Author: DarkOwl Content Team

Cybersecurity Awareness Month: Upcoming Content

October 03, 2023

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.

Be the first to know as we release new research by entering your email below!

Upcoming Content This Month

BLOG

Z Bloggers

A recent BBC article reported the sudden increase of Telegram members in various “Z blogger” channels is correlated with a “surge in Telegram’s advertising market” like WarGonzo and Grey_Zone. This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif.

BLOG

Mental Health Strategies for OSINT Investigators

Some types of OSINT research expose analysts to explicit, obscene, extreme, or otherwise uncomfortable content. In honor of World Mental Health Day, the DarkOwl team will be conducting research looking to:

  • Explain the risks that are inherent to some types of OSINT research, primarily taking a mental health perspective.
  • Disseminate the results of some independent research I am conducting, where I can provide to attendees strategies other OSINT researchers use to mitigate the risks to mental health from exposure to extreme content.
  • Facilitate a conversation with attendees who are comfortable sharing what strategies they employ to mitigate risks to their mental health from this exposure.
EVENT

DarkOwl @ ISS Latin America in Panama City, Panama

DarkOwl Senior Intelligence Analyst, Steph Shample will be presenting “Use of Darknet for National Intelligence and Law Enforcement Purposes.” This session details the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity, whether fiat or cryptocurrency transactions; hybrid incidents events that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services.

Attending ISS Latin America? Make sure stop by Table Top #6 and schedule a time meet with a DarkOwl team member here.

BLOG

Q3 Product Updates

Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. Always something exciting coming from our Product and Collections teams!

BLOG

Leak Sites Increase

In May, our analysts noticed and published a piece on the increase in leak sites. Stay tuned for an update this month on this topic and what the team is now noticing.

EVENT

DarkOwl @ OsmosisCon in New Orleans, LA

DarkOwl’s Damian Hoffman, Product Engineer and Data Analyst, will be leading a discussion on Mental Health Strategies for OSINT Investigators.

Pre-conference, Damian will also be conducting a demo titled “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations.” The goal of this session is to further educate the intelligence community on how threat actors on the darknet pose a threat to national security and showcase Vision UI, the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

Attending this conference? Stop by Booth #22 and schedule time to meet with us here.

EVENT

DarkOwl @ GITEX in Dubai

Going to be at GITEX, the world’s largest tech show, exploring the latest innovations, products and services within AI, Cybersecurity, Mobility and Sustainable Tech, in Dubai? Make sure to schedule time to meet DarkOwl FZE CEO, David Alley.

BLOG

Internalized Domain Name Homoglyphs: Can You Spot the Difference? 

Homoglyphs are characters from one language set that look like other characters of a different language set. Threat actors use different character sets to cause confusion and register domain names similar to legitimate domains, but with one or more characters from another language, for phishing and credential harvesting campaigns. In this blog, DarkOwl analysts will outline several examples, all including an example screenshot of the fake website.

BLOG

Fraud is inarguably a global problem that is not going away any time soon. The DarkOwl team has published several pieces around fraud and scams, including a blog on their differences. Our October piece will dive into recent trends of fraud specifically.

BLOG

Spooky Findings on the Darknet

The darknet can be a scary place. For Halloween, we will highlight some spooky findings from our analyst team. This is one you will not want to miss!

WEBINAR

As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space. In this 30-minute session, on Tuesday, October 31 at 12pm ET, Socialgist CRO, Justin Wyman and DarkOwl Co-Founder and CEO, Mark Turnage, will explore a variety of critical topics shaping the cybersecurity landscape:

  • Key VC Raises in Cybersecurity: Capturing Industry Attention
  • Understanding the Major Players: Who’s Raising the Stakes
  • Harnessing Security Solutions: How Organizations Protect Their Assets
  • Addressing the Talent Gap: Scaling with Data Aggregators and Services
  • Pioneering the Use of AI: How do LLMs and AI Come into Play

Save my Spot! (Can’t attending live but want the recording? Register and we will be sure to send it to you)


Curious to see how darknet data can improve your cybersecurity situational awareness? Contact us.

Threat Intelligence RoundUp: September

October 02, 2023

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. MGM cyberattack claimed by ALPHV/BlackCat ransom gang – Cybernews

ALPHV/Blackcat ransomware group claimed responsibility for the MGM cybersecurity incident this week. Down slot machines, nonfunctioning key cards, and more services were interrupted at MGM resorts and hotels nationwide. News articles broke Wednesday, 13 September, that ALPHV/Blackcat ransomware gang was responsible. However, DarkOWL analysts went to the ALPHV onion page, and no new data was listed yet. MGM data from 2013 were the only results. On 14 September, new rumors emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is an English-speaking cybercrime group which teamed up with ALPHV in early 2023. Additionally, Scattered Spider hit Caesars Entertainment on 7 September. Caesars paid tens of millions to remain operational and did not experience an outage. Read full article.

2. Hackers backdoor telecom providers with new HTTPSnoop malware – Bleeping Computer

Threat actor group “ShroudedSnooper” has installed HTTPSnoop and PipeSnoop malware throughout Middle Eastern telecom providers. HTTPSnoop imitates legitimate URL patterns and blends into legitimate traffic, making detection very difficult; it also targets public servers. PipeSnoop takes advantage of deeper compromise within networks. No attribution has been discovered regarding the country of origin or intention of ShroudedSnooper. Article here.

