The semiconductor industry powers everything from computing and artificial intelligence to defense systems and the Internet of Things. Given its strategic importance, it has become a prime target for cybercriminals, nation-state actors, and ransomware groups—many of whom operate across the darknet.
On these hidden networks, adversaries trade stolen intellectual property, zero-day exploits, and even sell access to compromised enterprise environments. This blog explores how these darknet-enabled attacks unfold.
Why Semiconductor Companies Are Prime Targets
Semiconductor companies design, manufacture and sell the chips that are essential to modern electronics. A semiconductor is a material, typically silicon, whose electrical conductivity lies between that of a conductor and an insulator. Chips built on these materials power everything from smartphones and laptops to cars and medical equipment. Because of this importance, semiconductor companies are targeted for a range of reasons and in a range of ways.
Advanced chip designs and fabrication techniques are worth many millions, so these companies are frequently targeted by advanced persistent threat (APT) groups seeking to steal intellectual property. Governments also seek to control semiconductor advances for technological and military superiority, which leads to targeted cyberespionage campaigns.
Because of the components they require, these companies rely on a complex global supply chain made up of many different companies and providers. Every link in that chain is a potential point of compromise: the SolarWinds and Kaseya attacks showed how a vulnerability in a single third party can lead to broad downstream compromise.
Given the high cost of production downtime, attackers use ransomware and wiper malware to extort payments or cripple manufacturing facilities, whether the goal is to damage critical infrastructure or simply to extort companies with deep pockets.
How Semiconductor Firms Are Targeted on the Darknet
Threat actors can use multiple tactics to infiltrate semiconductor companies and their supply chains. Some of their activities take place on the dark web.
Darknet Markets for Stolen Data & Initial Access
Darknet forums and markets such as RAMP, Genesis Market (before its takedown), and BreachForums offer compromised credentials, session tokens, and MFA bypass methods for employees in the semiconductor sector, sold to the highest bidder. The sellers are commonly known as initial access brokers (IABs).
IABs often sell pre-compromised RDP, VPN, and Citrix credentials, giving ransomware groups a ready-made foothold in corporate networks.
Ransomware Attacks on Semiconductor Manufacturers
Semiconductor companies are not immune to ransomware attacks; few organizations are these days. If anything, they are enticing targets because of their value and the technology they handle. As in any other ransomware attack, data is exfiltrated before encryption, in this case including sensitive chip designs, and the attackers threaten to leak it unless a ransom is paid. Ransomware groups such as LockBit, BlackCat (ALPHV), and RansomEXX have been observed targeting semiconductor firms.
Zero-Day Exploits and Vulnerability Markets
A zero-day vulnerability is a security flaw in software or hardware that is unknown to the technology owner, so no patch or fix is available when it is first exploited. Zero-day vulnerabilities in ICS/SCADA systems, firmware, and chip toolchains can be sold on the darknet and in private Telegram channels. Such sales are rare, and these vulnerabilities command very high prices, especially when they target critical infrastructure.
Nonetheless, firmware vulnerabilities in semiconductor manufacturing equipment, particularly ASML lithography systems and ARM-based architectures, are reported to have been exploited in targeted attacks.
Supply Chain Infiltration and Hardware-Level Attacks
Threat researchers have identified instances where adversaries embed malicious firmware in chips before deployment. This has been a major concern for critical infrastructure sectors that may be relying on compromised semiconductor components. Attackers have also been known to compromise EDA (Electronic Design Automation) tools and semiconductor manufacturing software, injecting backdoors into fabricated chips.
Darknet Recruiting and Credential Stealing
Posts on darknet forums offer cryptocurrency payment for insider access or data leaks from semiconductor firms. Infostealer malware such as RedLine, StealC, and Raccoon is widely used to harvest credentials, which are then resold and used either to target the semiconductor companies' employees directly or to pivot through their supply chain.
Real-World Attacks on Semiconductor Companies
Several semiconductor firms have suffered high-profile cyberattacks in recent years, reinforcing the urgency of darknet threat monitoring.
NVIDIA Breach (2022) – Lapsus$ Group
The group stole proprietary GPU source code and designs, employee credentials, and code-signing certificates that were later used to sign malware.
TSMC Supplier Breach (2023) – LockBit
LockBit claimed TSMC data after compromising a third-party IT supplier, exposing sensitive business data, and demanded a $70M ransom.
Intel & AMD Firmware Leaks
Engineering documentation and firmware signing keys have leaked on underground forums.
A valid signing key lets an attacker pass the platform's firmware signature checks, which is what makes such leaks usable for BIOS- and firmware-level rootkit attacks.
Strategies to Mitigate Darknet Threats
Semiconductor companies need proactive cybersecurity measures to mitigate darknet-driven threats. These companies and their partners should monitor the darknet to track mentions of company assets, stolen credentials, and exploit chatter. They should also actively monitor initial access brokers, ransomware leak sites, and private forums for early indicators of compromise. DarkOwl data can assist in conducting this monitoring and alerting on identified threats.
Conclusion
As semiconductor firms continue to drive technological progress, they will remain top-tier targets for darknet cybercriminals and state-sponsored attackers. A multi-layered security approach, incorporating darknet monitoring, access control, supply chain security, and proactive threat hunting, is crucial to mitigate evolving cyber threats.
By understanding how attackers operate on the darknet, semiconductor companies can stay ahead of threats, safeguard intellectual property, and ensure business continuity in an increasingly hostile cyber landscape.
DarkOwl, a leading provider of darknet data and intelligence, and Halo Security, a leading attack surface management platform, today announced a strategic partnership. This collaboration will empower Halo Security’s customers with enhanced visibility into the dark web, providing critical insights into potential threats and vulnerabilities that their customers could face.
Through this partnership, Halo Security will integrate DarkOwl’s dark web monitoring and intelligence capabilities into its platform. By leveraging DarkOwl’s industry-leading darknet intelligence platform, organizations can gain unparalleled visibility into malicious activities occurring on the deep, dark, high-risk webs as well as on darknet adjacent sites. This will enable cybersecurity teams to identify exposed assets, leaked credentials, and other high-risk data circulating in dark web forums, marketplaces, and communication channels — all in one place.
“At Halo Security, we’ve always approached cybersecurity from an attacker’s perspective,” said Lisa Dowling, CEO at TrustedSite. “Our partnership with DarkOwl extends this approach by bringing visibility into areas where attackers congregate, plan, and share information. We’re excited to offer our customers this critical intelligence within a single, actionable platform.”
Mark Turnage, CEO and Co-Founder at DarkOwl echoed this excitement, “We’re thrilled to partner with Halo Security to provide dark web intelligence directly within their attack surface management platform. The combination of Halo Security’s proactive approach and our deep dark web insights will give cybersecurity teams the edge they need to identify and neutralize threats faster than ever.”
The integration will provide real-time alerts and detailed threat analysis, helping organizations to proactively mitigate risks and strengthen their overall security posture. With this enhanced capability, Halo Security users will have access to valuable insights, such as compromised credentials, insider threats, and emerging attack tactics, all sourced directly from the dark web.
Meet Halo Security and DarkOwl at RSA
Halo Security will be at DarkOwl’s booth at RSA on Wednesday, April 30th, 2025, from 1:30 PM to 3:30 PM at Booth #4604. Visitors can experience a live demo and learn more about how this partnership will enhance their cybersecurity operations.
About Halo Security
Halo Security is a comprehensive attack surface management platform that provides asset discovery, risk assessment, and penetration testing within a single, easy-to-use interface. Founded by cybersecurity experts with experience at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security offers a unique, attacker-based approach to protecting modern organizations. Learn more at halosecurity.com.
About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.
On January 6, 2021, supporters of President Donald Trump stormed the United States Capitol in an effort to prevent the certification of President Joe Biden’s 2020 election victory. In the lead up to Congress’ joint session, President Trump repeatedly made unfounded claims of voter fraud and, in a January 6 speech, encouraged his supporters to march towards the Capitol building and to “fight like hell.” Shortly thereafter, a crowd wielding flags and weapons gathered at the Capitol, quickly outnumbering police and starting a riot. Protesters forced their way into the Capitol building, breaking through doors and windows, and began to search for members of Congress and then-Vice President Mike Pence. As the riot continued, President Trump criticized Vice President Pence for presiding over the certification of the election; rioters were heard chanting “hang Mike Pence.”
While the violent mob’s efforts to undermine the election certification were ultimately unsuccessful, approximately 140 law enforcement officers were injured in the attack and five people died during and soon after the riot. Following the attack, the Federal Bureau of Investigation launched the “largest criminal investigation in U.S. history” looking into the siege, which it identified as an act of domestic terrorism. As noted by NPR—which tracked all federal criminal cases pertaining to the attack—the FBI estimates that “around 2,000 people took part in criminal acts on Jan. 6.” In total, 1,575 individuals were charged. Among these were individuals with ties to far-right domestic extremist groups, including the Three Percenters, Proud Boys, and Oath Keepers.
On January 20, 2025, the first day of his second term, President Donald Trump issued “complete and unconditional pardon to all […] individuals convicted of offenses related to events that occurred at or near the United States Capitol on January 6, 2021.” The order specifically named nine members of the Oath Keepers and five members of the Proud Boys—among them, Stewart Rhodes, the founder of the Oath Keepers who was sentenced to 18 years in prison. Since the pardoning, the previously publicly available dataset detailing convictions of January 6 rioters has been removed from the Department of Justice’s (DOJ) website. A complete database detailing all January 6 criminal cases remains available on NPR’s website.
Since the January 20 pardoning, DarkOwl has observed violent rhetoric and conspiracy theories circulating within January 6-affiliated online groups (including those linked to the Proud Boys and Oath Keepers). This blog will explore the frequency and type of rhetoric observed on the surface, deep, and dark web as it pertains to the pardoning of the January 6 defendants.
J6 Community’s Online Ecosystem
Analysts have observed an extensive online community consisting of individuals indicted and/or sentenced for the January 6 (J6) attack, their family, and J6 apologists. Dozens of Telegram channels are dedicated to sharing J6-related news and updates, including information about releases and the few who remain in prison. The J6 Telegram landscape also consists of channels belonging to J6 defendants who have been released and are now sharing their stories, spreading mis- and disinformation, and corralling support for the few January 6 defendants who have not yet been released. Many of these individuals have also been observed calling for retribution through investigations into, and prosecutions of, the “criminals walking free who did this.” While many J6-related Telegram channels have dozens or hundreds of followers, others have as many as 10,000, reflecting the scale of the community and the extent of its reach.
Additional activity has also been identified on surface web video-sharing platforms, particularly Rumble, which remains especially popular among right-wing creators and is often referred to as “right-wing YouTube.” Some channels on Rumble are exclusively dedicated to J6 news; however, prominent content creators—some with nearly 200,000 followers—are also providing J6 defendants with a platform. Multiple J6 defendants—among them, Stewart Rhodes, founder of the Oath Keepers—have been invited to popular Rumble channels as special guests since their pardoning, where they actively shared mis- and disinformation and claimed that the FBI “manufactured narratives” regarding the January 6 attack. Henry “Enrique” Tarrio—former head of the Proud Boys—was also interviewed by Sean Spicer on his YouTube channel, where similar misinformation was shared. Both Rhodes and Tarrio had been convicted of seditious conspiracy for their roles in the January 6 attack.
Similar activity has been observed on other surface web social media platforms, most notably Twitter. In posts observed following the pardoning of the January 6 defendants, pro-J6 Twitter posts frequently received even more views than those on Telegram. The reach of these posts is consistent with the increase in harmful and extremist content seen on the platform since it was acquired by Elon Musk in 2022. Some Telegram channels made by and tailored to J6 defendants were also found to have matching accounts on Twitter.
Rhetoric Observed Post-J6 Pardons
Following the Trump Administration’s pardoning of those indicted for the January 6 attack, analysts observed a wide variety of rhetoric, including continued efforts by J6 supporters to release the remaining prisoners, extensive conspiratorial rhetoric, calls for retribution, and—in some cases—calls for violence against the federal employees who investigated the attack on the U.S. Capitol.
Notably, J6 participants and supporters on the surface, deep, and dark web—from Telegram to Twitter—are coming together to call for the release of the few remaining rioters who are in prison. Emboldened by the administration’s pardons, numerous Telegram channels and Twitter accounts appear to be intensifying efforts to release the remaining J6 defendants. Many channels and accounts make nearly daily posts encouraging supporters to call President Trump, U.S. Attorney General Pam Bondi, and other officials within the Trump Administration to request the release of the J6 “hostages.” Several of these accounts are administered by recently pardoned J6 defendants who, in addition to calling for the release of all J6 defendants, are also encouraging those who have been pardoned to share “testimonial videos” to “expose the truth.”
Conspiracy theories are at the heart of many of these discussions being held in J6 communities on the surface, deep, and dark web. The overarching, unfounded conspiracy theory observed across multiple platforms is the belief that the January 6 attack was orchestrated by the U.S. government. J6 supporters have been observed referring to the attack as the “J6 Fed-surrection,” and have shared conspiratorial articles claiming that FBI agents participated in the insurrection. One of the posts sharing this unfounded claim on Twitter gained 170,000 views, reflecting how this type of misinformation is gaining traction and becoming a part of the dominant discourse.
These conspiracy theories have further fueled J6 campaigns for retribution, as notably observed in a January 30, 2025 Telegram post calling for the creation of a “J6 Taskforce” intended to “document the abuses of power and overreach demonstrated by the justice department, DC jail, DC courts, and Bureau of Prisons.” The post discussed a letter sent to President Trump to request such a taskforce, which would specifically be composed of “J6ers, J6 family members and advocates.” Indeed, DarkOwl has observed a pattern of J6 supporters interested in participating in the administration of “justice” against those who they believe have wronged them. Immediately following their release, both Stewart Rhodes and Enrique Tarrio vowed retribution and called for the prosecution and imprisonment of those who investigated the January 6 attack or testified against them.
The majority of the rhetoric observed by DarkOwl in J6-affiliated Telegram channels since the pardons has not been violent in nature. This is not to say, however, that there has been a total absence of concerning or violent rhetoric. In response to articles about the House Select Committee on the January 6 Attack, DarkOwl saw Telegram users calling for acts of violence against those who participated in the committee. One user suggested “send Luigi [Mangione] to [their] homes,” while another added: “could always just have them ‘commit suicide.’”
Significantly, there appears to be even more violent rhetoric directed at the J6 Committee on Twitter than on Telegram. In response to a tweet sharing an article about unfounded claims that the FBI participated in the January 6 attack, numerous individuals called for violence against the mentioned FBI officials. Users in the comment section mentioned firing squads and hangings, with one individual making an indirect threat by encouraging “traitors and liars” to “RUN!!” DarkOwl also located instances of similar rhetoric on Rumble, where users insisted on prison or the death penalty for “the entire J6 committee, Schiffs of the World, Fauci’s, Bill Gates, etc.” This language is consistent with the type of rhetoric that has been observed since the results of the 2024 presidential election, with individuals specifically calling for violence against former members of the Biden Administration.
Conclusion
Ultimately, the network of J6 participants and supporters online—both on the surface and dark web—remains extensive and robust. It is a community characterized by the active propagation of conspiracy theories, misinformation, and disinformation. Perhaps more importantly, however, it is a collective of individuals bound by anger and a desire for retribution, as is evidenced by repeated calls for vengeance, whether through prison sentences or executions.
Research across these J6-related online spaces—whether on Telegram, Twitter, Rumble, or others—reveals an overarching sentiment: the veneration of those convicted for participating in the violent attack on the U.S. Capitol. The defendants are portrayed as heroes—a misrepresentation that is only further bolstered by the administration’s pardons and President Trump’s description of the rioters as “patriots.” Based on the rhetoric seen across numerous platforms, the J6 community’s goals appear clear: release the remaining prisoners and push for the persecution of members of the J6 Committee. Whether or not—and how—the group is able to achieve the latter, however, remains unclear.
Happy April Fools’ Day, friends! Instead of the usual prank-filled antics, I decided to take my curiosity to the next level. Last night, armed only with coffee, bravery, and an excessive number of browser tabs open, I ventured deep into the legendary—and mysterious—dark web.
Spoiler Alert: I survived…barely!
Hour 1: Preparation and Anticipation
To access the dark web, you need something called the Tor browser, which claims to protect your identity online. I downloaded it, feeling like a hacker from an ’80s cyber-thriller movie. For added protection, I wore sunglasses indoors (obviously) and put my browser window in Incognito mode (because double anonymity cancels out, right?).
Hour 3: Lost in the Rabbit Hole
I quickly discovered something unexpected. Rather than finding shady websites selling counterfeit unicorn tears or alien secrets, I stumbled into endless forums discussing whether pineapple belonged on pizza. Seriously? This is the stuff they hide from Google? It turns out the real conspiracy here might be pizza toppings!
Hour 6: Finally, The Dark Side
Navigating deeper, I found some genuinely bizarre markets offering everything from invisibility cloaks (sadly, “out of stock”) to jars labeled “authentic air from Area 51.” I placed an order immediately, naturally, paying in cryptocurrency—specifically something called “FoolCoin,” which suspiciously crashed right after my purchase.
Hour 12: I’m Being Watched
Paranoia began creeping in as I visited a chatroom where users communicated exclusively in cat emojis. I attempted to blend in, carefully selecting 🐱🐱🐾🐾, which was apparently a deeply offensive phrase. I was promptly banned.
Hour 18: Surprising Discoveries
Contrary to my expectations of black market dealings and illicit hacking tips, the deepest corners of the dark web were mainly populated by lonely people sharing their poetry about existential dread and asking for dating advice.
Also, there was a surprising lack of actual darkness—most sites had a retro neon vibe. (The 1990s want their animated GIFs back.)
Hour 23: Reality Check
Suddenly, a chat message popped up on my screen:
“We’ve been expecting you.”
My heart raced. This was it, my dark web initiation—or my undoing. Before panic set in, another message followed:
“Just kidding! April Fools’! Want to buy more FoolCoin?”
I’d been played. And it was glorious.
Hour 24: Reflection
As my dark web adventure concluded, it struck me that perhaps the greatest mystery isn’t what’s lurking in these hidden corners of the internet. Maybe it’s why we’re so fascinated by them in the first place.
Or maybe it’s still the pineapple-on-pizza debate. Honestly, it’s probably that.
Disclaimer: This post was entirely fictional—no actual dark-web diving took place. Or did it? 😉
Happy April Fools’ Day!
(Seriously, though…) Stay Cyber Safe!
Jokes aside, the Dark Web poses real security risks. Here’s your actual cybersecurity advice to take away today:
Be wary of unsolicited emails and unfamiliar links.
Use two-factor authentication (2FA) to keep accounts secure.
Regularly update your passwords and avoid reusing them.
Stay informed, stay vigilant, and when in doubt, trust no one, except maybe your trusted cybersecurity friend.
Happy April Fools’ Day from DarkOwl. Remember, cybersecurity doesn’t have to be scary, even if the Dark Web sometimes is.
Stay safe, and may your passwords be as mysterious as today’s blog!
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. This Data Could Destroy The FBI—Russian Crime Gang Warns Kash Patel – Forbes
In a February 25 post on their dark web leak site, the Russian ransomware gang LockBit claimed to have stolen data from the Federal Bureau of Investigation (FBI). The post directly addresses new FBI Director Kash Patel and claims that the ransomware gang has “an archive of classified information” that would “negatively affect the reputation of the FBI [and] destroy it as a structure.” The message prompts FBI Director Patel to contact LockBit personally in order to gain access to the password-protected file included in the post. Read full article.
In a March 24 press release, INTERPOL announced the arrest of 306 suspects and the seizure of 1,842 devices as part of the INTERPOL-led operation “Red Card,” which aims to “disrupt and dismantle cross-border criminal networks.” The arrests were carried out in Benin, Côte d’Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia. Operation Red Card, which took place between November 2024 and February 2025, specifically targeted “mobile banking, investment, and messaging app scams,” which involved more than 5,000 victims. Article here.
3. X hit by ‘massive cyberattack’ amid Dark Storm’s DDoS claims – Bleeping Computer
On March 10, X (formerly known as Twitter) suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the distributed denial-of-service (DDoS) attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages. Read more here.
4. Ukrainian military targeted in new Signal spear-phishing attacks – Bleeping Computer
In a March 18 bulletin, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of numerous cases of targeted cyberattacks against employees within Ukraine’s defense industry and members of the Armed Forces of Ukraine (AFU). According to the report, in March 2025 threat actors were observed using compromised Signal accounts to distribute malware. The phishing messages contained a PDF and an executable file classified as the DarkTortilla cryptor, “which, when launched, decrypts and executes the remote access trojan Dark Crystal RAT (DCRAT).” Read here.
5. Police arrests suspects tied to AI-generated CSAM distribution ring – Bleeping Computer
In a February 28 press release, Europol announced the arrest of 25 suspects who were part of a criminal group “engaged in the distribution of images of minors fully generated by artificial intelligence.” The global operation—dubbed “Operation Cumberland”—was led by Danish law enforcement and involved authorities from 19 countries. In addition to the 25 arrested suspects, the operation also identified 273 suspects, conducted 33 house searches, and seized 173 electronic devices. Learn more.
6. Cyberattack takes down Ukrainian state railway’s online services – Bleeping Computer
On Sunday, March 23, Ukraine’s national railway operator Ukrzaliznytsia was targeted in a “systematic, complex, and multi-level” cyber-attack. The attack disrupted the company’s online services, preventing users from purchasing tickets. Railway operations themselves were not impacted by the intrusion, however the hit to online systems resulted in long waiting times, delays, and overcrowding. Read full article.
7. Vo1d Botnet’s Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries – The Hacker News
According to researchers at XLab, nearly 1.6 million Android TV devices have been infected with a new and improved variant of the Vo1d malware botnet. 226 countries have been targeted in the campaign, with Brazil, South Africa, and Indonesia accounting for the largest number of infections (24.97%, 13.6%, and 10.54% respectively). XLab has been tracking the campaign since November 2024, and has reported that the botnet peaked on January 14, 2025. The new variant currently encompasses 800,000 daily active IP addresses. Read full article.
8. BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse – The Hacker News
Over 1 million devices have been impacted in a fraud operation dubbed “BADBOX 2.0,” an expansion of the previous BADBOX operation discovered in 2023. As noted in the Satori Threat Intelligence report, “BADBOX 2.0 is the largest botnet of infected connected TV (CTV) devices ever uncovered.” Satori researchers assess that it is likely that the same threat actors are behind both operations. Four different threat actor groups have been identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
It’s that time of year—time to start planning your next vacation. The big question is: where do you start searching for the best deals? With so many options and countless advertisements, should you just go straight to the hotel chain’s website?
What if I told you that the dark web might offer the biggest savings, if you can navigate its hidden marketplaces, chat groups, and cryptocurrency payments?
Obviously, this is satire, as using such methods could be illegal or violate a company’s terms of service, potentially leading to the loss of your booking or criminal charges.
Cheap Bookings
The dark web hosts numerous vendors claiming to offer deeply discounted travel bookings, sometimes as much as 80% off standard prices. These listings cover everything from airline tickets and hotel stays to car rentals and vacation packages.
While these deals may sound tempting, they often come with serious risks.
How Are These Discounts Possible?
Dark web travel deals typically result from fraud, hacking, or insider manipulation. Common methods include:
Carded Bookings: Reservations made using stolen credit card details, which are often flagged and canceled before the traveler can use them.
Hacked Travel Accounts: Fraudsters gain access to compromised airline, hotel, or car rental accounts, using stored points or payment methods to book travel.
Insider Access: Some sellers claim to have contacts within travel companies who manipulate reservations for a fee.
Fake or Resold Reservations: Some listings involve legitimate bookings resold at a discount, but travelers risk cancellations if the original buyer disputes the charge.
While these cheap travel deals may seem like an easy way to save money, most buyers end up losing more than they gain, whether through last-minute cancellations, financial losses, or legal consequences.
Travel Site Carding
Carding refers to the use of stolen credit card information to make unauthorized purchases. This is one of the primary ways criminals secure cheap travel bookings on the dark web.
Fraudsters exploit compromised payment details to book flights, hotels, and car rentals at a fraction of the normal price—often reselling these bookings to unsuspecting buyers.
How Travel Site Carding Works
At the core of travel site carding is stolen credit card data, which fuels an underground economy of fraudulent bookings. Hackers and cybercriminals obtain this information in various ways, large-scale data breaches, phishing scams, malware attacks, or even by purchasing stolen details on dark web marketplaces. Once obtained, these compromised credit card details are sold in bulk, often for as little as $10 to $50 per card, depending on the card’s available balance and spending limits.
Armed with stolen card details, fraudsters quickly move to make high-value travel bookings (flights, hotels, car rentals, and vacation packages) before the actual cardholder notices the unauthorized transactions. Since most credit card companies have fraud protection systems in place, criminals often prefer last-minute bookings, reducing the window of time for detection. These fraudulent transactions are usually done through compromised accounts or newly created profiles, making it harder for travel companies to link the bookings to the real perpetrators.
The travel industry has become a prime target for carding because, unlike traditional e-commerce purchases that require shipping addresses, travel services involve digital confirmations, making them easier to exploit. Criminals take advantage of instant booking confirmations to quickly secure flights or hotel rooms, often completing their travels before the fraud is even detected.
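The signals described above (last-minute bookings, newly created or compromised profiles, cards that do not match the session, rapid card testing) can be turned into a screening rule on the booking side. This is an added example, not code from the post or from any travel vendor; the booking records, thresholds and weights are constructed for illustration.

```python
"""
Heuristic screening of travel bookings for carding signals.

Added example, not part of the original post. Every weight, threshold and
booking record below is constructed; a real deployment would tune them
against the merchant's own chargeback history.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Booking:
    booking_id: str
    account_created: datetime  # when the customer profile was created
    booked_at: datetime        # when the reservation was paid for
    travel_start: datetime     # first travel date (departure / check-in)
    amount_usd: float
    card_country: str          # issuing country derived from the card BIN
    ip_country: str            # geolocation of the booking session
    cards_used_24h: int        # distinct cards tried on this account in 24h


def carding_risk(b: Booking) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score is more carding-like."""
    score, reasons = 0, []

    # Last-minute travel shrinks the window in which the cardholder can dispute.
    lead = b.travel_start - b.booked_at
    if lead <= timedelta(hours=24):
        score += 3
        reasons.append("last-minute travel (<=24h lead time)")
    elif lead <= timedelta(days=3):
        score += 1
        reasons.append("short lead time (<=3 days)")

    # Freshly created profiles are harder to link back to a real person.
    age = b.booked_at - b.account_created
    if age <= timedelta(hours=1):
        score += 3
        reasons.append("account created within an hour of booking")
    elif age <= timedelta(days=7):
        score += 1
        reasons.append("account younger than 7 days")

    # Stolen card data is often used from a different country than the issuer's.
    if b.card_country != b.ip_country:
        score += 2
        reasons.append("card issuing country differs from session country")

    # Several cards on one account in a day looks like testing a purchased batch.
    if b.cards_used_24h >= 3:
        score += 3
        reasons.append("multiple cards tried on one account (card testing)")

    if b.amount_usd >= 2000:
        score += 1
        reasons.append("high-value booking")
    return score, reasons


def decide(score: int, review_at: int = 5, block_at: int = 8) -> str:
    """Map a score to an action; thresholds are constructed defaults."""
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"


def screen(bookings: List[Booking]) -> Dict[str, Tuple[str, int, List[str]]]:
    """Return booking_id -> (decision, score, reasons)."""
    out = {}
    for b in bookings:
        score, reasons = carding_risk(b)
        out[b.booking_id] = (decide(score), score, reasons)
    return out


# Constructed sample bookings: one ordinary, one carding-like, one borderline.
SAMPLE_BOOKINGS = [
    Booking("B-1001", datetime(2023, 1, 5, 9, 0), datetime(2025, 3, 1, 10, 0),
            datetime(2025, 4, 15, 8, 0), 900.0, "US", "US", 1),
    Booking("B-1002", datetime(2025, 3, 1, 9, 40), datetime(2025, 3, 1, 10, 0),
            datetime(2025, 3, 1, 22, 0), 2400.0, "US", "NL", 4),
    Booking("B-1003", datetime(2025, 2, 26, 12, 0), datetime(2025, 3, 1, 10, 0),
            datetime(2025, 3, 3, 7, 0), 2500.0, "GB", "DE", 1),
]

if __name__ == "__main__":
    for booking_id, (decision, score, reasons) in screen(SAMPLE_BOOKINGS).items():
        print(f"{booking_id}: {decision} (score {score})")
        for r in reasons:
            print("   -", r)
```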
Refund Scams
So, you booked a trip but still want a discount? What if you could get a full refund, even after enjoying your stay?
One of the more brazen scams discussed on dark web forums involves fraudulent refund claims. Scammers manipulate hotel policies to get their money back, sometimes using extreme methods including one case where a scammer suggested urinating on the hotel bed to fabricate evidence.
The Art of the Travel Refund Scam
For some, getting a hotel refund isn’t about dissatisfaction; it’s about manipulation. Scammers exploit refund policies using deceptive tactics, sometimes going to extreme lengths to fabricate complaints.
One common method involves faking unsanitary conditions. A scammer might scatter staged evidence like soiled bedding, stains, or even dead insects they brought along. With shocking photos in hand, they demand a refund for an “unacceptable” room.
Others take a more destructive approach, intentionally damaging amenities like TVs or air conditioning units and then claiming the room was already in poor condition. Acting frustrated, they pressure hotels into offering refunds or discounts.
Some fraudsters rely on fake medical complaints, claiming allergic reactions to mold or illness from “toxic” cleaning chemicals. By threatening negative reviews or legal action, they push hotel staff into issuing refunds.
While these scams don’t always work, some travelers see them as an easy way to score a free stay. Unfortunately, this leads to stricter refund policies and higher prices for honest guests.
While booking sites don’t always favor the consumer, having “evidence” and being persistent can increase the chances of getting money back. This shows the extreme lengths some scammers go to in order to save money on their travels—even resorting to urinating on a bed for photographic proof.
Risks of Using Dark Web Travel Bookings
While the promise of cheap travel is tempting, there are major downsides:
Cancellations & Denied Check-ins: If fraud is detected, hotels and airlines cancel bookings without notice.
Legal Consequences: Purchasing knowingly fraudulent services can lead to criminal charges.
Loss of Money: Many dark web vendors scam buyers, taking payments without delivering valid reservations.
Exposure to Cybercrime: Engaging with dark web marketplaces increases the risk of malware, scams, and data theft.
Final Thoughts
While cheap travel deals on the dark web may sound like a way to save money, they come with significant risks. In most cases, travelers end up losing more than they gain, whether through canceled trips, lost money, or even legal trouble.
Instead of turning to illegal or high-risk methods, savvy travelers should look for legitimate discounts, reward programs, and last-minute booking strategies.
This also highlights the importance of the hospitality industry monitoring dark web intelligence. These scams ultimately lead to increased prices for honest travelers.
Remember: If it seems too good to be true, it probably is.
In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features B1ack’s Stash.
B1ack’s Stash is a dark web carding marketplace that specializes in the distribution of stolen credit and debit card information. Emerging on April 30, 2024, it quickly gained notoriety by releasing 1 million stolen payment card details for free, a strategy aimed at attracting cybercriminals to its platform. The market sells credit card information to users and occasionally shares free credit card dumps (as seen below). In this blog, DarkOwl analysts take a deep dive into the market, how it operates and what the reaction to the site has been on the dark web.
B1ack’s Stash Emerges with its Free CC Dump in April 2024
According to DarkOwl Vision, B1ack’s Stash began advertising its websites and free credit card information across well-known dark web forums between the spring and summer of 2024, including XSS, Exploit, Verified, Club2CRD, WWH Club, and ASCarding. The site then released several “dumps” claiming to contain credit card information.
Figure 1: Screenshots of B1ack’s Stash advertisements
The technique of making free data available to promote a site is nothing new; other well-known carding marketplaces, such as BidenCash and Joker’s Stash, operate similarly. However, they are not assessed to be directly related.
Joker’s Stash was one of the largest and most infamous dark web carding marketplaces, operating from around 2014 until it voluntarily shut down in early 2021. It was known for selling high-quality stolen payment card details and used blockchain-based domains to evade law enforcement. The closure of Joker’s Stash left a gap in the cybercriminal ecosystem, which was later filled by other marketplaces.
B1ack’s Stash, on the other hand, emerged in 2024 and quickly gained attention by releasing millions of stolen credit card details for free—a tactic often used to attract cybercriminals. While it shares a similar purpose with Joker’s Stash, there is no confirmed connection between the two.
While B1ack’s Stash may seek to capitalize on Joker’s Stash’s legacy, evidence suggests it operates independently rather than as a direct successor.
B1ack’s Stash Reappears in the Media (February 2025)
In a more recent development, on February 19, 2025, B1ack’s Stash escalated its operations by claiming to leak an additional 4 million stolen credit card details for free. This massive data dump was publicized on underground cybercriminal forums like XSS and Exploit, serving both as a marketing tactic and a means to establish credibility within the cybercrime community.
The leaked data encompasses a wide array of sensitive information, including:
Primary Account Numbers (PANs)
Expiration dates
CVV2 codes
Cardholders’ personal details
Email addresses
IP addresses
User-Agent strings
According to a blog by SOCRadar, the release of such comprehensive data poses significant risks, including financial fraud and identity theft. This data enables cybercriminals to commit fraud, resell stolen credentials, and facilitate identity theft.
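When a dump like this is released, an issuer or merchant fraud team needs to triage it quickly: discard malformed entries, drop the CVV2 so the working copy is safe to store, deduplicate, separate expired cards from live ones, and find the BINs it owns so those cards can be reissued. The following is an added example, not code from DarkOwl or the marketplace; the pipe-separated record layout, the BIN list and the reference date are assumptions, and the PANs are the publicly documented processor test numbers, not real cards.

```python
"""
Triage of a leaked card dump for an issuer's fraud team.

Added example, not part of the original post. The field order follows the
list in the text (PAN, expiry, CVV2, cardholder details, email, IP,
User-Agent); the "|" separator, the sample values and OUR_BINS are constructed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check: filters typos and junk rows before anyone acts on a record."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 only; the working copy never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def expired(exp: str, today: date) -> bool:
    """exp is MM/YY; a card stays valid through the last day of its expiry month."""
    mm, yy = exp.split("/")
    year, month = 2000 + int(yy), int(mm)
    first_day_after = date(year + (month == 12), 1 if month == 12 else month + 1, 1)
    return today >= first_day_after


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one dump line; the CVV2 field is read and deliberately discarded."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        return None
    pan, exp, _cvv, name, email, ip, ua = fields
    return {"pan": pan, "exp": exp, "name": name, "email": email, "ip": ip, "ua": ua}


def triage_dump(lines: List[str], our_bins: set, today: date) -> Tuple[List[dict], Dict[str, int]]:
    """Return (masked records, stats). Only Luhn-valid, deduplicated rows are kept."""
    seen = set()
    records: List[dict] = []
    stats = {"total": 0, "malformed": 0, "luhn_failed": 0, "unique": 0, "expired": 0, "ours_live": 0}
    for line in lines:
        stats["total"] += 1
        rec = parse_record(line)
        if rec is None:
            stats["malformed"] += 1
            continue
        if not luhn_valid(rec["pan"]):
            stats["luhn_failed"] += 1
            continue
        key = (rec["pan"], rec["exp"])
        if key in seen:             # the same card often appears in several dumps
            continue
        seen.add(key)
        stats["unique"] += 1
        is_expired = expired(rec["exp"], today)
        ours = rec["pan"][:6] in our_bins
        stats["expired"] += int(is_expired)
        if ours and not is_expired:
            stats["ours_live"] += 1   # these are the cards to block and reissue
        records.append({
            "pan_masked": mask_pan(rec["pan"]), "bin": rec["pan"][:6], "exp": rec["exp"],
            "expired": is_expired, "ours": ours, "email": rec["email"], "ip": rec["ip"],
        })
    return records, stats


# Constructed sample dump: processor test PANs, placeholder people, documentation IPs.
SAMPLE_DUMP = [
    "4111111111111111|12/27|123|Jane Doe|jane@example.com|203.0.113.5|Mozilla/5.0 (Windows NT 10.0)",
    "5555555555554444|01/24|456|John Roe|john@example.com|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64)",
    "4111111111111112|06/26|789|Bad Row|bad@example.com|192.0.2.9|curl/8.0",
    "378282246310005|09/26|1234|Amex Test|amex@example.com|203.0.113.77|Mozilla/5.0 (Macintosh)",
    "4111111111111111|12/27|123|Jane Doe|jane@example.com|203.0.113.5|Mozilla/5.0 (Windows NT 10.0)",
]
OUR_BINS = {"411111"}            # constructed: BIN range this issuer owns
REFERENCE_DATE = date(2025, 2, 19)

if __name__ == "__main__":
    recs, summary = triage_dump(SAMPLE_DUMP, OUR_BINS, REFERENCE_DATE)
    print(summary)
    for r in recs:
        print(r["pan_masked"], "expired" if r["expired"] else "live", "OURS" if r["ours"] else "")
```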
The following screenshot from DarkOwl’s Vision UI provides an example of sensitive data exposed in B1ack’s Stash’s recent free credit card dump. It shows PII such as: Name, DOB, email, CCN, CVV, Expiration, Address, and IP.
Figure 3: Screenshot of Feb 2025 Freebie CC Dump
This incident underscores the persistent threat posed by dark web marketplaces like B1ack’s Stash, highlighting the critical need for enhanced cybersecurity measures to protect both individuals and organizations from such illicit activities.
B1ack’s Stash’s Darknet Footprint
While B1ack’s Stash has been most active on XSS since April 2024, it has also heavily advertised itself on Exploit, Verified, Club2CRD, WWH Club, ASCarding, and likely other forums. It also maintains a popular Telegram channel with 2,755 subscribers.
Exploit:
Free 1 million CCs release advertisement and various dead download URLs, which were reportedly active at the time of the post on April 30, 2024.
Figure 4: Screenshot of B1ack’s Stash Free CCN Dump in 2024 on Exploit
Verified:
The following B1ack’s Stash advertisement was originally posted on the popular hacking forum, Verified, on April 17, 2024, but is still a popular thread on the forum.
Figure 5: Screenshot of B1ack’s Stash Verified Advertisement
Club2CRD:
Same content as the Verified advertisement above, originally posted on the popular credit card fraud forum, Club2CRD, on April 16, 2024.
Figure 6: Screenshot of B1ack’s Stash Club2CRD Advertisement
WWH Club:
The following post appeared on the popular Russian language credit card fraud forum, WWH Club, on June 12, 2024. Its content is identical to the content posted on other forums. However, the second screenshot below shows additional information that was not previously shared: details like the database name, country list, PII type, validity rate, and its refund policy.
Figures 7 & 8: Screenshot of B1ack’s Stash WWH Club Advertisement
ASCarding:
Same content as above. This B1ack’s Stash advertisement also appeared on the popular credit card fraud forum, ASCarding, on April 17, 2024.
Figure 9: B1ack’s Stash ASCarding Advertisement
Telegram
B1ack’s Stash also has a presence on the popular messaging app, Telegram. Its official Telegram channel has 2,755 subscribers and occasionally posts advertisements for selling credit card data.
Figure 10: B1ack’s Stash Telegram Account
Their official TG account posts in English and Russian. The below post is related to their “4 million free cc release” from February 2025.
Figure 11: Screenshot from B1ack’s Stash Telegram Account
Community Reactions: Is B1ack’s Stash Legit?
B1ack’s Stash’s sudden rise in popularity has been met with mixed reactions from dark web users. Most comments range from negative to neutral, while very few users gave clearly positive endorsements based on their site experience.
On December 27, 2024, a Telegram user on the official channel for the popular carding forum ASCarding questioned whether B1ack’s Stash could be a scam, stating:
“I got 2 non vbv from b1ack stash a while ago, they didn’t work at first but somehow on the 4 try I think i managed to withdraw 5$, am i doing something wrong or just b1ack stash is shit, i got the proxy in his area on firefox, vpn on whole pc, gmail account on his name, mac changer.”
Figure 12: Telegram Screenshot from DarkOwl Vision
DarkOwl analysts discovered a well-known dark web research website called Dark Web Informer, which also mentioned B1ack’s Stash twice on its Telegram channel.
Dark Web Informer is a cyber threat intelligence platform that provides insights into activities on both the dark web and the surface web. The site covers topics such as data breaches, darknet markets, ransomware incidents, and threat alerts.
In addition to its main website, Dark Web Informer maintains a presence on several platforms, including GitHub, LinkedIn, and Medium, where it shares cyber threat intelligence information, tools, and articles. Recently, on February 17, 2025, Dark Web Informer claimed that B1ack’s Stash is a “legitimate” fraud site.
“TheDarkWebInformer wrote: Yes, B1ack Stash is a “legitimate” fraud site. In May of 2024 1 million cards were leaked for free.”
Figure 13: Telegram Screenshot from DarkOwl Vision
Conclusion
B1ack’s Stash’s emergence and rapid growth highlight the ongoing evolution of dark web marketplaces and the persistent threats they pose to global cybersecurity. By strategically releasing millions of stolen credit card details for free, the marketplace has garnered significant attention—both from cybercriminals looking to exploit the data and security researchers tracking its impact.
While comparisons have been drawn to now-defunct platforms like Joker’s Stash, B1ack’s Stash appears to be a distinct operation aiming to establish itself as a major player in the underground economy. Its presence across multiple dark web forums, coupled with an active Telegram channel, indicates a calculated effort to build trust and legitimacy within illicit communities.
The continuous leaks of sensitive financial data underscore the urgent need for enhanced cybersecurity measures. Organizations must proactively monitor for compromised credentials, implement robust fraud detection systems, and educate users about the risks associated with stolen payment information. As cybercriminal tactics continue to evolve, law enforcement, financial institutions, and cybersecurity professionals must collaborate to anticipate and counter emerging threats in underground marketplaces like B1ack’s Stash.
Attendees of this webinar, hosted with Carahsoft, learned about how in today’s world, Open Source Intelligence (OSINT) plays a critical role in uncovering threats and mitigating risks by leveraging publicly available information. This webinar dove deep into the practical side of OSINT investigations, focusing on how dark web data can be strategically utilized to enhance threat detection and risk assessment for organizations.
During this webinar, the Director of Intelligence and Collections at DarkOwl demonstrated the power of DarkOwl Vision through real-world examples, including:
Tracking stolen credentials from a recent data breach
Monitoring dark web marketplaces for insider threats
Identifying emerging cybercrime trends
Analyzing chatter on forums to predict potential attacks
Protecting executives and high-profile individuals
Participants gained hands-on insights into gathering, analyzing, and interpreting OSINT data, with a focus on applying dark web intelligence to solve real challenges.
NOTE: Some content has been edited for length and clarity.
Erin: Hi everybody. I am the Director of Intelligence and Collections at DarkOwl and I’m going to talk you through some background on the dark web and some OSINT investigations.
What we’re going to cover today, I’m going to give you a little bit of background on who DarkOwl are, what the dark web is, why it’s important, how we can use it in OSINT. And I’m going to do a couple of use cases and walk you through some examples of what we see on the dark web and how you might be able to use it for OSINT.
A bit of background about DarkOwl. We’ve been around since 2014, but collecting data I would say from the dark web in earnest since around 2017-2018. So, our goal is to collect data from the dark web so people are able to use that data for their investigations and to protect their organizations. We allow people to do that in a number of different ways, so you can access data through our platform Vision, which I’ll be showing you how to use today, but we also have APIs and data feeds which allow you to access dark web data, and the idea really is that it is challenging to access the dark web, and also it can be against policies and violations to access it. It’s not easy to access and there are things on there that you might want to avoid. So we allow you to access that data in a secure way.
What kind of data do we have? We have layers of the deep and dark web as well as some surface web, although we are primarily a dark web company. Everything that you see here in red is something that we do collect from. We’re always looking to increase our coverage though and look at other areas where we see criminals, cyber threat actors, insider threats, people proposing violence, operating. So, we’re always on the lookout for other areas that we can collect from. But as I said, we’re primarily dark web, TOR, onion sites is where we get most of our data from, but we do also collect some surface websites, things like Doxbin, paste sites, certain forums where we see extremist activity being discussed, as well as underground criminal forums and markets and discussion boards. We also collect from Telegram and Discord. We see a lot of criminal activity operating in those areas. And this just gives you a breakdown of the volume of data that we have.
I believe there’s a polling question up on the board for you now. And that’s just to highlight, are there any messaging apps you’re seeing as part of your investigations at the moment that you would like to have more coverage of? As I mentioned, we do cover Telegram and Discord, but we’re always looking for other options. So please fill that in. You can have multiple choices. But going back to the slides, you’ll see that we’ve got a large volume of data that we collect. We have been collecting since 2017, and we do not remove any historical data because that can still be important to your recent investigations. And so, you can see the numbers that we have here. We also extract particular entities, so email addresses, IP addresses, credit cards and crypto addresses that can help you with your recent investigations. And we also have a large volume of data leak records that we’ll talk about in a little bit more detail.
And this is just to give you an overview of how our ecosystem works. We do have the Vision UI where you can access all of our data as well as APIs. We have several API products that allow you to generate scores and risk assessments based on the exposure that an individual has as well as context information about our data leaks.
And we also provide darknet services. So, for those that don’t have the resources and/or do not have the experience working with the dark web, we are able to do investigations and OSINT investigations on your behalf and produce reports regarding whatever you’re investigating. So, this is our Vision UI, it supports Boolean logic, it has darknet data within it, and it can also be used for alerting, but I will go through that in a lot more detail later in the presentation. But so, just so that we’re on the same page, let’s start with talking about what is the dark web.
No OSINT presentation is complete without an iceberg slide so this is our obligatory iceberg slide which breaks down the surface net, the deep net and the darknet.
We really do focus on the darknet you know collecting from onion sites, TOR, I2P, ZeroNet that is specific software that you need to download to access that and also, it’s not indexed so you need to know the URL that you are going to in order to find that information. So, it makes it a lot more difficult to navigate and identify sources that are going to be beneficial to you as part of your recent investigations. And that’s one of the things that we assist with. We, you know, have broad coverage across the dark web. We’re always looking to identify new sites and new areas where individuals are communicating or buying and selling goods. And so that allows you to be able to search that information. We also do do the deep net. So, this is not indexed by search engines, usually behind a firewall of some kind or password protected. It’s not easy to access, but it’s easier to access than the dark web. You can still do it using your usual browser. And there are a lot of forums and marketplaces and vendor shops, et cetera, that sit on the deep net. And then you also have the surface net. So this is, you know, the internet we’re all used to. It’s indexed by search engines. So, you can, you know, go to Google, go to Yahoo and find a site that you’re looking for and it’s all open. I would say more and more we are seeing sites on the surface web that are also engaging in criminal activity. People seem to be less concerned about obfuscating what they’re doing than they had traditionally been and also, I think law enforcement’s been quite successful in taking down some dark net sites and that has kind of moved people onto the surface net so that’s an interesting trend that we’re seeing at the moment and that’s why we cover those areas as well as just the dark net.
To give you a little bit of history on the darknet, It started in around 2000. The Darknet Tor project itself was actually created by the US Navy as a means of secure communications for their operations. And then they decided to make it an open source tool. The Tor project is a not-for-profit that runs Tor and the onion sites and the bridges, et cetera. It’s always worth noting that there are fully legitimate reasons for using the dark web for those that live in countries where communications may be limited and, you know, they may not be able to access mainstream media, things like that. Tor can be used for that. And also, people who do really want privacy. They can use the dark web to enable that privacy. I’m not going to go through everything here on this slide obviously it goes up to 2020, but you can see that there’s been a lot of things that have happened in the darknet, things like cryptocurrency becoming more prevalent and being a semi-private way of people transacting and law enforcement operating on the dark web to take down sites has been a game changer as well. But there’s a lot of things that have happened on the dark web ecosystem and continue to happen to this day.
Okay, so why is dark web data important? I’ve kind of touched on this, but a lot of criminals operate on the dark web. So, we see people communicating on the dark web in forums, in messaging apps, having conversations, but we also see people selling and buying goods. We see people offering services. There is a lot of activity that happens on the dark web that can be useful to your investigations. And there’s also sites where people’s data is released. So, data leaks, stealer logs will go into in a little bit of detail, as well as things like DoxBin where people’s information is released. So, it can really help you in your investigations identifying information about individuals, but also can help you to kind of protect individuals from an executive protection perspective and we’ll talk about that in a bit more detail as well.
While we’re level setting on dark web, hopefully everyone on this webinar is aware of what OSINT is, but it’s basically the collection, analysis and dissemination of information that is gathered from publicly accessible sources and these are a couple of the sources that are out there that I think are familiar to most people doing OSINT investigations. But people don’t always think of the dark net. I think some people think it’s scary. There are questions about whether or not it’s truly open. But it is in fact open. It’s harder to access, but all of the data is out there for people to go and view if they choose to. So, I like to think of it as a tool in the toolbox that an OSINT investigator has. You know, you should be looking at social media, you should be looking at public records, you should be looking at, you know, other mainstream websites that are out there, things like the Wayback Machine, but the dark web is an important element of that investigation and gives you kind of a broader overview of information that you might not get from other sources. I feel like, again, I have the obligatory iceberg slide, this is my obligatory AI generated image. You can see that it’s AI generated because it’s the Dark Wab and not Dark Web. It seems that when you give it a few too many prompts, it gets confused, but this is my obligatory AI image.
Okay, so but what things do we see on the dark web? So hopefully people are familiar with some of these. I think some are more well known but marketplaces are definitely, you know, a mainstream and one of the things that first started in the kind of criminal ecosystem of the dark web with things like Silk Road, which was not the first market, I believe, Farm was, but, you know, marketplaces for buying and selling drugs, illicit goods, hacking tools, tutorials. You can purchase hitmen, you can purchase all manner of strange things, whether or not that’s legitimate or not is something that we can also discuss.
There’s also a wide range of forums, so people kind of talking about things that interest them. Breach Forums is probably one of the most famous forums out there that works in buying and selling data and sharing data. But there’s also extremist forums out there, things like the incel community, right-wing extremists operating on forums too or people just discussing general things; not all of the forums are bad. There are some social media sites that are on the dark web too. There are mirrors of things like Facebook and Twitter that appear on the dark web so people can access them in countries where there might be censorship so that’s one of the more legitimate areas and also we talk about social media and I’ll go onto this in the next slide as a dark web adjacent area where we do see criminals operating on mainstream social media as well.
Cryptocurrency obviously is the currency of the dark web. We still see bitcoin as the largest currency being used but things like Monero and Zcash and more of the privacy coins are also popular. You know, wallet explorers, there are dark web wallets, there are tumblers, mixers, et cetera. So a lot of cryptocurrency activity can occur on the dark web as well as being, you know, again, perfectly legitimate information, there are a lot of news sites that are on the dark web. The BBC has a news site. I believe CNN has a news site. And there’s also just kind of other sites that share information. These can be kind of data repositories, you know, when information is leaked by whistleblowers that can sometimes appear on the dark web as well. And then we have data leaks. So rather than kind of whistleblowers, that’s more stolen data and data that’s been taken illegally. And in that vein, we also have ransomware. So, a lot of ransomware groups have leak sites on the dark web where they will kind of shame their victims into paying the ransom by saying that they are a victim and they’re gonna release the data. If the victim does not pay the ransom, then they do usually release that data which is downloadable on the dark web.
But as I mentioned, there’s also some things that we refer to as dark web adjacent. Oh, there’s a poll question. So, what areas of the dark web are of most use to you? So I’ve gone through some of them, but it’d be really interesting to know from your perspective what is most beneficial for you and your investigations and your day-to-day job. But in that thing we also have some dark web adjacent. That’s what we refer to as sites that aren’t or messaging apps or platforms that aren’t exactly on the dark web, but they’re still being used by the same community of people, i.e. usually criminals or extremists or some form of bad guy, for want of a better phrase. Things like Telegram, ICQ, Jabber, Discord is a gaming site as is Twitch, where we see people are sharing classified information, they’re making threats. A lot of the so-called gore community are very active on places like Discord tends to be younger generations and people that are into gaming, as you would expect. But these are all areas that we think it’s important to also have coverage of in order to, you know, have a full coverage of these communities and these groups and how they’re interacting. Obviously, I would say there’s been some changes in Telegram in recent months, but we are still seeing a huge amount of people operating on Telegram in a malicious way. And then the surface web, marketplaces, vendor shops, forums, as I mentioned before, excuse me, we are seeing some people that are operating in the same way they operate on the dark web on the surface web. You can find those vendor stores and those marketplaces, which I think is an interesting evolution and how these communities are operating.
Okay, so there is a lot of data on the dark web as well. So, we’ve kind of talked about the general themes and the types of sites that there are, but there’s also a lot of different types of data and a lot of different types of information. So, a huge amount of PII appears in data leaks and is discussed on some of the sites as well. Financial information. There’s a huge ecosystem of financial fraud, people selling credit card data, selling banking information, selling details of how to operate in a financial fraud way. So, we see a lot of people doing tutorials and giving guidance about how to conduct some of these scams. There’s also a huge, as you would expect, cyber and hacking community. So, people trading malware, and exploits, and different tools that you can use, you know, the phrase script kiddies, individuals who aren’t necessarily sophisticated enough to build code or build these vulnerabilities, but they can purchase them and execute them and still kind of use them for criminal activity. So, we see a lot of trading of those kind of things, drugs, obviously, and cryptocurrency I’ve also mentioned. There’s a lot of activity that can come from this kind of data. We see cyber-attacks. We see data exfiltration and hacking. There’s also cyber espionage. I mean, APT groups are hard to identify, but they’re definitely operating in some of these places. And insider threats as well, people, you know, talking about sharing information that they should not be sharing or making threats to their organization. These are all the types of things that we see on the dark web.
Let’s dive in a little bit more into what data we actually see and kind of try to look at it from an OSINT perspective where possible. Ransomware I have already mentioned. These are two examples of ransomware leak sites, one is LockBit, the other one, I actually don’t remember which ransomware site it is, but you can see like they will share the information about the company that has been the victim of a ransomware attack.
But you can see they’re also operating the yellow image. You see that they have a Telegram channel. They are on Twitter and they are on Facebook. So they have a dark website where they share this information, but they’re also operating on kind of more of the mainstream areas. And that can be really useful for you as part of an OSINT investigation. If you’re trying to identify more information about these, you’re building that kind of what we call darknet footprint and digital footprint for these groups and how they’re operating. So, you know, their sites can give you information about them that can help with understanding how they operate. But also, you know, the information that they share while stolen and really should not be shared can be used as part of investigations as well. Especially if you’re concerned about supply chain or third party risk, understanding what data has been released about an organization can help you protect your organization if one of your supply chain vendors is in there, or if you are the person that has been leaked, sorry, had been ransomed, knowing what of your data has been released and is out there for other criminals to kind of delve into, is an important thing to know. And I think some people get concerned about this data and it’s stolen data, but the thing I think people need to understand is criminals have access to this data, threat actors have access to this data and they will use it to conduct more criminal attacks, so it’s important to know what is out there from a risk perspective so you can better protect yourself.
Financial crime I’ve mentioned, we see a lot of marketplaces but also places like Telegram being used as a market for people to sell financial information. So, you can see here there’s stimulus checks being sold, there’s people selling plain credit cards, there’s other things that they’re making available on here, cash apps, etc. So there is a huge ecosystem of this financial crime.
And in the theme of markets, we also see people selling drugs and weapons on the dark web as well.
You’ll see that a lot of these markets look similar to what you would expect to see from, you know, a commerce website on the surface web as well. They provide pricing, they provide images, they also provide reviews. And that can be really useful for us from an OSINT perspective. So, you know, things that you might want to look into on these markets that can give you some clues that you can go and look through in more traditional sources. So, you know, you’ve got OSINT, sorry, you’ve got reviews, as I just mentioned. So, these are some examples of reviews. I don’t know that they are legitimate to be honest, but you’ve got the username, you’ve got the date that they purchased, and sometimes they give some information in there, like, you know, it arrived really promptly that could give you ideas about, you know, where are they based? Where are they purchasing from? And, you know, how it operates. We’ve also got here, like, more descriptions about the drugs that they’re selling. So, they’re telling you the type of drug. It’s a pressed pill. They’re made in-house. So that’s something that they’re, you know... Again, you can never really trust a threat actor, but they might be operating this themselves. That’s something to go on. And they’re also saying that we ship worldwide.
We’ve got other examples where they tell you where they’re shipping from. So, this is actually counterfeit money that they’re shipping. And they’re telling you kind of how they operate it, what techniques they have in terms of producing this counterfeit money, but also they say they’re shipping from Romania. It’s a pretty good starting point that they could be operating in Romania and that they’re individuals based in that country. Again, with OSINT, you always have to verify everything. You can’t take anything at face value, but these are data points that I think it’s important that you pull out.
And this one is a little bit maybe harder to read, but I thought it was important because they’re giving details and almost like TTPs of how they’re operating. So they’re telling you they ship it in an envelope that uses anti-extra bags and if it’s inspected, it will get through. And they’re actually saying that the National Post Service is the safest way to order it and that they also use express shipping. So, if you’re doing an investigation into kind of the methodology of someone selling these drugs or counterfeit goods, I believe this one was still counterfeit money, you can get from these marketplaces and from these sites information about how they are actually operating, which can really help you in your investigation and maybe where you want to focus to identify things from other sources that are out there.
Stolen data is also a big one. I’m not really going to show real examples here because I don’t want to expose people’s PII, there’s some of that. But these are, this is Breach Forums and I believe LeakBase. These are sites that appear on the dark web where people are sharing data. And again, we get a lot of questions about is this open? I would say predominantly on these sites the data is shared freely. Sometimes you need credits, so you need to have a reputation on the sites and have built kind of some of that persona. But by and large, this is freely available data that, again, criminals are going to have access to and it’s something to be aware of.
This gives you an idea. This is a breakdown from data that’s in our platform, Vision.
I looked at the last 90 days and it gives you a breakdown of some of the PII that is available in these leaks. So, you know, names and email addresses you’d expect, but you’re also seeing identification numbers, information about people’s genders, information about companies, phone numbers, dates of birth. You know, there’s kind of two use cases for this kind of data, I think, in the OSINT realm. One is, you know, attribution of looking at threat actors. There’s so much leaked data out there now, but threat actor information is going to appear in there as well as, you know, legitimate people’s data. So, it can really help you with that kind of attribution use case but also from a risk analysis perspective understanding what information is out there about yourself or your employees or you know individuals that you might seek to protect. This lets you know kind of what level of risk they have, what level of exposure they have and how criminals might be able to target them.
Stealer logs are something that we’ve seen a huge rise in. They’re not new, but they just seem to be a lot more prevalent in the last year or two than they were previously. This is an example. ALIEN TXTBASE is a group that have been sharing not full stealer logs, actually, but what we would call combo stealer logs, where it has the URL, the password, and the username of an individual. And they’re making that available on Telegram. So, you know, this is great for criminals in terms of they are able to log into accounts, do account takeover attacks, and depending on what URLs appear here, it could be access into someone’s network. But stealer logs are basically malware that exists on your computer or a victim’s computer and steals things like cookies, like your autofills on your browser, your passwords, and your usernames. It can also steal things like cryptocurrency wallet addresses, basically anything you’re doing on the internet it can hoover up, and we have some good blogs that I would recommend about stealer logs and how they work and how they operate and the different types of them. But they have a huge wealth of data in them.
And again, threat actors have been victims of these as well as legitimate citizens. And we’ve seen a lot of research where you are able to search for places like XSS or Exploit, you know, dark web forums, and see people’s user information and that can really help with attribution, but also knowing that risk of your password and your username is out there and that can be used for a variety of different attacks is really important, and also because the cookies are in there it can help threat actors get past two-factor authentication and OTP codes as well, so that’s something to bear in mind. Again, I said I wasn’t going to share actual data, so I wanted to give a really basic description of how some of this data can be useful. But if you have an email address for a threat actor or someone you’re interested in understanding more about, you can search for that in leak data, and it might appear and show that it’s linked to a password. Depending on how unique that password is, you might be able to identify other accounts that they’re using because we all reuse passwords. We shouldn’t and we get told not to all the time, but most people do. So, you might be able to identify other email addresses and then you can use other OSINT techniques to find more information linked to that. There are tools out there that will allow you to search for an email address and, using open-source techniques, can find things like telephone numbers that link to social media accounts, that link to things like Cash App and Venmo, that can give you access to the real identity of an individual. So, this is a very basic, simplistic way of talking about the workflow, but you can definitely use information and data leaks to be able to investigate individuals. I see it as another tool in the toolkit of data that’s open that you can use as part of your investigation.
We also see a lot of extremist activity on the dark web and particularly on Telegram. So, these are some images that we identified related to ISIS, but we also have things on there that are, you know, right-wing, extremist, racist information that’s being shared, and it’s important to monitor these because they can lead to real world threats and so we need to identify what is being done. You can see with the ISIS threats these were around some sporting events where they were encouraging people to target the sporting events and they were giving specific areas that they should do that, and this is something we’ve definitely seen an increase of, is using the dark web, using things like Telegram, to incite violence in others and create lone actor attacks. So, it’s definitely something that needs to be monitored.
Executive protection is also a use case that we’re seeing more and more active on the dark web, or the data on the dark web helping with that use case, I should say. So here I’ve got, and I apologize for some of the language in this, but just to highlight, on the left-hand side, we’ve got a post from DoxBin where they’re talking about an ex-FBI agent. Whether this information is accurate, I don’t know, but you can see they’re providing things like date of birth, address, telephone number, his wife’s information, what their role was. They’ve also got their daughter’s information. So, huge amounts of data are being shared about individuals on DoxBin. If you’re not monitoring that, then that’s going to be an issue because, you know, a lot of the time when people’s information is shared here, it can lead to real-world attacks, like things like swatting attacks. A lot of that information would come from DoxBin. You can also see we’ve got a data leak here that specifically mentioned CrowdStrike employees. Again, I haven’t provided any of the actual data, but you’ve got first name, last name, email, where they’re located, their phone number, their job title. So, this is information that’s being released about employees. And again, why you need to kind of be monitoring data leaks for your employees’ information being shared. And I think it’s really important as well that you do that from a corporate perspective of looking at corporate email addresses, but to do this completely you also need to have access to personal information too. And then the one with the not great language, so apologies again for that, is from 4chan and it is an example of a particular individual that I have blanked out being threatened and being told he will be shot, shot like the healthcare CEO, and it’s a long time coming. So, we can see kind of chatter and rhetoric of people making threats against individuals on dark websites as well.
And it’s really important to analyze those and make a judgment about, you know, the risk that these individuals pose and then using OSINT techniques to see if you can identify who these individuals are so you can have a bigger picture. 4chan unfortunately, is a difficult one to do that with because it’s anonymous, but it’s so important to know what people are discussing.
And then you can also do threat actor investigations and attribution. So, this is a bit of a historic one, but Pompompurin was the admin of Breach Forums previously. He was also on RaidForums, and, you know, from analyzing the data, we were able to look at the username and see that he was active on all of these different dark web forums. We were really able to build that footprint of how he’s operating, but you’ll see he was also on Discord. And so, it really allows you to kind of understand how this person’s operating, and obviously you can analyze their language and what they’re talking about, and if there are any clues within those forums to location and information. I highlighted DoxBin for executives, but threat actors get doxed all the time as well. So, this is an example of information relating to him that was shared online. Several people doxed this individual. So, it’s clear now that Pompompurin was Conor Brian Fitzpatrick. He was subsequently arrested. So, using the data, and again, this is a very simplified version, you’re able to identify a real person based on a username and kind of how people are interacting in the community. And from that, we were able to identify telephone numbers that they used that you can do further research on, IP addresses that they used. And I believe one of the IP addresses that was associated with Fitzpatrick was actually where he was hosting Breach Forums, and the FBI were able to use that. He is now, or he was, incarcerated; he was charged. So using the data and the information online can really help you doing investigations into threat actors as well.
Okay, and we have a third question. So what use cases are most important to you? I think it’s important to understand what use cases people are working on so we can best identify kind of the data that’s going to support that from the dark web.
But with that said, I’m going to move on to a couple of quick demos to show you real world examples of how we can find data using the Vision platform (see recording for demo portion).
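The webinar above describes two workflows built on "combo" stealer logs (URL, username, password): checking whether your own or a supplier's login portals and staff accounts appear in a dump, and pivoting from a shared, non-trivial password to other accounts the same person may use. The following Python is an added example illustrating that triage; it is not DarkOwl's code or part of the Vision platform. The sample lines are constructed for this example, and every host, username and password in them is fictitious. It also handles two parsing edge cases real dumps present: a port inside the URL and a colon inside the password.

```python
"""Triage of combo stealer-log lines (URL:USERNAME:PASSWORD).
Added example; sample data below is constructed and fictitious."""

import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the URL:user:password layout. Line 2 carries a port,
# line 4 a colon inside the password; the last two lines are dump noise.
SAMPLE_COMBO = """\
https://vpn.acme-example.com/login:j.doe@acme-example.com:Winter2024!
https://sso.acme-example.com:443/auth:j.doe@acme-example.com:Winter2024!
https://mail.example.net/:jdoe_1987@example.net:Winter2024!
https://forum.example.org/login.php:darkshadow:hunter2:extra
https://shop.example.com/account:someone@example.com:123456
https://other.example.org/:darkshadow:Pa55:w0rd
# lines like this are noise
this line has no separators
"""

# Sharing one of these says nothing about the people behind the accounts.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}

_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")
_PORT_AND_PATH = re.compile(r"\d{1,5}(/\S*)?")


def parse_combo_line(line):
    """Return (url, user, password) or None for a comment/malformed line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Detach the scheme so the colon in "https://" is not taken as a separator.
    scheme = ""
    m = _SCHEME.match(line)
    if m:
        scheme, line = m.group(0), line[m.end():]
    parts = line.split(":", 2)  # the password keeps any further colons
    if len(parts) != 3:
        return None
    url, user, password = parts
    # "host:443/path:user:pw": the middle field is really a port (+ path), so
    # re-split, provided a separator remains for user/password.
    if _PORT_AND_PATH.fullmatch(user) and ":" in password:
        url = f"{url}:{user}"
        user, password = password.split(":", 1)
    if not user or not password:
        return None
    return scheme + url, user, password


def parse_combo(text):
    """Parse a whole dump, skipping lines that do not fit the layout."""
    return [r for r in map(parse_combo_line, text.splitlines()) if r]


def host_of(url):
    """Lower-cased hostname of a combo URL, port stripped; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _in_watch(name, watch_domains):
    return any(name == d or name.endswith("." + d) for d in watch_domains)


def asset_exposure(records, watch_domains):
    """Records whose login URL is on a watched domain (yours or a supplier's):
    a stealer victim holds a working password for that asset."""
    return [r for r in records if _in_watch(host_of(r[0]), watch_domains)]


def employee_accounts(records, watch_domains):
    """Usernames that are e-mail addresses on a watched domain, whatever site
    the credential belongs to: staff whose machine was infected."""
    found = set()
    for _url, user, _pw in records:
        if "@" in user and _in_watch(user.rsplit("@", 1)[1].lower(), watch_domains):
            found.add(user.lower())
    return found


def password_fingerprint(password):
    """SHA-256 prefix so reports can correlate passwords without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def reuse_pivots(records, min_accounts=2):
    """Distinct usernames sharing one non-trivial password: the reuse pivot
    from the webinar. Each set is a lead to verify elsewhere, not an identity."""
    by_pw = defaultdict(set)
    for _url, user, password in records:
        if password.lower() not in COMMON_PASSWORDS:
            by_pw[password_fingerprint(password)].add(user.lower())
    return {fp: u for fp, u in by_pw.items() if len(u) >= min_accounts}


if __name__ == "__main__":
    recs = parse_combo(SAMPLE_COMBO)
    watch = {"acme-example.com"}  # hypothetical watched organisation
    for url, user, _pw in asset_exposure(recs, watch):
        print("asset exposed:", host_of(url), "<-", user)
    print("staff accounts seen:", sorted(employee_accounts(recs, watch)))
    for fp, users in reuse_pivots(recs).items():
        print(f"password {fp} shared by:", sorted(users))
```

The fingerprinting step matters in practice: an exposure report that circulates plaintext passwords from a dump is itself a leak, while a hash prefix is enough to correlate accounts. The common-password deny-list is deliberately small here; a real deployment would check against a large breached-password list before treating a shared password as evidence that two accounts belong to the same person.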
DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.
In April 2024 the UK took the unprecedented step of proscribing a group known as Terrorgram as a terrorist organization. The UK was the first country to take this step against the group, which consists of various Telegram channels used to share and encourage extremist ideologies and methodologies. It marked the first time a group organized primarily on a messaging app had been declared a terrorist organization.
In this blog we will explore the origins of the group, how it operated and the current status of the organization.
Who are Terrorgram?
Terrorgram (logo to the left) was an online network of neo-Nazi and white supremacist extremists that formed on the messaging app Telegram. The group was devoted to militant accelerationism, the idea of hastening societal collapse through violent acts, and used a number of different Telegram channels to spread this message.
The group’s overarching objective was to inspire terrorism, leveraging propaganda to promote “white supremacist” ideology and to encourage both organized and lone-wolf attacks. Encouraging others to carry out terrorist attacks, rather than conducting them yourself, is known as stochastic terrorism. Over the past few years, Terrorgram’s activities have triggered international law enforcement crackdowns as officials sought to contain its spread of hate and violence.
Origins, Ideology, and Objectives
Terrorgram emerged in the late 2010s as an extension of earlier extremist forums and subcultures. A major influence was the now-defunct Iron March forum, which, despite only ~1,200 users, had an outsized impact on modern neo-Nazi ideology.
Iron March popularized James Mason’s book Siege, which advocated leaderless terrorist cells to destabilize society and spark a fascist revolution. From this foundation, Terrorgram adopted a militant accelerationist doctrine: it seeks to collapse the current order through stochastic terrorism, inciting followers to commit acts of violence in hopes of triggering broader chaos.
Terrorgram promoted neo-fascist and white supremacist ideologies. Many of the channels it operated glorified Hitler and other fascist figures and promoted slogans like “TRAITORS WILL HANG.” “Saints” culture was also heavily promoted by Terrorgram users: it treats right-wing terrorists and mass killers as martyrs or “saints,” praising their deeds and encouraging others to emulate them.
Figure 2: Rules to be made a “Saint” by Terrorgram
The ultimate objective of this ideology is to radicalize young extremists and drive them to commit hate-fueled attacks – against minorities, government, infrastructure – to accelerate a hoped-for collapse of multicultural society.
Communication Channels and Platforms
Terrorgram’s primary base of operations was Telegram (Figure 3 to the right), a messaging and social media app that, until recently, gave extremists a relatively unpoliced platform. It is worth noting that Telegram’s public channels and groups are not end-to-end encrypted (that applies only to its optional one-to-one “secret chats”), so this content was readable by the platform and by anyone who joined the channels; the group relied on lax moderation, not on cryptography.
The name “Terrorgram” itself is a mashup of “Telegram” and “terrorism,” reflecting how deeply the group is tied to the chat platform. The network of Terrorgram was made up of hundreds of decentralized channels which were used to communicate and share propaganda with followers. In 2021, the network encompassed 200+ neo-Nazi channels on Telegram, many openly sharing bomb-making manuals and calls to violence. Some popular channels amassed thousands of followers (one had over 16,500) despite Telegram’s nominal efforts to ban violent content.
There is little evidence of a significant dark web presence dedicated to Terrorgram; its preferred “underground” forum was effectively Telegram itself. However, when faced with crackdowns, some members discussed migrating to more obscure encrypted apps like Signal, Briar, or Session to evade surveillance.
Propaganda Methods and Recruitment Tactics
Figure 4: Propaganda booklet created and shared by Terrorgram
Terrorgram’s propaganda machine was sophisticated and deliberately geared toward inciting violence from its followers. An inner circle of propagandists, the self-described “Terrorgram Collective,” produced digital manifestos combining hateful ideology with practical guides. These e-magazines, circulated as PDFs in the channels, carried titles like Hard Reset and explicitly instructed readers how to commit terror attacks. In mid-2021 Terrorgram published a guide urging attacks on power grids and violence against minorities, police, journalists, and other “enemies.”
Figure 5: Propaganda shared by Terrorgram encouraging followers to attack Government, law enforcement and critical infrastructure
A second manifesto released in late 2021 combined accelerationist and eco-fascist ideology with step-by-step manuals for making weapons. By 2022, the Collective had put out a third installment in the Hard Reset series that glorified recent white supremacist attacks and detailed strategies for targeting critical infrastructure. In December 2023 a Terrorgram manual described how to manufacture explosives from urea nitrate fertilizer.
Figure 6: Propaganda created by Terrorgram
Text publications are not the only material Terrorgram produced; the group also leveraged multimedia. In October 2022, it released a 24-minute film titled “White Terror,” which celebrated dozens of terrorists from 1968 to the present, hailing them as saints and martyrs. The video used actual shooter livestream footage, including clips from the 2019 Christchurch massacre and the 2022 Buffalo supermarket attack, as well as news reels and extremist messaging. It explicitly urged viewers to carry out new terror acts, promising that “future attacks will be honored.”
In order to spread this information, the group maintained multiple channels. The channel admins would cross-promote one another’s groups, sharing posts and links to encourage followers to subscribe across the network. This created an environment in which any newcomers who found one Terrorgram channel would soon be exposed to many more.
The group also relied heavily on memes and images to spread its propaganda; controversial memes, catchy slogans, and insider symbols, like skull masks and sonnenrads, were used to build a subcultural identity that could appeal to alienated individuals.
Figure 7: Telegram message depicting the skull mask widely used by Terrorgram and mass shooters
Notable Messages and Incidents Attributed to Terrorgram
The Terrorgram group was successful in using its propaganda to incite real world acts of violence:
In October 2022, a 19-year-old gunman attacked an LGBTQ bar in Bratislava, Slovakia, killing two people. In his manifesto, the shooter explicitly credited the Terrorgram Collective as an inspiration. Terrorgram channels hailed him as a martyr after the fact, adding him to their list of “saints.”
In early 2023, FBI agents foiled a plan to attack the electrical grid around Baltimore, Maryland, arresting Brandon Russell (an Atomwaffen Division founder) and an accomplice. Both were active in Terrorgram circles and had been sharing the network’s materials.
In January 2024, agents raiding the Florida home of a man named Lightner found a Terrorgram-produced manual and a copy of Mein Kampf alongside plans for a mass shooting. Lightner had posted on Telegram about wanting to murder people of color and Jews.
Brazilian investigators suspect that a 2022 school shooter in Aracruz, Brazil (who killed 4 people) had engaged with neo-Nazi online content aligned with Terrorgram’s ideology.
In August 2024, a young man carried out a knife attack at a mosque in Eskisehir, Turkey, injuring several worshippers – an incident the U.S. State Department later cited as having been “motivated and facilitated” by Terrorgram propaganda.
In January 2025, an extremist in Nashville committed a school shooting that channels in the network celebrated as part of their “accelerationist” campaign.
Terrorgram is believed to have succeeded in inciting violence in others and encouraging lone wolf attacks because it was very specific about what it asked followers to do. The group would often provide target lists as well as tactical guides and assessments of the successes and failures of previous mass shooters as a blueprint for future attacks. The network circulated spreadsheets of critical infrastructure sites and the personal information of officials and journalists deemed enemies. It also urged followers to attack power stations, synagogues, LGBTQ venues and refugee centers, any target that fit its apocalyptic white supremacist worldview.
Law Enforcement Actions and Countermeasures
In April 2024, the United Kingdom formally proscribed the Terrorgram Collective as a terrorist organization, making it a criminal offense to belong to or support it. British officials warned that the network “spreads vile propaganda” and “aims to radicalize young people to conduct heinous terrorist acts.” The UK ban put Terrorgram in the same category as ISIS or National Action (another neo-Nazi group), signaling how seriously authorities viewed the threat. The group was then also designated by the United States Government in January 2025.
Police in Canada arrested two Ontario men in December 2023 on terrorism charges for their role in creating Terrorgram propaganda. The men, identified in court documents as Matthew Althorpe and Kristoffer Nippak, allegedly helped author the Terrorgram manifestos and produced recruiting videos for Atomwaffen Division. One was charged with multiple counts of participating in and facilitating a terrorist group and with instructing others to carry out terrorism. The other faced a lesser charge of contributing to a terrorist group’s activities.
In September 2024, federal prosecutors in California unsealed a 15-count indictment against Dallas Erin Humber and Matthew Robert Allison, the accused ringleaders of the Terrorgram Collective. According to the Department of Justice, Humber and Allison used Telegram to solicit hate crimes and terrorist attacks against Black, Jewish, LGBTQ, and immigrant communities, and even solicited the murder of specific government officials. These arrests were a significant blow to Terrorgram’s leadership, as Humber and Allison were believed to be the key organizers behind the scenes; their Telegram aliases, “Ryder_Returns” and “BTC,” were well known in the extremist chats.
Since the arrest of Telegram’s CEO in 2024, Telegram has changed its terms and conditions and how it cooperates with law enforcement, in response to claims that it allowed extremist and other criminal activity to be shared openly on its platform. While Telegram has insisted that “calls to violence have no place” on its service and says it removed several channels using the “Terrorgram” name in the past, it is clear that these groups were allowed to operate for multiple years with no consequences from the platform, leaving them free to incite violence that led to murders and to plots to murder multiple individuals.
Current Status of the Group
With its leaders behind bars or on the run and sanctions in place in several countries, the Terrorgram network has been severely disrupted as of 2025. Counterterrorism experts observe that a string of arrests in the U.S., Canada, Europe, and elsewhere over 2023–2024 dismantled the collective’s structure. Many of the most active channels went quiet or into lockdown mode following the crackdowns.
Terrorgram as an identifiable entity has not openly rebranded under a new name – at least not yet. It is possible that remnants of the community have splintered into smaller cells or migrated to other fringe platforms without the Terrorgram label. Indeed, the ideology of militant accelerationism predated Terrorgram and will persist beyond it, so authorities remain vigilant for copycats.
Conclusion
Terrorgram’s story—from its genesis in shadowy neo-Nazi forums to its rapid expansion on Telegram, and finally to its undoing by global law enforcement—underscores the evolving landscape of extremist threats. It operated at the volatile intersection of online subculture and real-world violence, proving that internet memes and manifestos can indeed have deadly consequences. While the collective as originally known has been largely torn down, the ideological fuel it spread is still out there. Counterterrorism efforts will need to remain adaptable and collaborative across borders to prevent the next “Terrorgram” from taking root.
DarkOwl, a leading provider of darknet intelligence and insights, and SET University, a premier institution dedicated to science, entrepreneurship, and technology, Kyiv, Ukraine, are proud to announce a partnership aimed at advancing cybersecurity training and research.
This collaboration will provide SET University students with unique opportunities to engage in cutting-edge research, hands-on training, and career development initiatives in the field of cybersecurity and darknet intelligence. The partnership will involve joint projects, knowledge exchange, and participation in industry events, including hackathons and training programs.
“As we know, cybersecurity threats are evolving rapidly. It is crucial to equip the next generation of professionals with the necessary skills to combat them,” said Mark Turnage, CEO and Co-founder at DarkOwl. “By partnering with SET University, we will be doing just this – creating and supporting an environment where students can gain practical experience and contribute to real-world security solutions. We are excited to support SET University’s mission of providing students with top-tier education and access to global experts.”
Iryna Volnytska, President of SET University, adds, “Cybersecurity is about always staying ahead. At SET University, we’re building a new generation of cybersecurity leaders who don’t just react to risks but anticipate and outsmart them. That’s why we’re partnering with DarkOwl, the leader in darknet intelligence, through an MoU. By joining forces, we will combine world-class darknet intelligence with academic excellence to drive innovation, strengthen cyber resilience, and prepare Ukraine’s brightest minds to meet global cyber challenges.”
The partnership will also facilitate joint seminars, workshops, and training sessions, enhancing the cybersecurity expertise of students and faculty alike. By leveraging DarkOwl’s extensive knowledge in darknet intelligence, SET University aims to prepare students for careers in cybersecurity, intelligence analysis, and digital forensics to create the cybersecurity leaders of tomorrow.
About SET University
SET University is a non-profit tech institution reimagining higher education through science, entrepreneurship, and technology. Based in Ukraine, SET University empowers innovators to shape the changing world and grows the future tech leaders to rebuild the Ukrainian economy. It offers transformative educational approaches, fosters startup development, and brings together the brightest minds in tech and science.
About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.