Bleeping Computer
ALPHV ransomware gang claimed responsibility for an early October attack against northwestern Florida courts. The attack possibly revealed social security numbers and other personal information of the court employees, as well as judges themselves. ALPHV also claims to have a network map of the court’s online systems, which likely includes credentials, leading to further network infiltration and possible lateral movement. Read full article.
8. BianLian extortion group claims recent Air Canada breach – Bleeping Computer
Ransomware group BianLian successfully breached Air Canada with their ransomware, claiming 210 GB of data. Air Canada acknowledged an incident in September 2023, but said that the stolen information was limited. BianLian shared screenshots on their ransomware page indicating that the employee data was only a part of what they stole, and that they also had technical information, such as an SQL database. Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space.
In this webinar, DarkOwl CEO Mark Turnage and Socialgist CRO Justin Wyman explore a variety of critical topics shaping the cybersecurity landscape:
Key VC Raises in Cybersecurity: Capturing Industry Attention
Understanding the Major Players: Who’s Raising the Stakes
Harnessing Security Solutions: How Organizations Protect Their Assets
Addressing the Talent Gap: Scaling with Data Aggregators and Services
Pioneering the Use of AI: How do LLMs and AI Come into Play
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Thank you for joining us for today’s webinar exploring emerging trends in cybersecurity. Before we get our topics, begin our topics today, I’d like to turn it over briefly to Mark and Justin to give a brief introduction of themselves and their companies.
Justin: Hi, guys. Nice to meet you. Wyman, Socialgist is the name of my company. I’m the Chief Revenue Officer. We are a provider of open source intelligence. We’ve been doing so for the last 22 years, and I’m excited to be here.
Mark: Hi, I’m Mark Turnage. I’m the CEO and Co-Founder of DarkOwl. We are a company that specializes in the darknet, and specifically in extracting data from the darknet and providing it to our clients and working with partners like Socialgist to provide a broad view of open source intelligence, including that of the darknet.
Kathy: Great. Thank you both. Prior to diving into our topics today, Justin and Mark wanted to take a moment to comment on the Israeli and Hamas conflict happening presently.
Mark: I’m happy to comment. You know, when the conflict broke out on October the 7th, we immediately started looking at content in DarkOwl’s database that was relevant to the conflict, either pro-Israeli, pro-Palestinian, pro-Hamas, and we pretty rapidly triangulated on about 400 Telegram channels that are actively covering the conflict. And we’ve been monitoring those channels throughout, directly ourselves and generating some content which is available on our website, and also supplying that to our clients. And it gives them a different perspective than what you see on the front page of many of the newspapers. I will comment, we published a blog very early in the conflict that noticed that amongst the most prominent Pro-Hamas Telegram channels, they went quiet for several weeks before the attack. Unusually quiet. We don’t have an explanation other than they were distracted, they were planning, they were getting ready, or they had been told to go offline. But we did detect that in the lead up to the attack, there was considerably less activity on those Telegram channels than was normally the case.
Justin: I would say when you see such a horrible thing, it’s really hard to process, especially because in the space that Mark and I occupy, Israel is a big component of it. Technology companies and cybersecurity are founded in Israel all the time. Some of the leaders in the space. So it gave an extra personal feel, if that’s even possible. When you see these types of things, when you know the people that are directly impacted by it at a different level. And then I thought it was comforting to see that we could in some way help with our information, help the helpers, essentially. And Mark, I got to say, I thought the DarkOwl content was fantastic. To help show examples of how OSINT intelligence can help prepare for these types of things and deal with them frankly.
Kathy: Thank you both. Now we will begin with our first topic.
Key Raises in Cybersecurity: Capturing Industry Attention
Justin: So let me talk at a high level. What is happening? If you look at VC and cybersecurity over the last couple of years, it’s declining, which normally I think would be a bad thing if you didn’t realize it was declining from a peak bubble that happened during the pandemic. So you can say things are down 30% from last year, which is down another 30% from last year. It really, honestly, to me just seems to be returned back to normal. You see a lot of companies having some very specific raises, we’ll get into and you’ll see some combinations, you’ll see some coverage. But I think that the cybersecurity industry should feel that there’s been a correction that was due because you’re in a bubble. But now we are in a place where things are normally operating. The space is growing and investment is happening as well.
Mark: Yeah, I’ll just echo Justin. The investment into the cyberspace, go back say three years was just red hot. It was at levels that I didn’t think were sustainable. And oftentimes at valuations that I didn’t think were justified. What has happened as the economy has gone through a fair amount of turmoil over the last year and a half is that those valuations have reset, and the level of investment is what I would normally expect in a pretty healthy sector that is still growing. Overall funding is down. I think it’s down 30% year on year. Valuations are down. The interesting thing is that companies that are still growing and companies that are profitable are still getting healthy inbound investment. Just yesterday, by the way, Censys announced a $50 million raise, a small company out of Israel raised $4 million. I mean the raises come in regularly. They’re not at the valuations that we saw, say 2 or 3 years ago, but they are still happening. And they are particularly happening with very healthy companies.
The other trend, by the way that I’ll mention is any time you have an economic reset, which is what we’re experiencing right now, it forces consolidation in the market. You know, scale matters, size matters, sophistication matters. Go-to-market strategies and the ability to reach your market matters. So whereas before a small startup could have raised successive rounds of value, of money, of capital at ever increasing valuations against, you know, maybe skinny performance – those days are gone and they’re likely to be an acquisition candidate for another company. And we’re seeing this – large companies are pretty active in the M&A market right now as a result.
Kathy: Based on that, a question has come in. What changes do you foresee over the next coming year?
Justin: Let me start with one of the public markets because that leads things. So in the public markets, you’ll see a lot of leading cybersecurity companies up double digits this year, more than the S&P 500. CrowdStrike is a good example. They’re up 70% year to date. As an example, Tesla is only up 80%. Apple’s only up 36%. So that’s not market forces. That’s industry forces of the problem with cybersecurity is growing so rapidly. The things I think you’ll see over the next year would be companies that have a growth plan, getting more funding and moving into new markets. I saw that already with OSINT Combine. There’s a company with a very good Australian presence going to the North American market. Full disclosure, they’re friends of my company and DarkOwl – so maybe we’re a bit biased there.
You’ll see some people getting acquired by PE firms, which is an idea of, again, operational excellence that might be a different component than things, say, in a bubble where instead of doing a PE acquisition, you would raise a bunch of money and see if you could sell and market your way out of it. The other thing I’ve noticed that I think will come is more legitimacy and standardization. Frost and Sullivan has created industry coverage for the first time on a lot of these companies. You’ll see certification tracks coming out of industry organizations like Osmosis. So I see it as a big step forward in the maturity of this space. There’s always startups, there’s always guys in the middle, and there’s always the big guys, and you want to have enough of them to create an ecosystem where you can ultimately meet the consumer need.
Mark: I couldn’t agree more. The way I would have described the cyber security industry two years ago was an awkward teenager. And it’s moving to young adulthood. It’s maturing. It’s growing up. It’s actually starting to understand what its own limitations are and what it can and cannot do. And I would just echo Justin and say, over the next year, we’re going to continue to see consolidation – more and more mergers, more acquisitions. It has always amazed me, just as an aside, that the largest cybersecurity companies in the world still only measure their revenues in single digit billion dollars. Those are the largest. And then it falls off pretty quickly from there. And given the size and importance of the problem, this is an industry that is ripe for what you just identified, Justin, which is growing up, consolidating, becoming more professional, working against known certifications and known standards. And by the way, known regulations because the regulators have arrived.
Justin: Mark, that McKinsey report we’re referencing before about just how breaches are supposed to go up 300% from 2015 to 2025 also noted that to your point about revenue, that the vendors in the space right now make up a 10th of what they think the overall revenue is going to be in the next ten years. So yeah, teenager growing up is a great analogy, meaning there’s just so much. There’s some stability being built in, but there’s still so much more to grow up.
Understanding the Major Players: Who’s Raising the Stakes
Mark: Well, I think in the world of threat intelligence broadly, there are a couple of very large players – Recorded Future comes to mind, Flashpoint comes to mind, Intel 471. There are a bunch of these players. Interestingly enough, every single one of those has been acquired over the last 3, 4 or 5 years by large private equity firms that have, as a strategy, explicitly what Justin was talking about, grow these companies up, make them larger, make them professionalize their operations, give them global scale and global reach. And then below that you’ve got a whole range of companies and these are small- to mid-size. Some of them are just start-ups who are looking at problems from a different angle. And there has been a lot of activity, both in terms of fundraising into those companies as well as acquisition. I mean, one that comes to mind is Maltego. Maltego was acquired by a private equity firm at the beginning of this year, and that’s a well known, well established platform that is used across the industry by a number of different companies and users. And in my view, that was a really smart purchase by the private equity firm. What else is going on Justin that you’re seeing?
Justin: A company I recently became familiar with at a conference was Fivecast. They raised 20 million. They were an Australian based company looking to really expand their sales and marketing into North America. They feel their perception, not mine or based on conversations, that they feel they have their product completeness to the point where it’s time to go see if they can compete against the bigger guys in the space. Now Cobwebs, another huge player in the space, just joined Chainlink. Those are other things I’m seeing.
Another one we were talking about, Mark, is Palo Alto Networks buying Dig this morning as a sign of just a major player adding in a feature capability. So, you know, this is following the classic playbook – where you watch Oracle and Salesforce go after each other and then add on competing bolts. Again, another idea that you have a very well established market that you can operate. If you have operational excellence, you can really succeed.
Mark: Another example of that, by the way, is Proofpoint yesterday announced the purchase of Tessian and we’ll come on to it. Tessian is an AI provider that will significantly enhance Proofpoint’s products. And so you’re starting to see that happen at a pace that I have long predicted. But really I think this economic climate has accelerated.
Harnessing Security Solutions: How Organizations Protect Their Assets
Justin: I’ll start as I always do, with a little bit of data. Fraud is still massive. The biggest issue that every organization is dealing with – it’s coming from social media, it’s coming from internally. I talked a little about this McKinsey report, but again, I’ll say it again because it’s such a massive number. They think that breaches damage is going to increase 300% by 2025. The other one that I looked at was a survey of mid-sized companies suggests that threat volumes will almost double from 2021 to 2022. So that’s 100% growth in one year.
What they’re doing to protect their assets – my concern is with their employees. So I’d love to hear your thought on this, Mark.
Mark: Just a small data point from DarkOwl – we track where visitors to our site go and what pages they dwell on. The most common feature across our website is our fraud webpage and content on fraud. That speaks to the nature of the problem.
I’ll just say two things. One is we are all excited as an industry about AI. We’re excited about new tools, about new capabilities that exist. So are the threat actors. They’re using all of the same tools, all of the same capabilities to actually scale and professionalize their own operations. But, you know, going back to your point, Justin, the biggest threat to many companies continues to be their own employees, whether that’s actual outright fraud or just mistakes that employees make that open up the company to potential attack and fraudulent attacks.
Justin: I believe that was the logic behind the Tessian acquisition is just the amount of people that have exposed their companies by literally emailing the wrong person. That seems to be a problem that should be quickly solved through some proper technology application.
Mark: I mean, I’m amazed. I’m actually amazed. Look, I mean, CEOs are susceptible to this as well. And in fact, I mean, go to any OSINT training seminar and they’ll tell you the most vulnerable people or the easiest to attack are the C-suite, because they’re the ones who are the sloppiest or the least attentive to security. That continues to be the case, but it permeates the entire organization.
Justin: The other thing I’ve heard is that key figures, usually execs, because there’s so much information, that they’re much more easy to manipulate. Voice manipulation takes a lot of samples of data. So the bigger the sample, the easier it is to manipulate the voice is the other thing I would talk about. And then the last one I noticed was people just kind of really trying to do the best they can to understand their supply chains. If employees are people accidentally sending information out. Supply chains are people sending information in, and these are business partners that you rely on your suppliers. So it’s very easy. Those are very weak points in a system to kind of create havoc if you’re not prepared.
Mark: There’s absolutely no question. The pandemic taught us that supply chains matter and supply chain vulnerability is mission critical. And to Kathy’s question of how organizations protect their assets, it’s not only protecting your own assets, but protecting those critical assets of your vendors who are critical to the provision of your product or your services as an organization, which is why you’re starting to see these third party and vendor risk management companies come into their own in terms of their level of maturity, because especially very large, complex organizations need to pay attention to their supply chains.
Addressing the Talent Gap: Scaling with Data Aggregators and Services
Mark: The interesting thing about the talent gap is that the cybersecurity industry for years has complained about lack of talent. I think the statistic I continually hear is something like half a million unfilled cybersecurity jobs worldwide. And that number has held pretty steady for the last number of years. We’re in an environment, though, where many of the companies in our sector are actually laying people off. So how do you square those two contradictory statistics? Well, one way to square them is exactly what Justin said earlier, which is many of the companies that are laying people off were hiring at a clip that was unsustainable just as recently as 2 or 3 years ago. So you’re coming back to a sort of a more normal track. My sense is that there is still plenty of demand in the marketplace for people who have cybersecurity experience, whether it’s developers or product people or otherwise. But yes, there is a gap and I think AI is going to help fill that gap. What do you think about that, Justin?
Justin: I absolutely do. Let’s talk about the two things like data aggregators and services. Start with services because Mark and I have a data aggregation stake in this fight. But on the services component, when I work in the space, what is interesting to me is the people come from all different backgrounds military, private, etcetera. There’s no “you don’t go to school to become a cybersecurity expert.” So that’s a very big problem. But it’s a problem that is being solved, I think. When we were all at OsmosisCon, which is an association of these professionals, they’re creating certifications. They’ve created a conference so people can come and share tips and tricks. And that’s just one of many. So I think it’ll get easier and easier to bring people into the space and give them the certifications that show them that they’re qualified, because right now it really is due to the nature of the sensitivity of the issues and how people come. It’s like, who do you know that you can trust? Which makes sense in the beginning. But over time, you have to figure out how to scale your business. So I see a lot of services being created to help with that.
Then on the data aggregation side. As a data provider technology provider in this space, it’s amazing to me how big the problem is, right? These people are searching for needles in haystacks and the haystacks are growing, and so the only way you can solve them is through aggregation. And that’s basically at any point in the value chain. So if you’re creating a piece of software that allows analysts to hunt for threat actors, well, you’re probably going to use data from many different sources because the haystack is too big for you to do it yourself. Then if you’re actually looking and searching and doing the analysis on top of the data, these tools will allow you to search more efficiently. If you go back to Mark’s Telegram example about things going silent before an attack, as these technologies get better, you know you won’t have to go, “Huh? Why are these silent?” These things will go, hey, there’s an interesting activity here. The volume of these things has really dropped off. Why? And that’s a way that people will be able to not only look in the haystack more broadly, but faster, have things suggested to them. So I think ultimately the space will be fine. Again, I can’t stress this enough, we are coming off a bubble, and that generally means people aren’t behaving how they should behave. And so to correct that, you have to lay some people off. But now that we’ve had this baseline, people go back to building their businesses most based off of the value they provide in the market. And as we’ve shown, the value is only growing, meaning the threats are only increasing dramatically.
Kathy: Based on that, we’ve had a question come in: We have seen a lot of layoffs in the space recently. And can you address how this does affect the talent gap?
Justin: Positive half glass full spin would be – when you have layoffs in an industry where it’s growing, it’s because those people are in a place where they weren’t effective. They weren’t doing the things that needed to be done to keep the business on its goals. So when you take an experienced person and you separate them from a business that no longer needs them in a growing space, they should be deployed in a better space where they are more impactful. Right. This is the efficiency of markets happening. So I think these gaps will take the people that were places where they weren’t as useful and put them in places where they will be much more useful and create a world where they’ll be, again, more coverage.
Mark: Not to disregard the dislocation that necessarily occurs when that happens, if you’re the individual who’s affected, it can be quite difficult. But I agree with Justin that on aggregate we’re not seeing employment in the cyber space decline. It still continues to increase.
Pioneering the Use of AI: How do LLMs and AI Come into Play
Mark: The big issue that both Justin and I have discussed in the past is anytime you bring an end to a problem, it needs a data set to sit on, to learn, to learn that problem in order to be effective. And so what becomes the most critical in that is the data we aggregate – darknet data. Socialgist aggregates open source data across a variety of different platforms. Those data sets become extremely valuable and extremely important in the application of an LLM to address or learn about a specific problem. And you know, in the case of DarkOwl, I can speak to that, our data set has been aggregated over 5 or 6 years. That’s not something that you can just recreate overnight. If you’re a new company coming into this space or somebody looking to utilize AI, the same I’m sure is true for Socialgist. So it’s a very interesting insight into the power of the underlying data that any organization has in terms of addressing the problem via an LLM.
Justin: And I totally agree with everything Mark just said. I think the other thing to think about is, how much easier it is to get things out of the data value, out of the data with LLMs, and how in general, the biggest thing you’re going to see in the software world, the biggest constraint is going to be software engineering capacity. Every company in the world wishes they had more software engineers because it’s hard to do things like connect a data set into an analytics platform. It’s very technical work. These engineers now are doing work 40% faster, so it’ll be easier to make progress and solve problems when you put these types of applications together. What that should mean is that you should have in the long run, and again, marginal like dislocation is hard and things need to change and we have to cross the chasm and all these sayings, but what we’re really talking about is in the long run, things should get cheaper with technology and things should also get better. So the data sets that we ship to our clients that are working very hard to get incredible data out, get incredible insights out of it, should be able to get insights out of it faster and better and cheaper because they need fewer engineers. And then the tools to analyze these data sets should only get more powerful as well. I really see there will be an area where, you know, there’s different segments in our space, right? There’s the people that are at these big companies, and they have all the budgets in the world, and they have the fanciest tools, and there’s people below that, and there’s people literally using their cell phones to track people doing medical research. Those people should get increasingly better tools that will make them much more effective. So we’re talking about the capability of people with less budget getting much more effective, which I think really creates a much better world.
With the caveat that the other guys have it too. So there’s always a push and pull, but I see a lot of positive headwinds in the long run with AI.
Mark: I mean look, you know it’s going to increase, as Justin said, productivity per worker significantly. And the comment that I heard recently in a conference was, you know, AI will be tremendously dislocating of many types of employees and many types of groups, but the world’s going to divide itself into two camps. Those people who know how to use AI to make themselves more productive and those who don’t. And that’s the digital divide that we’re actually hurtling towards. I’m deeply optimistic, personally, about what I can do across multiple different fields, but starting with our own field in cybersecurity – I’m very optimistic about it.
Kathy: We’ve had another question come in and an attendee is interested to know “Will DarkOwl and its peers sell their data sets to companies?”
Mark: Good question. We’ve been approached by a couple of companies, and we’ve done our own early work on putting an LLM onto our own dataset. I suppose I should put on my businessman’s hat and say it depends on the price. Yes, it depends on the price. But it’s not something that we’re going to do loosely or without a lot of thought. Because once that data is out there under somebody else’s LLM, obviously the data is available to whoever has access to that platform.
Justin: It depends, I think is a good answer. I think the thing to understand about perhaps my company, Mark’s company, is like, you know, our mission is to extract information from the world’s online conversations and if you can help us with that mission, because we’re very serious about it for the reasons we’ve discussed throughout this whole thing, we’re seriously going to talk about it. Now, there’s sometimes choices that make decisions. There’s sometimes choices that make that not the case. And there’s always a lot of nuance. But at a high level, if you help us with our mission and the business makes sense, then that would seem something that should happen. But also, Mark, you touched on a really interesting point of, you know, I do think data companies like ourselves are also going to explore training with our own LLMs too, to have the full picture. So I think the key is as long as LLMs capability is used on these data sets to make the world a better place, we’re for it. The machinations, I don’t know. There could be a world where two data providers do one together, etcetera, but the technology should make the data more useful, and that is our goal.
Mark: I will point out we’re in discussion right now with our first client who wants to put one on a subset of our data. It’s exciting.
Disclaimer: DarkOwl analysts do not endorse any of these marketplaces or offerings and have not confirmed legitimacy of any of these sites. This information is provided for awareness only and has not been independently verified.
Introduction
This Halloween season, DarkOwl analysts decided to delve into some of the scary things that are available for purchase on the dark web. The dark web is well known for dealing in illicit goods such as drugs, counterfeit goods, and hacking tools as well as leaked data. But there are also sites out there which claim to be selling goods that are a bit more gruesome and creepy…
This blog explores some of the weird and scary things we have found being sold on the dark web.
Warning: This blog contains images some may find distressing.
Organs For Sale
A number of sites have been identified on the dark web that claim to be selling human organs. DarkOwl analysts have seen both stand-alone sites selling these as well as individual postings on marketplaces. In the image below, we can see a stand-alone site which offers organs for transplant and claims to provide shipping worldwide.
The image below shows examples of the items offered for sale, ranging from hearts and kidneys to livers. The site claims that the organs remain viable for one year, which is scientifically impossible. There is no indication on the site of how the organs are transported, or how the purchaser is expected to transplant them, as no medical help is provided. They do, however, provide a money-back guarantee.
The cryptocurrency address associated with this site has received a total of 0.61955435 BTC, which equates to around $34,000 depending on the conversion rate, although the address currently has a balance of 0. Most of the transactions that have taken place have been for $100-200, far below the asking prices on the website. So it is unlikely that they have actually sold the items they are advertising, or at least not at the prices shown above.
It is doubtful that this is a legitimate offering: DarkOwl analysts have observed the same images being used on multiple sites, which may indicate that they are stock images and that this is a scam. The claim that the organs will survive a year is also suspicious.
It is also unclear from the sites we have reviewed, if they are legitimate, where these organs are sourced from. There is the potential that this could be linked to criminal activity such as human trafficking or the black-market trade in organs.
Another site we identified is more specific about the locations that they are able to export organs to and also indicates that they will provide medical expertise to assist with the transplant. It is worth noting that this particular dark web site is not currently active.
“Human” Meat
Perhaps the “creepiest” site we found was one that advertises the sale of human “meat” for consumption – “For those with taste.”
The site states that eating human meat is not immoral as long as you haven’t killed to get it. Although they don’t directly state where the meat is sourced from, they suggest it comes from road traffic accidents and morgues.
The site also gives information about where they will export the “meat” to and suggests that everyone should taste human meat at least once. They offer a range of “cuts” as well as organs, which can be sent to Europe, Asia, and Africa.
DarkOwl has no evidence as to whether this offering is legitimate or not. We do not suggest trying to order.
Hitmen
It has been widely reported previously that hitmen are available for hire on the dark web. Although it is never clear if the sites are legitimate or not, there have been examples where they have been proved to be true and murders or attempted murders have taken place.
One such example of hitman services being offered was identified by DarkOwl. The Mexican Mafia claim to offer the following services in their own words:
Death by shoot and drive away
Death by making it look like accident or robbery gone wrong
Death by sniper
Beating
Arson
Guns
They offer proof that they are legitimate by posting the names of individuals they claim to have murdered in multiple jurisdictions. No further research was conducted to substantiate this claim, and it is possible they could have taken stories from the media and claimed them as their own.
Conclusion
The dark web holds many secrets, some of which can be gruesome. At this time of year they can seem like “tricks”; we are unable to confirm whether any of the things mentioned in this blog are legitimate or not, but either way they are creepy for spooky season.
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and does not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.
Introduction
Defacement attacks involve the unauthorized modification or vandalism of a website or web application. They typically alter the website’s content, appearance, or functionality, and the primary goal is usually to display a message or image on the targeted site in order to spread a message or agenda, drawing attention to the attacker’s cause or skills.
It’s important to note that defacement attacks are just one form of cyberattack, and they usually don’t involve data theft or damage to the website’s infrastructure. However, they can still have a significant impact on the website’s reputation and the trust of its visitors, and they serve as a channel for voicing political messages.
As the events in Israel and Gaza have unfolded, defacements have been a common technique used by cyber actors to target opponents. Here we examine some of the groups conducting these attacks and the victims.
DragonForce Malaysia
DragonForce Malaysia is a pro-Palestinian group located in Malaysia. The group are active on social media with accounts on Telegram, Twitter and Instagram. They also have their own website and forum where they detail their activities.
Historically the group have primarily conducted distributed denial-of-service (DDOS) and defacement attacks, and this pattern is being replicated in response to the October 07 attack on Israel. However, they have also been seen to use other exploits.
Since the beginning of the conflict, DragonForce have mounted defacement attacks against approximately 125 websites with .il domains. There does not seem to be a pattern to the websites that are targeted other than their affiliation to Israel, although multiple Op names have been used on their various defacement messages. As shown below they have also used their defacements to encourage other hackers to join their cause.
Their Telegram channel has also been used to highlight other attacks that they have conducted, including a claim to have accessed the “Israel Telephone system Management,” as well as other Israeli telcos. Samples of the data have been posted on their Telegram channel. They are also sharing leaked databases, as seen in the image below.
Cyb3r_Drag0nz_Team
Similarly to DragonForce Malaysia, the Cyb3r_Drag0nz_Team is a pro-Palestinian group which has been actively creating defacements since the beginning of October. However, they appear to have cast a wider net in terms of who they are targeting, with a number of US victims in the education space as well as victims in other countries, including Israel.
As well as providing details of the group in their defacement message, they also supply the usernames/aliases of individuals who have assisted in the attack, as shown below. They also provide details of their Telegram and Twitter accounts.
This highlights the fact that groups which conduct defacement attacks are usually looking for notoriety and often are active on social media in order to publicize their actions. This group have conducted defacement attacks against approximately 157 websites since October 08, 2023, as of the writing of this article.
The Telegram account of this group has been used to promote the defacements it has conducted; this appears to be the main activity that they conduct although they have also released leaked information purporting to contain Israeli citizen data. This underscores that with this conflict normal citizens are being targeted as well as governments and military organizations.
X7root
This group has also conducted defacement attacks against Israeli websites, including kdh.org.il, the site of the Jewish Burial Society; this defacement appears to still be active. The defacement message also includes an image from the Holocaust, likely chosen to cause as much offense as possible. The image is not included here, but the accompanying message is shown below.
Little is available about this group, but they do also have a Telegram channel which has previously been used to sell exploits and requires a $90 subscription fee. However, recent posts on the channel have been anti-Israel in nature and provide details of the websites which have been defaced. In posts made on Telegram the user states that he is Arab and shows support for individuals in Gaza. The user is using the #OpIsrael hashtag, which has been used by many pro-Palestinian groups.
Conclusion
Defacement attacks are not a new technique, but they can become particularly effective in times of conflict, as they were in Russia and Ukraine, as a way to share the attacker’s message. The majority of defacement attacks that we have observed have been conducted by pro-Palestinian groups, but pro-Israel groups are also conducting cyberattacks. Defacements are a powerful tool for hacktivist groups seeking to use their skills to share a message.
Defacements are in some ways unique in that they seek to publicize the actors behind them, their views and their activity. Therefore, they are more prominent and easier to detect than some other attacks and usually less destructive as they do not tend to affect the underlying infrastructure. As hacktivists seek to take a stand, they differ from the more traditional cyber espionage which seeks to stay in the shadows, but it is very likely those attacks will escalate in the coming months.
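The introduction describes what a defacement changes on a site (replaced content, an injected message or image) and the conclusion notes that such changes are comparatively easy to detect. As an added example that is not DarkOwl’s code or that of any group described here, the following Python monitor compares a page against a known-good baseline and reports the newly injected visible text and any newly referenced external hosts, which is how a site owner would catch the typical “hacked by” banner with links to the attacker’s Telegram channel; all HTML and hostnames in it are constructed.

```python
# Defacement detection by content-integrity comparison (added example, not
# DarkOwl code): a known-good baseline is compared with the live page to flag
# replaced visible text and injected hosts. All HTML/hostnames are constructed.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageModel(HTMLParser):
    """Collects visible text fragments and the hosts a page references."""
    def __init__(self):
        super().__init__()
        self.text, self.hosts, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # script/style bodies are not visible text
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative links
                if host:
                    self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            data = re.sub(r"\s+", " ", data).strip()
            if data:
                self.text.append(data)

def model_page(html):
    parser = _PageModel()
    parser.feed(html)
    parser.close()
    return parser

def fingerprint(html):
    """SHA-256 of the normalised visible text; unchanged by whitespace edits."""
    return hashlib.sha256(" ".join(model_page(html).text).encode()).hexdigest()

def check_page(baseline_html, current_html, allowed_hosts=()):
    """Compare the live page with its baseline and report what was added."""
    base, cur = model_page(baseline_html), model_page(current_html)
    known = set(base.text)
    return {
        "changed": fingerprint(baseline_html) != fingerprint(current_html),
        "new_text": [t for t in cur.text if t not in known],
        "new_hosts": sorted(cur.hosts - base.hosts - set(allowed_hosts)),
    }

# Constructed samples: a benign baseline and a defaced version of the same page.
BASELINE_HTML = """<html><head><title>Example Library</title>
<script>var x = 1;</script></head><body><h1>Example   Library</h1>
<p>Opening hours: 9-17</p><a href="/catalogue">Catalogue</a></body></html>"""
DEFACED_HTML = """<html><body><h1>Hacked by CONSTRUCTED-GROUP</h1>
<img src="https://attacker.invalid/banner.png">
<p>Join us: <a href="https://t.example.invalid/channel">channel</a></p></body></html>"""
```

Running `check_page(BASELINE_HTML, DEFACED_HTML)` reports the injected banner text and the two new hosts, while a cosmetic whitespace-only change to the baseline leaves `fingerprint()` unchanged, so routine template edits do not page the on-call team.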
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.