3. Payment Card-Skimming Campaign Now Targeting Websites in North America – Dark Reading

Attacks starting in May 2023 (or earlier), by a Chinese-speaking threat actor, has exploited vulnerabilities in Web applications in the Asia/Pacific region. This month, they have expanded their targets into Latin and North America. The attacks involve skimming credit card numbers off ecommerce sites and point-of-sale service providers. Read more.

4. GhostSec Leaks Source Code of Alleged Iranian Surveillance Tool – Dark Reading

Hacktivist group GhostSec revealed the source code from Iran’s FANAP group, a technology conglomerate that has ties to the financial, government, and technology sectors in Iran. The source code reveals facial recognition, GPS and tracking systems, car license plate recognition, and other efforts in the surveillance space. DarkOWL analysts have procured the available files from Telegram. GhostSec established two Telegram channels to share with the media covering this event, as well as the files, stating the second channel was a backup in case the first was shut down. Learn more.

5. Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising – The Hacker News

Cybercriminals are using LinkedIn to find accounts tied to the digital marketing space, and compromising those accounts to use in social engineering incidents. Digital marketing accounts often have high numbers of followers and connections, and these numbers are easier to use to expand credential theft operations and reuse that information in malicious operations. After compromising LinkedIn accounts, the Vietnamese cyber group is using Duckport malware to perform information stealing ops, and then moving to other social media platforms such as Facebook, continuing to steal account credentials and in some instances, cookies, to reuse in the operations. Read full article.

6. Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace – The Hacker News

Law enforcement in Finland, including Finnish customs, announced the takedown of illegal dark web narcotic marketplace, Polopuoti on September 20. The drugs came from abroad into Finland, and this was a joint operation that also involved parties from Germany, Romania, and Lithuania. The marketplace had been active since May of 2022. Read full article.

7. FBI, CISA Issue Joint Warning on ‘Snatch’ Ransomware-as-a-Service – Dark Reading

Snatch ransomware employs a method to force Windows computers to go into safe mode and reboot before encrypting. The Snatch group is targeting CI/KR, including IT and agricultural firms, and the defense industrial base. They also purchase stolen data from other ransomware variants. Snatch has a very active extortion blog and has significantly ramped up activity in the past 12 months. Snatch also takes advantage of RDP, using the credentials from other ransomware campaigns to gain access and then move around the network. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Dark Web Investigations: Uncovering the Hidden Web

DarkOwl is the darknet expert and our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. This infographic outlines several aspects of DarkOwl’s dark web investigations.

View full infographic.


Learn more about DarkOwl’s Darknet Services options.

What is Bullet Proof Hosting?

September 21, 2023

Cybersecurity might has well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms.

Bullet proof hosts (BPH) are web hosting providers that are less regulated with the services they allow compared to traditional Internet Service providers (ISPs), hardly restricting any kind of content.  BPH services are frequently used by online casinos and actors who intentionally spam or run other illicit online activities. They generally take all the material and practices that legitimate hosting services prevent (fraud, abuse, pornography, gambling, and hate speech, to name a few) and permit it. Just as legitimate businesses rely on ISPs, criminal and malicious threat actors (including state-sponsored advanced persistent threat [APT] groups) rely on the resilience of bullet proof hosting to conduct their operations.

While traditional ISPs aim to combat cybercriminals and online fraud and abuse, BPH actually empower and aid the criminal ecosystems, offering resilient infrastructure and avoidance of law enforcement operations. Even when there are takedown requests, abuse reports, or law enforcement actions, such as subpoenas, BPH ignore them. BPH will create shell companies or simply move IP ranges to keep questionable activity up and running. In some cases, BPH will even tip subpoena activity or takedown requests to the actors using their infrastructure, which gives them time to react, move their operations and prevent losing financial assets. For these reasons, BPH are crucial to the continuation of the cybercriminal ecosystem. 

The geographical component is essential to the success of a BPH operation. Bullet proof hosts usually establish themselves in areas which have vague or lenient cyber laws and policies towards these practices. Furthermore, they ensure to operate in areas which have no extradition to the Five-Eye countries: The United States, Canada, Australia, New Zealand, and The United Kingdom. Locations that commonly allow for and host BPH include: China, Romania, Bulgaria, Estonia, Panama, and the Seychelles, among others. In China, spamming is a completely sanctioned activity, whereas in the US, the FTC established tight guidelines to differentiate between “spamming” and authorized business activities, such as sending cold emails for business purposes. BPH also rely on the pseudonymity of cryptocurrency payments to operate. In this way, they almost facilitate a “don’t ask, don’t tell” mentality for the criminal underground, allowing actors to carry out nefarious operations while turning a blind eye or pleading ignorance.

Another term for BPH is DCMA-ignored hosting. The Digital Millennium Copyright Act is geared to protect copyright holders from theft of their material and aid in combating copyright infringement online. It only applies to specific ISPs who meet certain regulations. Most BPH do not meet these standards and regulations. The most effective way to combat the material hosted by BPH is to blacklist their entire IP block. 

In August of 2023, researchers in the cyber threat field broke the news that Cloudzy, a New York company actually run out of Tehran, Iran, was providing infrastructure to both nation state and criminal cyber actors. Researchers estimated that 40 – 60% of Cloudzy activity was malicious. Like other BPH, Cloudzy takes payment in cryptocurrency and claims to protect the privacy of its users. Cloudzy also ignored takedown requests and abuse reports. However, Cloudzy goes above and beyond a normal BPH profile, hiding its company ties to known governments and criminal conglomerates worldwide and masquerading as a legitimate provider. In addition to known nation state actors tied to using Cloudzy infrastructure, ransomware affiliates and initial access brokers were observed using Cloudzy services in their operations.   

Examples in DarkOwl Vision

After the Cloudzy research broke, DarkOwl analysts observed some of the latest trends for BPH in 2023. It is a competitive market where the actors using these services expect full time support, dedicated servers, and protection from online threats such as DDoS attacks, while also expecting protection from law enforcement. They want cheap and reliable service as well. Promises like live time are critical because of efforts to remove BPH from operation. It takes time for criminals to set up what they want to use the BPH for – if they are immediately taken down, that is lost revenue and opportunity for the cybercriminals. Several screenshots from DarkOwl Vision below:

Figure 1: Threat actor “darknite23” advertises BPH services with a guaranteed live time; Source: DarkOwl Vision
Figure 2: An actor solicits BPH services in a Telegram channel; Source: DarkOwl Vision

Actors on discord discuss the merits of having either a virtual private server (VPS) or dedicated BPH, and name CrazyRDP and Privatealps as bonafide BPH. A VPS can be easily moved or relocated in the instance of abuse or if they are targeted by law enforcement: 

Figure 3: Actors on a chat platform server discuss some of the believed better BPH service providers; Source: DarkOwl Vision
Figure 4: Actors discuss BPH costs and services to use in their various operations; Source: DarkOwl Vision
Figure 5: Users discuss merits of a BPH on Exploit, one of the top criminal markets; Source: DarkOwl Vision

Conclusion

Bullet proof hosting providers are known to facilitate the cybercriminal underground, their actors, front companies, and all types of illicit activities. In an ever-connected world where humans are looking to express themselves, promote their causes, cling to freedom of expression, or even make extra money, balancing online freedom and preventing invasions of privacy is crucial. However, freedom of expression cannot be lumped in with inciting violence, promoting continuing online hate, terrorism, and violent campaigns, in addition to attempting to compromise and extort businesses, critical infrastructure bodies, and government entities. Bullet proof hosts facilitate and enable some of the worst actors in the space. They must be studied and observed in order to prevent them from gaining more momentum and enabling additional compromising activities online. 


Questions or comments? Put me in touch!

Chatting with DarkOwl Analysts: Who Are They and What Do They Do?

September 19, 2023

The darknet is a haven for illicit activities many of which can pose a direct threat to organizations and individuals with stolen data being made available for purchase, access to illicit goods, and hacking activities. In addition, forums are used to discuss all manner of topics from extremism to CSAM to hacking practices and education.

Accessing and analyzing data from the darknet is challenging, even for the most experienced of analysts. DarkOwl is the darknet expert, with access to the largest database of darknet content. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence.

Interview with the DarkOwl Darknet Analyst Team

DarkOwl’s Director of Marketing, Dustin Smith, sat down with Erin, Director of Intelligence, Senior Threat Analyst, Steph Shample, and Darknet Intelligence Analyst, Richard Hancock, to understand a little more about their backgrounds, why they love cyber, projects they’re working on, and some tips and tricks for new analysts.

Editors Note: Some content has been edited for length and clarity.


Why did you get into cyber security and the darknet space in particular? 

Erin: I kind of fell into it. I worked for the government and I was put onto cyber work, so that’s kind of how I started in cybersecurity. And I really enjoyed it. There’s a lot of fascinating characters and interesting people to investigate in that area. It’s very much been, in the 15 years or so that I’ve been doing it, a growth space with more information and more techniques and things happening all the time. So there’s always new stuff going on. And then the dark web has always been something that people are utilizing and using as a means of communicating. It’s always been fascinating in terms of its darkness, I guess, for want of a better phrase. 

Rich: For my entrance into cyber security, I also kind of fell into it. It’s interesting because a lot of people who have a background in government contracting, working directly for the government and counterterrorism and linguistics, like myself, transitioned into cyber threat hunting. And I think that reflects a level of how foreign policy and national security interests are evolving as well. But actually, my first entrance into open source intelligence investigations was actually through a recruiting job where I had to get really good at finding people’s contact information online. That’s where I developed a lot of my Google dorking, Boolean skills is in the recruiting world. I didn’t study computer science or anything science related in college, I studied Arabic and international studies and something I tell a lot of younger people that are trying to get into cybersecurity is just because you didn’t study something technical, doesn’t mean you can’t work in cybersecurity. 

Steph: So we all kind of fell into it because I was also government. What’s interesting is that I have almost the exact same start as Rich, in that I was doing counterterrorism work. You take those investigation skills for online patterns of terrorists and kind of trying to get into closed networks and you have to take that to the cyber world as well. But same situation – I had no computer science, I was  studying humanities in college. And then it was the linguistic aspect that… the needs were like, hey, Iranian cyber actors are coming online, African terrorists are using French forums… Can you translate this? Do you know what’s going on? So I think getting into it was accidental, but staying in it was definitely intentional because there is never a dull day.  

There’s never a dull moment. You have to learn something new. It’s not a matter of, “oh, I like learning new things.” If you want to stay competitive in the field and if you want to stay on top of your game, you have to advance with technology. And so that makes it really exciting. Furthermore, to come into the Internet world that none of us had a background in, no computer science is one thing, but when you start seeing TORs and these closed down platforms and these kind of CAPTCHAs and you’re just like, “how did these people come up with this and how can they navigate this?” And then also wreak havoc across the world on every industry. From what Rich said, it influences policy, the defense sector, but it also influences the financial sector and industry of all kinds. And what these people can do, cyber criminals, namely on the dark web from remote places. It’s fascinating. And do you want to be part of the good or do you want to be part of the bad? Do you want to combat that and the damage they have internationally, or do you want to just let them go? So that’s why I stayed in it. And it’s amazing, especially the dark web. It’s fascinating. 

I love how you transitioned into why you stay in cyber. Rich and Erin, do you have comments to add? 

Rich: I’ll draw back to the link that Steph and I have, which is our cultural interests and linguistic interests, which got us into the industry. Why I’m going to be staying in it is because I’m constantly learning. I’ve had darknet experience at previous jobs, but the amount of information that I’ve learned since being here [at DarkOwl] and how much better I’ve gotten at doing cyber investigations and the exposure to different industries is because we’re not just selling to one particular type of client. It has been incredible. Developing darknet subject matter expertise is a really, really valuable skill that can be used in so many different ways moving forward. 

Erin: I just really enjoy it, honestly, that’s why I stayed in it. I love figuring stuff out. I love a puzzle of, you’ve got to find something and how do you go and find it? And one of the things I think in the industry that’s so different from government is it’s really on you to go and find that information. I think in government and military, you’re getting SIGNIT [signals intelligence], you’re getting all of this information coming to you, and then you just do stuff with it. Whereas in the jobs that we do, it’s a case of: what can we find and what places are we going to look and who do we need to talk to find out that information? Steph and Rich say it’s having those linguistic abilities or having that knowledge of the different cultures and knowing the kind of subsectors of the groups within the dark web and what they’re interested in and what you need to talk about in order to kind of to get in with them. It’s just interesting. I enjoy it. And as the other guys have said, it’s constant learning. It’s a constant challenge. There’s always new things to do. It always keeps you on your toes. 

Dustin: Erin, do you come from a computer science or tech background or more humanities? 

Erin: Humanities. I always say to people when I’m talking about my job and what I do is that I’m not technical but I have the ability to translate technical stuff to other people. I can take the technical information and tell you what it means in clear English. 

Steph: Can I piggyback off of that? I think another side skill that emerges when you talk about backgrounds, like Rich said, you don’t have to be from a computer science background or be a programmer, but all of us have the ability from government customers to industry customers to be able to translate what cyber actors are doing, nation states, governments at every level to C-Suites, Generals to HR [human resources] and everybody that has hands-on information. We get better at that every time there’s a new group or a new tactic because we have to essentially translate, how does this impact you? What is your risk and how can we help you make your environment better and safer? And it really is circumlocution direct approach, translation, running it off of each other. It’s a foreign language and its own lexicon in and of itself. And it’s really cool. 

Switching gears a little bit, now that we know who you guys are. Explain the concept of Darknet Services and why DarkOwl launched this offering. 

Erin: I think what Steph just said is a really great segue into this. One of the things that we’re able to do is take that technical information, take the trends that we’re seeing, take the groups that we’re seeing and put it into a report or presentation for people to understand what it is they’re looking at. The dark web is a very complex place, there are a lot of different groups on there, a lot of different individuals using it for a lot of different purposes. It can sometimes be kind of tricky to understand everything that’s going on and what that actually means and how that fits into the wider context of what’s going on in the cyber world and in the criminal world more widely and in geopolitical politics. And all of those things depend on what background you’re coming from or what and who you’re looking at.  

So the idea with Darknet Services at DarkOwl is we really wanted to support our existing customers and any new customers that come on board with our expertise of investigations and the dark web. We can help explain what they are looking at, what risks they should be concerned about, what remediation, if any, action that they can take, and really support them throughout any investigation needs. 

Steph: It’s everything that she just said. Absolutely. Darknet Services is also a really great offering because let’s face it, the tech and the dark web especially is intimidating and there’s a security risk. So we [DarkOwl analysts] assume that risk because we know it. Most of us have dealt with it for over a decade, if not two decades. So if you are an individual who isn’t comfortable with the darknet, you don’t know what you’re exposing inadvertently, you don’t want to be the weakest link in your organization, but you want to know what’s out there. We take that risk and we can do it as far as one website, or we can do it for a whole host of threats, a specific industry that you want to look into or a specific group that you want to look into. And we take being able to do those services very seriously because we want to make a positive contribution and a positive change.  

Furthermore, let’s be serious about the fact that there’s new stuff emerging that even we [DarkOwl analysts] need outside assistance with doing. The platforms are ever-emerging and ever-changing. So, let the services team assume the risk to keep your organization protected because it is intimidating out there. But we do know the dark web, where to go, and how to be safe. 

Rich: I think one point to add to that is the ideal audience for Darknet Services at DarkOwl could be somebody who’s more beginner when it comes to darknet knowledge, or somebody on the more veteran experience side. To explain that further, let’s say you’re trying to better understand what the main risks are to you as an organization, and doing some ongoing monitoring. It could be a more simple engagement for somebody who’s newer to the darknet and with the eventual hope that they’ll be able to do some of the investigating on their own within our platform. But also there’s opportunities for people who might have more complicated queries about what’s going on in the darknet and maybe specific asks for what is going on in this particular community or things like that as well. So I think it’s just important to note that there’s not one ideal audience for Darknet Services. It can be somebody who’s more experienced on the darknet or not as well. 

Steph: Great point. Can I also add to that, like you said, it’s varied audiences and you might be a veteran, or you might be brand new. Furthermore, maybe you know that your company or organization is fairly safe and has good cyber hygiene, but your suppliers or your vendors or your third-party don’t. And maybe you don’t know how to investigate them and you don’t want to have that awkward conversation of like, “Hi, are you subjecting us to ransomware or credential theft?” So that’s another place where we come in and we can look at your supply chain and your vendors and that way you can have a more robust picture of all potential risks. 

Erin: The other thing I just thought of as well is it’s not just about doing that investigation and looking at groups or looking at your exposure. We can also do data acquisition as well. So we’ve had a lot of customers that have come to us and said “we’ve been told our information is out there or we’ve seen someone advertising this particular piece of information. Can you please go and get it for us or can you confirm that it’s there and what’s in it?” And that’s a really tricky thing for a lot of people to do as well, because it involves interacting with threat actors, which most corporations don’t allow their employees to do and you probably wouldn’t want to do. There’s a lot of other factors that go into that. We are experienced in working with those factors in order to get that information that the customer wants. So there are several use cases that we can support. 

Why is darknet data important in cyber investigations and risk monitoring? 

Rich: Dark web data is just another component of open-source intelligence. There’s darknet intelligence, open-source intelligence, different forms of intelligence, and in order to conduct all source intelligence analysis, you need a factor in dark web intelligence  into your picture. 

Steph: I think there’s an evolution of intel. Rich is right, darknet intelligence is a component. We’re not saying only focus on the dark web, but you do need a robust picture. Additionally, cyber actors in the evolution of technology follow the trends too. In the 2010s, when I first got on the darknet, these actors, and it’s still true to this day to an extent, feel safer on the dark web. They feel that it’s not as monitored as the open net or the clear net so they reveal TTPs [techniques, tactics and procedures], usernames, aliases, their whole criminal ecosystem. And now we were seeing threat actors on darknet adjacent sites, like chat platforms such as Telegram. You have to keep moving with them because they’re not as open on the dark web anymore, but they are on Telegram and other platforms and we can follow that evolution and follow that chatter to get some really deep insight that they don’t think is being monitored. 

Erin: Just to echo that, although we’re a dark web company, we also cover a lot of dark web adjacent sources and we’re seeing them becoming more and more integral to the investigations that we’re doing. With the Russia-Ukraine War, we’re seeing a lot of pro-Russian and pro-Ukrainian Telegram channels that have thousands of followers. Telegram is becoming a really important vector. Seeing how threat actors communicate is going to always be a key aspect to knowing what they’re doing so we need to be aware of those communications, and also look at things on the dark web like marketplaces and forums, to gather trends. By doing this, we’re able to see what types of cryptocurrency actors are using, how they’re doing their escrow services, how are they doing financial transactions, what drugs are most popular at the moment, etc. One of the things that we’ve seen recently is there’s been an increase in black market pharmaceuticals of things like Ozempic because people want to lose weight rather than the more traditional drugs that people would think of. We’re seeing increases in counterfeit and things like that.  

To just touch on ransomware- ransomware is increasing exponentially and has been throughout last year and into this year. Ransomware groups are using the dark web to advertise the victims that they’re targeting. Then when they don’t get their ransom, the data from those victims is released. There’s a huge amount of information there. For corporations to know what exposure they have, it’s really important to be checking through all of those things because as Steph said, it’s third parties and vendors as well. Just because you didn’t get a ransomware attack doesn’t mean that your data hasn’t been exposed. Again, as Rich says, darknet data is part of the whole ecosystem of doing open investigations, and it’s something that should be covered. The Darknet is an area that a lot of people forget about. They tend to focus on social media, surface web forums, data brokers, and things like that and aren’t looking below the surface, and I think that’s where you find most of the useful information. 

Rich: I have one quick point I want to add about our data collection and why we equally collect from places like Telegram and darknet forums like Exploit. One threat actor I can speak about that’s gotten a lot of attention in the media recently is this guy Canadian Kingpin who’s selling services that take advantage of ChatGPT and using them for fraudulent products and services and selling them on places like Exploit and other forums. But one of the main ways this vendor first gained a reputation was through their Telegram channel, which goes by a different name. They also include the name Canadian Kingpin in there. But this threat actor is actually mostly involved with bank logs, targeting fraudulent products, targeting banks. But they’re also now involved with ChatGPT fraud bots and things like that. And they equally have a presence on Telegram and from what we were seeing in our research about 5 or 6 other darknet marketplaces, deep web forums and darknet forums as well. 

Steph: I have to jump in on that because Rich killed that. Not only are industries going to move to AI, but so are criminals. We have to watch that. Rich is exactly right and we are so aligned on our team – without even comparing notes, I had noticed Canadian Kingpin and his Telegram channel and then I got with Rich to see if he had any notes about it and he already had this threat actor mapped out into all of the forums that he just talked about. So I had seen his Telegram and Rich was like, here he is in 6 or 7 different forums and we were like, we have to watch this guy. His services are out there, he’s ahead of the curve. 

Any other themes and trends that you are seeing on the darknet? 

Steph: I think Erin really nailed it with the mention of Russia and Ukraine that put Telegram as well as the dark web and other adjacent services on everyone’s radar. I think a lot of people were a little doubtful of the dark web or OSINT contributions until that conflict started. And then it was basically a hybrid conflict taking place physically, but then also taking place on the dark web and on social media. When Afghanistan fell two years ago, the Taliban had some similar use cases. They were more on social media. It just goes to show you the absolute importance and trends of these actors and groups that once banned technology, and that’s in more regions of the world than just Afghanistan. Now you can track their checkpoints by Snapchat traffic and then you can go to Telegram and confirm if they’re talking about, “yeah, we’ve set up this checkpoint here. We’ve killed 30 people trying to escape.” This is going to continue. It’s going to be the same on Telegram and the dark web and keeping track of this is really going to be disparate. And we have to follow all of those disparate sources and continue to follow the trends that are emerging. 

Erin: Ransomware is a huge one, the growth of this area is massive and I think people aren’t really sure about it and want to understand what their exposure is. I would say leaks, in general leaks are not going away. We are seeing hundreds of them daily, information that’s being shared. Generally, some of the things that we’re seeing and since we’ve started the services is people are worried generally about what their exposure is. In this digital age with regulation and media – if anything goes wrong, it’s all over the news. People are really concerned about what exposure they have and want to make sure that they’re getting as much coverage as possible, which is great. But obviously, we would always err towards prevention rather than the cleanup. Another one that I’ve seen growing is physical security. With a lot of protests happening in recent years and other events, people are very concerned about when their employees are traveling to certain areas and making sure that they know if people are talking about that area or that building or any kind of attacks that they might take. And as always, phishing is not going away – phishing and smishing. We’re seeing actors getting more sophisticated with that, and through some of the other data sets that are out there from ransomware, data leaks, etcetera, they’re able to garner more information that they can use for those phishing attacks to make them more likely to work.  

Rich: I have one more trend I’ve noticed as well, and that is more from an industry level, from a threat intelligence perspective, investigations perspective. There’s an increasing appetite for digesting dark web data. We’ve observed this is larger tech companies that are actually creating their own dark web investigations departments with their own budgets. When large tech companies are making decisions like that, I think it shows a bit more maturity in the industry. Then, the type of data that we’re seeing would be most mentioning those type of companies, we’ll go back to Telegram one more time because the most the most common threat we’re seeing on Telegram and consequently also dark web marketplaces right now would be any company that facilitates or has a large mobile application user base. Those kind of companies are the most targeted on the dark web and Telegram right now in terms of fraudulent products. So whether it’s a Netflix account, a Spotify account, Amazon Prime, Pizza Hut, you name it, those are the most common threats on the dark web because it’s so easy to sell that information on there. 

Steph: I would add hacktivism as well. Early on it was like actors would log on, maybe deface a website and put an obnoxious picture. But now to the ransomware point, which we’ve discussed, is continuing to just explode. Actors are now, if they can get inside of an organization and no matter what their viewpoint, no matter where they stand on an issue, an actor takes umbrage with that and then goes after it and exposes that company for supporting a cause, disputing a cause. So hacktivism is tying into ransomware. It’s tying into all of the fraudulent campaigns, for example, if Netflix takes a stand on some issue that’s common in the US, somebody’s going to go after that because they disagree and say, “Well, I have 8,000 Netflix accounts that I can sell. Netflix doesn’t support cause xyz. Here they are.” Hacktivism is also bleeding into the other cybercriminal ecosystems. It’s very interesting. 

Any projects that are coming up that you guys are really excited to dive into? 

Steph: It’s really nerdy to say, but every day. I came back to the dark web, this area for a reason. But ransomware is how I got my start in cyber. It’s what I initially started translating, and I’m absolutely obsessed with it. I can’t believe how it’s evolved, how common it is. It’s not just nation-states, it’s criminal actors. It’s everywhere. It’s going to be increased by AI. So, for me, I am probably most excited about ransomware projects and combating that and doing our part to contribute to lowering that risk globally. I’m really excited about that. 

Erin: I am trying to think what projects we can actually talk about, to be honest. 

As we’ve got the analyst team set up, we’re trying to deep dive more into different areas. We’re looking at different threat actors on the dark web, we’re looking at threat areas like terrorism. As Steph said earlier, the dark web used to be a safe space and now it’s somewhat less of a safe space. A lot of forums have been taken down in this last year or so, and that’s changed the way that people are operating. It’ll be interesting to see what we can find and how things are changing in those areas. 

Steph: Another aspect of excitement is that our analyst team is getting really deep and granular on our projects. We really love it. We have to liaison and have constant back and forth with customers, they’re going to see different things that we also need to be paying attention to. It’ll be great to record what we see in trends, what we’re observing, and then match that with what the customers need and what customers are facing. That feedback from them is also going to be really integral to bettering us and bettering our Services. It’s fun to have a two-way conversation as well. And who you’re having that conversation with isn’t always going to be an analyst. They’re going to be coming at it from a different perspective and we’ll learn a ton from that.  

To wrap up, any tips or tricks for other analysts out there or beginner analysts that are looking to get into a role like this? 

Erin: Be curious. There’s a lot of information out there. There’s a lot of training out there. There’s a lot of free training and reading that you can do. There’s some really great resources on open source training. So I would delve into those. As we said at the beginning, this is a constantly evolving role and you’re always learning. So I’m always looking at those resources and things as well, going to conferences and hearing about new tools and new ways of doing things is always really interesting. So again, be curious, find out as much information as you can and don’t be intimidated by it. If it’s something that you’re interested in, I think you can figure out how to do it. 

Rich: I would say to try to find different parts of the industry that are interesting to you and excite you and maybe are related to some of your other interests. I recently saw a LinkedIn post where somebody was actually hiring open-source investigators that have a background being truck drivers because they need to be familiar with threats to transportation and the logistics industry. Just think about that. A truck driver is now an OSINT investigator. 

Steph: That’s amazing. 

Erin: I like that. 

Steph: Erin took the words right out of my mouth. And Dustin, you’ve heard me say it before, you have to be curious whether you’re brand new to the field or you’re 20 years into this. Your curiosity can’t stop, you’ve got to stay one step ahead. There’s going to be naysayers and people who poo poo the dark web or poo poo OSINT. Don’t be intimidated and always be curious. 

Rich: One point I’ll make is, if you want to get into dark web investigations, threat intelligence investigations, OSINT investigations of any sort, make sure you balance it with having some interests outside of it. I think a lot of us can relate to the fact that sometimes the subject matter of things that we’ve been engaged with in our careers has not been always the most positive. So I think it’s really, really important to balance your interests, your professional interests and aspirations with this stuff equally, with things that are totally opposite of it. 

Erin: You’ve got to have a sense of humor as well. Some of the stuff you can see on the dark web, it’s not for the faint hearted, which is probably another reason why people ask us to do it. 

Steph: Both make good points. And in addition to the sense of humor, you have to take time for your mental health. Have a sense of humor and take breaks. 


Check out DarkOwl Darknet Services and how our team can be an extension of yours.

DarkOwl Furthers International Relationships at ISS World Asia in Singapore

September 15, 2023

Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Asia. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” 

ISS World events (DarkOwl will be at ISS World Latin America in Panama City in a couple weeks – meet us there!) focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events are dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl at this year’s show was David Alley, CEO of DarkOwl FZE based in Dubai. While at ISS World in Singapore, David lead a seminar on Darknet Intelligence Discovery and Collection, where he demonstrated the importance of darknet data in cyber investigations highlighting the use of DarkOwl Vision UI, and how threat actors on the darknet are evolving in their use of new tools and methodologies.  Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data. Investigating crime on the darknet and deep web poses technical challenges to law enforcement, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information without having to access the darknet directly. Investigators are able to search and compile evidence about persons or subjects of interest, including usernames, aliases, chatroom activity and other potentially incriminating information, and use that data to compile evidence and solve complex crimes. Countries represented at David’s presentation included Malaysia, Bangladesh, Indonesia, Australia, Kenya, Vietnam, and more.

In addition to presenting, David was able to meet with many current customers, partners, and prospects. Attending events is invaluable for face-to-face time, as expressed by David, “these events are excellent for maintaining and building relationships. We had visitors from Singapore, Malaysia, Bangladesh, Indonesia, Australia, Kenya, Vietnam, Kuwait, Saudi Arabia, Estonia, Brunei, Azerbaijan, and Estonia at our booth.” Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Being able to meet with clients provides a great opportunity to share new product features, features in development, gather product feedback, and keep up to date with the latest trends. DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet. 


Interested in learning how DarkOwl can help your cyber investigations? Get in touch.

Doppel Partners with DarkOwl to Provide Actionable Intelligence and Strengthen Digital Security

September 12, 2023

Doppel, a key innovator in digital risk protection, and DarkOwl, the leading provider of darknet data, are thrilled to announce their strategic partnership to provide businesses and organizations with actionable intelligence to protect brands from phishing, counterfeiting, piracy and other digital threats worldwide.

In an increasingly interconnected digital world, where the internet is an integral part of everyone’s personal life and of every organization, the need for comprehensive, actionable threat intelligence has never been more critical. As cyber threat actors evolve in sophistication and cyberattacks increase in frequency, the ability to proactively identify emerging threats is essential to protecting a company’s brand, reputation, clients, and employees.

Through this partnership, Doppel will integrate DarkOwl’s industry-leading darknet intelligence capabilities into its product suite, enhancing its ability to proactively detect and mitigate cyber threats. DarkOwl’s unparalleled access to the darknet, coupled with Doppel’s cutting-edge AI-powered threat detection, will empower organizations to stay one step ahead of cybercriminals.

“We are excited to collaborate with DarkOwl to provide our client base with a comprehensive and holistic digital risk protection solution,” said Kevin Tian, Co-Founder and CEO of Doppel. “Integrating DarkOwl’s darknet data will give our clients further visibility into potential threats, enabling them to proactively secure their assets and mitigate threats.”

DarkOwl’s CEO, Mark Turnage, shared “Partnering with Doppel aligns with our mission to enable organizations with the resources necessary to counteract cyber threats. The combination of DarkOwl’s near-real time darknet data insights and Doppel’s cybersecurity capabilities will enable brands to identify risks and protect themselves against emerging threats.”

About Doppel

Doppel is the leading solution in modern digital risk protection for trusted brands. Our state-of-the-art AI scans over 10 million entities daily across the web, dark web, social media, and app stores, offering unparalleled breadth in detecting digital threats, including piracy, counterfeiting, phishing scams, executive impersonators, and more. Seamless integrations with domain registrars, web hosts, browsers, social media platforms, and digital marketplaces power real-time, continuous, and automated protection, making Doppel the best defense for your organization and your reputation. For more information, check out www.doppel.com.

About DarkOwl

DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

DarkOwl & Datastreamer Join Forces at Big Data London to Showcase The Future of Dark Web Intelligence

September 07, 2023

DarkOwl, a leading provider of darknet data solutions, and Datastreamer, a platform that unifies unstructured data from multiple sources, are excited to announce their joint participation in the upcoming Big Data London 2023 event. The companies will demonstrate how their solution eliminates the data engineering hurdles of harmonizing darknet information with other data for wide-ranging intelligence insights. 

Accelerating Web Data Integration for Intelligence Insights

While DarkOwl delivers comprehensive darknet data to cybersecurity teams and intelligence agencies, Datastreamer automates the data processing that fuses together disparate data for consolidated monitoring. With Datastreamer & DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. 

“Teams engaged in data product development for market insights, investment guidance, and fraud detection are increasingly interested in darknet data.” says David Strucke, CEO of Datastreamer. “It’s an honor for us to partner with a reputed leader in the dark web space to cater to these needs.”

What To Expect At Big Data London 2023

Attendees of Big Data London are invited to stop by the Datastreamer booth – X653, under the Decision Intelligence Theater to see:

  • Live Demonstrations: Watch robust pipelines with darknet and other web data in action – or bring your unstructured data challenges to us and watch data experts craft pipeline solutions on the spot.
  • Data Compliance Discussions: As a featured partner, Private AI will be at the booth to discuss how organizations can utilize data while staying compliant with HIPAA, GDPR, and other regulatory frameworks.
  • Technical Q&A: Engage in insightful dialogue with Tyler Logtenberg, Datastreamer’s VP of Operations, to discover how their platform is reshaping the way organizations use unstructured data.

A Unified Vision of Accessible Data

Considering that up to 90% of data is unstructured and the dark web holds essential information on threats to safety, both Datastreamer and DarkOwl share a vision of making complex data easier to act upon. With a bridge that makes these data types accessible – analysts are equipped with tools that cut out noise to pinpoint relevant information.

“Time is of the essence when it comes to threat detection and mitigation. Reducing the engineering burden of implementing darknet data enables organizations to redirect efforts towards in-depth analysis,” explains Mark Turnage, CEO of DarkOwl. “The technical agility delivered by Datastreamer’s platform will hasten the discovery of emerging threats and existing vulnerabilities aimed at brands or private individuals.”

With the complexity of bad actors operating across various platforms, blending darknet data with other web sources becomes an indispensable tool for a holistic threat assessment.

About Datastreamer

Datastreamer’s unstructured data pipeline platform sets engineering teams free from the most time-consuming aspects of data ingestion and transformation. Founded by data scientists and analytics experts, Datastreamer simplifies the integration of complex data sources that traditional ETL tools don’t support. Organizations are empowered to turn diverse data into ready-to-query insights with fully managed connectors from a network of data partners. As the backbone of industry-leading data products, businesses leverage Datastreamer to train specialized AI models, perform KYC/AML diligence, extract market insights, monitor threat intelligence, and more. For more information, visit www.datastreamer.io.

About DarkOwl

DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, contact us.

A Digital Taliban: Governing and Spying under the Taliban Regime, 2 Years Later

In just under two decades, the Taliban has evolved from insurgents to a hardline ruling group who use social media and technology to suppress the population of Afghanistan. The conservative Muslim group who once banned the internet in 2001 has now harnessed it, prolifically using apps and social media platforms to recruit new members, spread its politics, threaten those speaking out against it, and spy on its own citizens. Highlights in this report from the DarkOwl analyst team include:

  • The Taliban has evolved from an internet-banning insurgency to a hardline ruling group who harness technology to recruit new members, spread its politics, threaten those speaking out against it, and spy on its own citizens. It also uses the internet to attempt to influence international opinion about its rule.
  • As the Taliban establishes its online presence, policy makers and tech experts must work to influence the Taliban to keep the internet open and keep its citizens connected. This is a tough task considering the Taliban’s ideology as well as the practices of surrounding countries, most of which are authoritarian governments with little focus on human rights and free speech. 
  • The world must fight against an isolated Afghanistan, as the Taliban present one public reality which differs vastly from actual daily life and cannot leave Afghan citizens to suffer while also experiencing the brutality of these fundamentalists.

Have any questions for our team? Interested in learning how our analyst team can help your research and investigations? Contact us.

Threat Intelligence RoundUp: August

September 01, 2023

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. US Gov Rolls Out National Cyber Workforce, Education Strategy – Security Week

At the very end of the month, the Biden administration announced the National Cyber Workforce and Education Strategy (NCWES). This comes as the gap in talent needed to fill cybersecurity jobs remains. The new strategy will include a series of “generational investments” to address the cyber workforce needs, starting with education and making training more accessible. Read full article.

2. Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia – The Hacker News

Research has revealed that Space Pirates, a threat actor linked to attacks against at least 16 organizations in Russia and Serbia over the past year, has been harvesting PST email archives and making use of Deed RAT – showing that they are adding new cyber weapons to their TTPs but their main goals are still espionage and theft of confidential information. Read more.

3. Cuba ransomware group observed exploiting high-severity Veeam bug – SC Media

Cuba ransomware group exploits Veeam bug, targets CIKR. The Cuba ransomware group is actively exploiting CVE-2023-27532, which allows for procurement of stored encrypted credentials. Furthermore, their increase of activity allowed for deeper analysis revealing that the ransomware terminates if Russian language packs or the Russian keyboard is detected, likely indicating this is another Russia-based group. Read more.

4. Attackers Dangle AI-Based Facebook Ad Lures to Hijack Business Accounts – Dark Reading

Credentials were stolen after a Facebook advertisement promised to boost business productivity and revenue using the latest trends in AI. TrendMicro discovered the false Facebook pages and alerted Meta, who took the pages down. Clicking on the false ads led unsuspecting users to an LLM-themed website, which then stole cookies, browser information, user access tokens, and other sensitive data. Community researchers compared this latest campaign to the spring 2023 RedLine stealer campaign. Read full article.

5. Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware – The Hacker News

Syrian threat actor EVLF reportedly authored several Android remote access trojans (RATs) which he sold on a marketplace since 2022. The RATs can control device cameras and microphones. EVLF runs several Telegram channels in addition to selling on marketplaces. He posted on 23 August 2023 that he would be shutting down, presumably after being publicly outed by the media. Read more.

6. North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns – The Hacker News

The US FBI issued a statement indicating that individuals linked with North Korea could make efforts to convert pilfered cryptocurrency valued at over $40 million into actual funds. They attributed the blockchain activity to TraderTraitor, aka Jade Sleet. Read full article.

7. CISA Adds One Known Exploited Vulnerability to Catalog – CISA

CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability has been added. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.