Author: DarkOwl Content Team

[Developing] BreachForums’ Alleged Admin Pompompurin Arrested, Dark Web Reacts

Last Updated 28 March 2023 – 23:09 UTC

Connor FitzPatrick Appears in Court

Last week we reported that an individual alleged to be the administrator of the dark web forum BreachForums was arrested in New York. On Friday, March 24, Connor FitzPatrick appeared in court charged with facilitating the unauthorized purchasing and selling of stolen identification documents, unauthorized access devices, unauthorized access to victim computer systems and login credentials.

What is really interesting is how the FBI were able to identify FitzPatrick as Pompompurin. It seems from the affidavit provided in court that FitzPatrick made several mistakes that ultimately led to his downfall, proving that human error is a big factor in the attribution of cyber criminals.

FitzPatrick logged on to both BreachForums and its predecessor RaidForums from IP addresses registered to his parents’ home address. Furthermore, he also accessed these forums, and cryptocurrency wallets funded exclusively by the bitcoin address linked to Pompompurin’s account, from a mobile device registered in his name. What’s more, FitzPatrick provided his real email address to the admin of RaidForums as proof that a breach he had purchased was not complete. Although he stated that this was not his address, the FBI identified it when they seized RaidForums in early 2022.

Upon his arrest, FitzPatrick claimed that he earned approximately $1,000 a day from his activities on BreachForums, which he mainly used to maintain the forum – one wonders if this was worth the 5 years in prison he is likely to receive.


March 21, 2023

Almost exactly a week ago, on March 15, 2023, an admin of the popular darknet and deep web site BreachForums who goes by the alias Pompompurin was arrested in Peekskill, NY. In this blog, DarkOwl analysts review what has happened to date and will continue to monitor the situation and update this blog accordingly.

Pompompurin Identified and Arrested

Pompompurin has been identified as US citizen Conor Brian FitzPatrick. FitzPatrick was charged with one count of conspiracy to commit access device fraud and bail was set at $300,000 – paid for by his parents. 

After news of the arrest broke publicly on March 17th, the reaction on BreachForums was quick, with members scrambling to find out what had happened and concern that the forum had been taken over by the FBI in a similar way to what happened with RaidForums. RaidForums was seized by the DOJ in April 2022 and had been taken over by them prior to the announcement of the arrest of the alleged administrator “Omnipotent” – Diego Santos Coelho.

Thread chatter on the soon-to-be defunct forum revealed members questioning if the news of Pompompurin’s arrest was real – even pointing to his user activity showing as “away” for the 48 hours beforehand as evidence that the news was in fact accurate.

Figure 1: Users on BreachForums discussing the news announcement of its administrator’s arrest, Source: DarkOwl Vision

The users of BreachForums, while still discovering that Pompompurin had been arrested, wanted to know if they could delete their accounts to avoid meeting the same fate. They posted elements of the reporting as well as details of FitzPatrick’s true identity.

Figure 2: Users of BreachForums discussing the arrest, Source: BreachForums

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, and allowed users to buy and sell data which had been obtained through illegal means. The admins of the site ran an escrow service ensuring that sellers received the funds that they had requested. The site was widely used by cybercriminals to purchase stolen data and hosted controversial leaks such as data stolen from the Washington DC healthcare exchange. 

Pompompurin was also known to conduct cyber-attacks himself, admitting in an interview with Brian Krebs in November 2021 that he was responsible for sending fake emails using the fbi.gov domain. He claimed at the time that this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI’s radar, leading to his recent arrest.

Interestingly, when Pompompurin was arrested, he admitted to his role as admin on BreachForums and to the use of this alias.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias ‘pompourin,’ and c) he was the owner and administrator of ‘BreachForums,’ the data breach website referenced in the Complaint,” FBI special agent John Longmire testified.

This fact does not appear to have been looked on favorably by users of his forum, with discussions turning to how to evade the FBI by living in a different country than the US and not attacking US companies from within the US.

Figure 3: Discussions on how to evade the FBI, Source: BreachForums

On the other side, numerous users appeared to have some sympathy for “Pom” (as he is commonly referred to), with some stating that he was one of the nicest admins they had ever worked with and that he would delete accounts if you asked nicely.

One user even volunteered to take responsibility for any content they hosted on the dark web forum, ostensibly to alleviate potential legal trouble on Pom’s behalf.

Others offered to support him financially in his time of legal trouble.  

Figure 5: Users voice words of support among the fallout, Source: BreachForums

Discussion also centered around how the FBI were able to identify the true identity of Pom, with fingers pointed at an open source intelligence company with which Pom had apparently registered, and threats made to attack that company.

They also showed concern about whether Pompompurin would share any information or become an informant for the “feds”, with users worried that their registration information would be found by the FBI.

BreachForums had a co-admin who indicated that the FBI may have been able to access the systems if Pompompurin had shared access information or left his computer open when his parents’ home was raided.

Figures 6 and 7: More chatter around the potential fallout – including FBI involvement, Source: BreachForums

It was quickly shared that all of Pompompurin’s access had been disabled and that the co-admin was checking to see if they could confirm that the FBI were able to infiltrate the site. 

Figure 8: BreachForums’ co-admin chatting about checking FBI access, Source: BreachForums

While the discussions remained largely focussed on potential risks for the remaining active users, others continued to point to a grassroots effort to protect Pom from law enforcement operations.

Figure 9: Discussions around how to remove logs and other digital evidence tying Pompompurin to BreachForums, Source: DarkOwl Vision

On Sunday the admin “Baphomet” announced that he would be closing down BreachForums as he was concerned that the FBI did in fact have access. He posted on the group’s Telegram channel as well as posting a more complete message explaining his decision.

Figure 10: BreachForums closing down announcement, Source: Telegram

Interestingly, he stated that the Telegram channel would remain in operation and that he was looking to create new infrastructure to replace BreachForums, even working with competitor marketplaces. As of writing, the onion site has been taken down and is unreachable.


DarkOwl will continue to monitor the dark web and adjacent sources such as Telegram to identify any new or emerging groups and sites which may take the place of BreachForums. Stay up to date.

DarkOwl Presents on Darknets at Digipol

March 17, 2023

Last week, DarkOwl participated in Digipol 2023 in Hyderabad, India. Digipol’s mission is to “internetwork the law enforcement and defence agencies with right security solutions being delivered by various technology developers from all over the world.” The summit focuses on education and on exploring advancements and innovations in the cyber security space, with a focus on law enforcement agencies and defense organizations, so that they can keep the world safe and secure. It is open only to those in the police and defense space, not to the public, allowing true knowledge transfer.

Representing DarkOwl were David Alley, CEO of DarkOwl FZE, based in Dubai, and Ramesh Elaiyavalli, CTO of DarkOwl, based out of DarkOwl’s headquarters in Denver, CO.

Throughout the event, there were several technology sessions highlighting key advancements and technology solutions. Speakers included those from law enforcement, defense agencies, and security industry experts. Digipol takes a very strategic approach, focusing on providing first class education and practical demonstrations on top law enforcement topics and issues to promote technologies and innovations in a way that law enforcement agencies and defense agencies can adopt and adapt to better their cyber investigations and capabilities.

Digipol is a great networking opportunity to interact with key figures in national and public safety, with almost all states and union territories of India present, whether it be at the booth, a training session or presentation. David Alley shared, “Digipol is a great balance between training, education and networking. Not only did we get to meet many new faces, but seeing so many clients present was a great benefit for us.”

Presentation: DarkNet Primer and Intelligence Use Cases

In addition to networking and promoting DarkOwl at the booth, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies. Many of the attendees expressed that they were unaware how many darknets there are – confirmation that having a platform like Digipol to share this information is essential to continuing darknet education.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. Vision provides a user friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.

DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into. DarkOwl was proud to be able to share our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet.  


DarkOwl looks forward to continuing their presence at Digipol events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

[On Demand Webinar] Top Trends and Predictions in Open Source Intelligence

March 16, 2023

In 2023, OSINT will continue to quickly evolve as investigators across a myriad of industries seek to disrupt crime, fraud, and threats. To help OSINT practitioners understand what to expect for 2023 and beyond, two respected leaders in the industry will share their predictions about what’s on the horizon for open-source intelligence.

In this webinar, originally held March 14, Rob Douglas, Co-Founder & CEO of Skopenow, and Mark Turnage, Co-Founder & CEO of DarkOwl, will share their insights on emerging threats and the latest OSINT tools and techniques to detect and prevent them.


DarkOwl Grows International Presence at ISS World Middle East & Africa

March 10, 2023

Last week, DarkOwl participated in ISS World Middle East & Africa in Dubai, UAE. ISS World Middle East & Africa describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering,” making it the ideal event for DarkOwl to grow our international presence, build relationships in person and spread the importance of darknet data to the international intelligence and law enforcement communities.

ISS World takes pride in focusing on education and training covering the areas of law enforcement, public safety, and government and private sector intelligence communities, with a full day dedicated solely to seminars led by law enforcement officers and Ph.D. scientists. Talks throughout the event cover topics ranging from how to use cyber intelligence to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other illicit activities.

Representing DarkOwl at ISS World Middle East were David Alley, CEO of DarkOwl FZE, based in Dubai, and Damian Hoffman, Product Engineer and Data Analyst, out of DarkOwl’s headquarters in Denver, CO.

Networking with cybersecurity professionals from around the world and connecting face to face is one of the true benefits of this show. David and Damian had people from United Arab Emirates, Qatar, Jordan, Egypt, Iraq, Morocco, Turkey, Latvia, Lithuania, Azerbaijan, Romania, Ukraine, Pakistan, India, Bangladesh, Indonesia, Malaysia, China, United States, Spain, UK, Germany, Italy, Ireland, Israel, Uganda, Rwanda, Tanzania, South Africa, Angola, Kenya, Zambia, and Australia all visit the DarkOwl booth. International shows demonstrate that cyber security is a global problem; no company and no government is immune to the potential risks associated with the world going truly digital. Damian Hoffman noted that there were “nonstop conversations all day,” covering how DarkOwl data relates specifically to cryptocurrency addresses, Telegram, ransomware groups, stealer logs, data integration and more. The quality of conversations and questions shows that the darknet is a top concern amongst the security and intelligence communities.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

In addition to networking and promoting DarkOwl at the booth, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. Vision provides a user friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into.

If you are in Dubai and want to meet with DarkOwl, you are in luck! We will be at GISEC Global next week (March 14-16). Stop by Stand C 102, Hall 5 or request time to chat with us below!


DarkOwl looks forward to continuing their presence at ISS World events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

HWG Renews DarkOwl Partnership to Give Clients Continued Access to Sophisticated Dark Web Monitoring

February 16, 2023

Denver, CO – February 16, 2023 – Denver-based dark web data provider DarkOwl is proud to announce the renewal of their partnership with HWG, an Italian-headquartered cybersecurity company that specializes in providing analyst driven cybersecurity solutions and consulting services.

HWG maintains a team of cybersecurity experts to monitor customer digital environments in order to prevent, detect, analyze, and respond to cyber threats. In continuing to partner with DarkOwl, the industry leader in actionable dark web data, HWG is able to offer deep insight into darknet intelligence while monitoring companies’ information systems, detecting anomalies, and containing and responding to cyberattacks.

HWG has used DarkOwl’s darknet data for critical insights such as:

  • Credential Leakage: proactive monitoring of customer-related domains to identify possible compromised credentials on the dark web.
  • Company Reputation: proactive monitoring of brands to understand if there are targeted arguments containing possible related risks.
  • VIP Exposure: proactive monitoring of names and emails of the client’s C-level employees.

Per a statement from HWG CEO Enrico Orlandi, this continued partnership is largely because HWG considers DarkOwl to be an important ally in their mission to fight against cybercrime and protect their customers from potential attacks.

“It is essential for our business to have partners that allow us to offer our clients a top-quality service,” Orlandi announced. “DarkOwl is one of these partners thanks to their extensive knowledge of the darknet and the massive database of dark web content. Their data is critical for us to provide and improve a service that truly matches the needs of businesses to prevent and mitigate cyberattacks.”

Mark Turnage, CEO of DarkOwl, also commented “By renewing this partnership, HWG is demonstrating to their customers that they are committed to offering the most sophisticated cybersecurity solutions to support their suite of services through the Security Operations Center.”

About HWG 

Founded in 2008, HWG provides cyber security operations and consulting services to large and midsize enterprises with advanced security requirements that do not plan to keep security expert teams and infrastructure in-house. As a trusted security provider for companies in over 20 countries, HWG knows how to improve cybersecurity resilience even across complex and sensitive environments such as financial, automotive, industrial, telecom and others. For more information, visit https://www.hwg.it/en

About DarkOwl 

DarkOwl uses machine learning and human analysts to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

DarkOwl Represents Darknet Data at CyberTech Global

February 10, 2023

Last week, DarkOwl participated in CyberTech Global in Tel Aviv, Israel, where cyber industry executives, government officials, and decision makers from a range of sectors, including critical infrastructure, insurance, retail, health and government, defense, R&D, manufacturing, and automotive, gather from all around the world. This event showcases the latest technology, innovations and trends in the cyber security space. CyberTech describes itself as “the cyber industry’s foremost B2B networking platform conducting industry-related events all around the globe.” Their events take place around the world, from Tel Aviv and Rome to Tokyo, Singapore, Panama, and more. The DarkOwl team was thrilled at the opportunity to sponsor this year and represent the importance of actionable darknet data in any security posture, product or tool.

“Cyber. We live it. Breathe it. All at the forefront of global innovation.” – CyberTech Global

CyberTech Global proved to be a great event for networking and meeting key players in cyber from multinational corporations, startups, and government agencies. As companies and individuals continue to go digital, cyber attacks and criminals become more sophisticated, and it is imperative that the industry continues to work together and innovate to combat cybercrime. Representing DarkOwl at CyberTech Global was President and CFO, Russell Cohen, based out of DarkOwl’s headquarters in Denver, CO and David Alley, CEO of DarkOwl FZE based in Dubai.

CyberTech Global is truly a global conference, with countries from all over the world presenting throughout the week. There were representatives from Israel, the United States, Canada, the United Arab Emirates, Morocco, Thailand, the United Kingdom, Italy, Rwanda, Japan, Belgium, Greece, and several more. They covered topics ranging from cyber war to application security, cyber and human rights to API security, and supply chain security to cloud security. According to CyberTech Global, this 2023 event in Tel Aviv was record breaking in terms of attendance! CyberTech Global provided endless networking opportunities and the ability to focus on person to person relationship building.

Russell Cohen, CFO and Co-Founder of DarkOwl, noted “Everyone who came to our booth knew about the darknet. I mean everyone; high school, college students, and retired army or former cybersecurity professionals. All knew about what made the darknet unique.” This supports DarkOwl’s mission of being the leading provider of actionable darknet data; our passion, our focus, and our expertise is the darknet. Having access to darknet data is no longer a “nice to have”; it is essential for analysts and cyber security leaders alike to inform sophisticated cybersecurity programs and decisions. It is a necessity to monitor the darknet for direct or potential threats to businesses in order to take action to prevent potentially devastating cybersecurity incidents.


DarkOwl looks forward to continuing their presence at CyberTech Global events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

Threat Intelligence RoundUp: January

February 01, 2023

Starting this year, our analyst team decided to share a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. New Dark Pink APT Group Targets Govt and Military with Custom Malware – Bleeping Computer

A new advanced threat actor known as Dark Pink or Saaiwc is using custom malware to steal confidential information, including microphone recordings, and spread malware by USB. Initial attack vectors include phishing emails disguised as job applications to prompt the victim to download a malicious ISO file. One attack chain deploys Cucky or Ctealer information stealers, and another uses a custom DLL side-loading procedure with a custom malware named KamiKakaBot. Read full article.

2. Emotet Malware Makes a Comeback with New Evasion Techniques – The Hacker News

Notorious Emotet malware has new detection-evasion techniques, including an SMB spreader for lateral movement using hard-coded usernames and passwords, and a Chrome browser-targeting credit card stealer. Emotet first appeared as banking trojan malware in 2014, was taken down by authorities in 2021, but came back later that same year. It is considered an APT (advanced persistent threat), is typically distributed via phishing, and is modular. Macros can no longer be used for payload distribution and the initial infection since Microsoft has blocked them by default. The new method has victims move decoy Microsoft Excel files to the default Office Templates folder, from which Emotet is distributed because the system already trusts that location. Read more.
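The Templates-folder trick above leaves a simple trace for defenders: an Office document being written into the Office Templates directory by something other than Office itself. The following is an added detection example (not from the article or from any vendor tool); the Templates paths and the Sysmon-style JSON event layout are assumptions, and the log lines are constructed.

```python
"""Flag Office documents copied into the Office Templates folder.

Added example: the Emotet lure described above asks the victim to move a
decoy Excel file into the default Office Templates folder, a location Office
treats as trusted. This scans constructed file-creation events (Sysmon
Event ID 11 style, one JSON object per line) for that pattern.
The Templates paths below are an assumption about the default install layout.
"""
import json
import ntpath

# Assumed default Office Templates locations (not stated in the article).
TEMPLATE_DIRS = (
    r"c:\program files\microsoft office\root\templates",
    r"c:\program files (x86)\microsoft office\root\templates",
)
OFFICE_EXTS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".xltm",
               ".doc", ".docx", ".docm", ".dotm"}
# Office and its installer legitimately write into Templates; Explorer
# (a user dragging a downloaded attachment there) is the pattern of interest.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "officeclicktorun.exe", "msiexec.exe"}


def is_template_drop(event: dict) -> bool:
    """True when a non-Office process creates an Office document under Templates."""
    if event.get("EventID") != 11:          # Sysmon FileCreate
        return False
    target = event.get("TargetFilename", "").lower()
    if ntpath.splitext(target)[1] not in OFFICE_EXTS:
        return False
    if not any(target.startswith(d + "\\") for d in TEMPLATE_DIRS):
        return False
    image = ntpath.basename(event.get("Image", "").lower())
    return image not in OFFICE_IMAGES


def scan(lines) -> list:
    """Return the suspicious events from an iterable of JSON log lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                        # malformed line: skip, do not crash the scan
        if is_template_drop(event):
            hits.append(event)
    return hits


# Constructed sample events: one user copy into Templates (should fire),
# one Excel-originated template save, one ordinary download, one non-file event.
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Templates\\invoice_2023.xlsm"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Templates\\Book1.xltm"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice_2023.xlsm"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("suspicious template drop:", hit["Image"], "->", hit["TargetFilename"])
```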

3. Too Many Default ‘admin1234’ Passwords Increase Risk for Industrial Systems, Research finds – CyberScoop

Recent research shows that critical infrastructure companies, most of which are privately owned, are lacking in cybersecurity best practices, resulting in major concern from the Biden administration as critical infrastructure companies operate in almost all aspects of our daily lives. Read more.

4. FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft – The Hacker News

The FBI confirms that North Korean hackers from Lazarus Group and APT38 stole $100 million in cryptocurrency from Harmony’s Horizon Bridge. APT38 is known to specialize in financial cyber operations and is considered a North Korean state-sponsored actor. The initial attack vector involved social engineering employees via what appeared to be a recruitment effort; the employees would then download the “rogue” applications. Part of the funds have since been frozen. The remaining BTC was transferred to 11 separate wallets controlled by the actor. The actor attempted obfuscation by transferring to the Avalanche, Ethereum, and Tron networks. Read full article.

5. Hackers Now Use Microsoft OneNote Attachments to Spread Malware – Bleeping Computer

Microsoft OneNote is installed by default and included with Microsoft Office 2019 and Microsoft 365. It is being used by threat actors to attach remote access malware and infect victims’ devices via phishing emails. The malware is reportedly capable of lateral movement for further infection, stealing passwords, and stealing cryptocurrency wallets.

The phishing emails have appeared as fraudulent DHL shipping notifications and shipping documents, invoices, ACH remittance forms, and mechanical drawings. OneNote does not support macros but lets users insert attachments into a notebook. When the attachment in the notebook is double-clicked, it launches. Threat actors exploit this feature by “attaching malicious VBS (Visual Basic Script) attachments.” When these VBS attachments are double-clicked they will, on their own, launch the script to download and install malware from a remote site. Read here.
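Because OneNote stores every inserted attachment as a plain FileDataStoreObject (the MS-ONESTORE structure: a header GUID, an 8-byte length, 12 bytes of padding, the raw bytes, then a footer GUID), a mail gateway or analyst can list a notebook's attachments and flag script content before anyone double-clicks it. The following triage routine is an added example (not from the article or from Microsoft); the sample notebook bytes, the filler "section header" and the signature list are constructed here.

```python
"""Triage embedded files inside a OneNote (.one) section.

Added example: walks the FileDataStoreObject records in a .one blob and
reports each embedded file's size plus any script/executable traits.
The sample notebook at the bottom is constructed, not a real malicious file.
"""
import struct
import uuid

# FileDataStoreObject framing (MS-ONESTORE 2.6.13). GUIDs are stored little-endian.
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8   # guidHeader + cbLength + unused + reserved

# Content traits a shipping notice or invoice has no business carrying.
# Constructed signature list, deliberately small; extend for your environment.
SUSPICIOUS = (
    (b"MZ", "PE executable"),
    (b"CreateObject(", "VBScript/JScript object creation"),
    (b"WScript.Shell", "WScript.Shell use"),
    (b"powershell", "PowerShell invocation"),
    (b"<!DOCTYPE html", "HTML (possible HTA)"),
)


def extract_embedded_files(data: bytes) -> list:
    """Return the payload bytes of every FileDataStoreObject found in the blob."""
    payloads = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_PREFIX_LEN > len(data):
            break                                   # truncated header
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_PREFIX_LEN
        end = start + cb_length
        if end > len(data):
            break                                   # length runs past the file: corrupt or crafted
        payloads.append(data[start:end])
        pos = data.find(FDSO_HEADER, end)
    return payloads


def classify(payload: bytes) -> list:
    """Name the suspicious traits in one payload (empty list means nothing flagged)."""
    head = payload[:4096].lower()                   # traits of interest sit near the start
    return [label for sig, label in SUSPICIOUS if sig.lower() in head]


def triage(data: bytes) -> list:
    """Summarise each embedded file as {'size': n, 'flags': [...]}."""
    return [{"size": len(p), "flags": classify(p)} for p in extract_embedded_files(data)]


def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes in FileDataStoreObject framing; used only to build the constructed sample."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed sample: a PNG-looking stub (benign) and a VBScript-style stub (flagged).
BENIGN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
SCRIPT_TEXT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "powershell"\r\n'
SAMPLE_NOTEBOOK = (
    b"\0" * 64                                     # filler standing in for the section header
    + build_fdso(BENIGN_IMAGE)
    + b"\0" * 16
    + build_fdso(SCRIPT_TEXT)
)

if __name__ == "__main__":
    for i, rec in enumerate(triage(SAMPLE_NOTEBOOK)):
        print(f"attachment {i}: {rec['size']} bytes, flags={rec['flags'] or 'none'}")
```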

6. Dridex Malware Now Attacking macOS Systems with Novel Infection Method – The Hacker News

A variant of the Dridex banking malware, associated with EvilCorp, has been observed using a new infection method to target macOS systems. Microsoft blocks macros by default. A Mach-O executable file overwrites all the user’s document files, which can then act as carriers for Dridex’s malicious macros. Read full article.

7. Iranian Government Entities Under Attack by New Wave of Backdoor Diplomacy Attacks – The Hacker News

The Iranian government experienced cyberattacks by the threat actor BackdoorDiplomacy between July and December of 2022. In addition, the threat actor has been tied to a number of cyber attacks targeting government entities since 2010. Read more.

8. CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems – The Hacker News

On January 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems (ICS) advisories for Siemens, GE Digital and Contec products. Less than a week earlier, CISA had released 12 other alerts impacting Sewio, InHand Networks, Sauter Controls, and Siemens. Read more.

9. Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App – The Hacker News

Analysis reveals loopholes in the cryptographic protocols of Threema. These include an adversary impersonating a client, cloning the victim’s account, recovering private keys, and more. The company has countered, saying that while the findings are interesting theoretically, in most cases the prior steps needed to carry out the attacks would have larger ramifications than the findings. Read here.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Data Privacy: The Basics

January 27, 2023

According to a 2022 poll by Ipsos, 84% of Americans are highly concerned about their personal data safety and privacy on the internet. Further, 37% reported that they have fallen victim to an online data breach. More specifically, 86% of Americans believe that businesses and organizations collect more information than they need and 51% are worried that this data could fall into the wrong hands.

Given the growing concern Americans have regarding data privacy as shown in the statistics above and in honor of data privacy week, our analysts decided to shed some light on what data privacy is, why it is important to understand, the role the darknet plays in data privacy and how DarkOwl views data privacy. According to the National Cybersecurity Alliance, the goal of Data Privacy Week is to spread awareness about online privacy – data privacy should be a priority both for individuals and organizations. 

An Intro to Data Privacy 

According to the Storage Networking Industry Association “data privacy, sometimes also referred to as information privacy, is an area of data protection that concerns the proper handling of sensitive data including, notably, personal data but also other confidential data, such as certain financial data and intellectual property data, to meet regulatory requirements as well as protecting the confidentiality and immutability of the data.” 

Personal data or Personally Identifiable Information (PII) is data tied to a specific individual that could potentially identify them. This would include one’s social security number, address, contact information, medical records, online behavior and more. Data privacy is the idea that an individual can decide what personal information to share and with whom. 

As the internet plays a vital role in our daily lives, the importance of data privacy continues to increase. Understanding what you are sharing and how that information is being used is increasingly vital to ensure your data is protected.

Cybercriminals Are After Your Personally Identifiable Information (PII)

A recent study conducted by Imperva revealed that 42.7% of the time, hackers go after personally identifiable information (PII). The number of compromised records year-over-year has grown 224% since 2017 and cybercriminals target PII on the darknet, as it is the most valuable information to then commit fraud or identity theft. The darknet continues to grow at an alarming rate, and as the darknet data market grows with increased product variety and volume, prices fall.

PII and Credentials

DarkOwl’s Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

The data stored in DarkOwl’s repository offers a stark glance into the vast amount of PII exposed on the darknet and deep web. As of time of publishing, DarkOwl’s database contains:

  • 392,474 Unique social security numbers
  • 9,333,991,605 Email Addresses
  • 2,543,145,887 Unique email addresses with associated passwords 
  • 1,974,025,999 IP Addresses
  • 16,725,211 Credit Card Numbers
Figure 1: Example of PII being offered for sale on a Tor darknet site, including Social Security Numbers, Source: DarkOwl Vision
Figure 2: Example of Corporate Gmail accounts being sold for as little as $13.16 USD on a darknet marketplace, Source: DarkOwl Vision

Exploitable Financial Banking/Credit Card Info

Figure 3: Breakdown of exposed Credit Card Numbers in DarkOwl’s data by type, Source: DarkOwl Vision

One of the ways that threat actors leverage the trove of PII on the darknet – including credential, healthcare, and account data – is to cross-reference it with other, potentially unconnected information (such as credit card numbers) to piece together and exploit payment information. This often includes hacked and verified credit cards, some of which come with a pre-disclosed balance.

DarkOwl frequently observes these types of items for sale on darknet marketplaces, as pictured here.

According to a recent study by Privacy Affairs, credit card data, such as a Walmart account with credit card information, can be purchased for just $10, and US credit card details with CVV for just $17.

By having visibility into the data exposed on the darknet, businesses can ensure their clients’ and customers’ PII is not being exploited for financial gain.

Figure 4: Sample of average cost per sale of credit card information on dark web, Source: Privacy Affairs
Figure 5: Example of multiple accounts and credit card/financial assets for sale – likely as the result of threat actors taking advantage of various instances of leaked data, Source: DarkOwl Vision

Tips to Protect Your Data 

For Individuals

The National Cybersecurity Alliance provides lots of tips and tricks to help individuals protect and manage their personal data, from adjusting privacy settings to turning on multi-factor authentication (MFA) and how to identify phishing messages. This article from CyberNews also provides tips and free tools to protect your data.

Some tips from DarkOwl analysts: 

  • Don’t reuse passwords across different accounts 
  • One in five passwords is “easy to guess” – make sure your password does not include personal information such as birth dates or family names. 
  • Use a password manager that generates complex passwords for you, such as LastPass, Bitwarden, or 1Password
  • Use multi-factor authentication (MFA) for important accounts like financial and banking sites
  • Follow this step-by-step guide to removing your personal info from common web directories such as ZoomInfo and Whitepages.com
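The first two tips (no reuse across accounts, no personal information such as birth dates or family names) can be enforced mechanically at the moment a password is chosen. The Go program below is an added example written for this post; it is not DarkOwl's code nor any password manager's. The profile, the per-user salt and the list of previously used passwords are constructed sample values, and the 12-character minimum is an assumed policy, not one the post states.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Profile holds the personal details a password must not contain. The
// values used in main are constructed for this example.
type Profile struct {
	Names     []string // family names, nicknames, pet names
	BirthDate time.Time
}

// dateTokens renders a birth date the ways people tend to type it into
// passwords; for 15 March 1988: 1988, 0315, 1503, 19880315, 03151988, 15031988.
func dateTokens(d time.Time) []string {
	return []string{
		d.Format("2006"), d.Format("0102"), d.Format("0201"),
		d.Format("20060102"), d.Format("01022006"), d.Format("02012006"),
	}
}

// fingerprint is a salted SHA-256 so previously used passwords can be
// compared against without keeping them in clear text.
func fingerprint(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	return hex.EncodeToString(sum[:])
}

// CheckPassword returns the reasons a candidate violates the advice above:
// reuse across accounts, personal information, or plain shortness. An
// empty result means the candidate passed.
func CheckPassword(candidate string, p Profile, previous map[string]bool, salt string) []string {
	var findings []string
	lower := strings.ToLower(candidate)

	// Reuse: the same password (by salted hash) is already used elsewhere.
	if previous[fingerprint(salt, candidate)] {
		findings = append(findings, "reused: identical to a password used on another account")
	}
	// Personal information: family names and birth-date fragments.
	for _, name := range p.Names {
		n := strings.ToLower(strings.TrimSpace(name))
		if len(n) >= 3 && strings.Contains(lower, n) {
			findings = append(findings, "contains personal name: "+name)
		}
	}
	for _, tok := range dateTokens(p.BirthDate) {
		if strings.Contains(lower, tok) {
			findings = append(findings, "contains birth-date fragment: "+tok)
		}
	}
	// Length floor (assumed policy); the checks above say nothing about short passwords.
	if len(candidate) < 12 {
		findings = append(findings, "shorter than 12 characters")
	}
	return findings
}

func main() {
	profile := Profile{ // constructed sample profile
		Names:     []string{"Rivera", "Okafor"},
		BirthDate: time.Date(1988, 3, 15, 0, 0, 0, 0, time.UTC),
	}
	salt := "per-user-salt" // constructed; a real vault stores one random salt per user
	previous := map[string]bool{fingerprint(salt, "Correct-Horse-Battery-9"): true}
	for _, pw := range []string{"Rivera1988!", "Correct-Horse-Battery-9", "tR9#vL2$qW8&pZ4m"} {
		fmt.Printf("%-26q -> %v\n", pw, CheckPassword(pw, profile, previous, salt))
	}
}
```

The reuse check deliberately compares salted hashes rather than the passwords themselves, so the same routine can run inside a password manager or an identity provider without the earlier passwords ever being held in clear text.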

For some interesting statistics around passwords, check out our infographic; for more information on password best practices, check out our blog.

For Businesses

For businesses, the Federal Trade Commission provides a great resource when it comes to protecting the personal information of their employees and customers, as almost all companies keep some level of personal information in their files. If this information is leaked or falls into the wrong hands, there is a large risk of reputational and financial loss, not to mention lawsuits. As the FTC states, “safeguarding personal information is just plain good business.”

Additional tips from DarkOwl’s IT and Security Teams center around homing in on what matters most to your business. For example, a company that houses large quantities of sensitive customer data in-house will likely need to focus on safeguarding that information via internal measures to a greater extent than a company that works with third party companies to store such information. In the latter case, a greater emphasis may be placed on managing potential risks to the vendor storing this customer data, as well as putting additional restrictions around email communications and network privileges granted to that vendor.

Phrased differently, in order for companies to keep their data safe, security teams need to audit and assess which data is the most vital to the operations and privacy of the organization and its customers, as well as what type of data that is. Once determined, businesses should:

  • Control access to that data by implementing least privilege access measures
  • Encrypt it
  • Install an alerting system that logs actions and can alert the appropriate people on events

Further recommendations include:

  • Implement security training across the company
  • Physically safeguard any data you house on premises
  • Move to the cloud
  • Monitor third-party access
  • Keep software up to date
  • Routinely check industry standards
    • Security Technical Implementation Guides (STIG)
    • National Institute of Standards and Technology (NIST)
    • Institute of Electrical and Electronics Engineers (IEEE)
    • Open Web Application Security Project (OWASP)
    • International Organization for Standardization (ISO 2700)
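The three steps listed first (control access by least privilege, encrypt the data, log and alert on access) fit together in one small service. The Go program below is an added illustration, not DarkOwl's own code: a record vault with an explicit role allow-list, AES-256-GCM encryption of each record, an audit line for every decision, and an alert after a constructed threshold of three consecutive denials. The key, the record and the principals are constructed sample values, and key custody (a KMS or HSM) is assumed to exist outside the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Role is the smallest set of rights a job function needs (least privilege).
type Role int
type Action string

const (
	RoleSupport Role = iota // may open tickets; never reads raw PII
	RoleAnalyst             // may read a decrypted record
	RoleAdmin               // may also delete records
)
const ActionRead, ActionDelete Action = "read", "delete"

// permissions is an explicit allow-list; anything not listed is denied.
var permissions = map[Role]map[Action]bool{
	RoleSupport: {},
	RoleAnalyst: {ActionRead: true},
	RoleAdmin:   {ActionRead: true, ActionDelete: true},
}

// alertAfter is the constructed number of consecutive denials that pages a human.
const alertAfter = 3

// Vault keeps customer records encrypted with AES-256-GCM and logs every
// access decision. Key custody (a KMS or HSM) is assumed to sit outside it.
type Vault struct {
	aead   cipher.AEAD
	data   map[string][]byte // record id -> nonce || ciphertext
	denied map[string]int    // consecutive denials per principal
	Audit  []string          // one line per access decision
	Alerts []string
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, data: map[string][]byte{}, denied: map[string]int{}}, nil
}

// Put encrypts a record under a fresh random nonce and binds the record id as
// associated data, so a ciphertext cannot be moved between ids.
func (v *Vault) Put(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.data[id] = append(nonce, v.aead.Seal(nil, nonce, plaintext, []byte(id))...)
	return nil
}

// Access enforces the allow-list, records the decision, and raises an alert
// once a principal has been denied alertAfter times in a row.
func (v *Vault) Access(principal string, role Role, action Action, id string) ([]byte, error) {
	allowed := permissions[role][action]
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s %s allowed=%v", principal, action, id, allowed))
	if !allowed {
		v.denied[principal]++
		if v.denied[principal] >= alertAfter {
			v.Alerts = append(v.Alerts, fmt.Sprintf("ALERT: %s denied %d times in a row", principal, v.denied[principal]))
		}
		return nil, errors.New("access denied")
	}
	v.denied[principal] = 0
	blob, ok := v.data[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	if action == ActionDelete {
		delete(v.data, id)
		return nil, nil
	}
	ns := v.aead.NonceSize()
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

func main() {
	v, _ := NewVault(make([]byte, 32))         // constructed all-zero key; real keys come from a KMS
	v.Put("cust-1", []byte("ssn=000-00-0000")) // constructed sample record
	for i := 0; i < alertAfter; i++ {
		v.Access("support-bob", RoleSupport, ActionRead, "cust-1")
	}
	pt, _ := v.Access("analyst-ann", RoleAnalyst, ActionRead, "cust-1")
	fmt.Println(string(pt), v.Alerts)
}
```

The point of the allow-list is that a support role has no entry at all, so a support account reading raw PII is not a policy question but a denied event in the audit trail, and three such denials in a row are exactly what the alerting step should surface to a person.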

DarkOwl’s Stance on Data Privacy

DarkOwl considers data privacy to be a paramount aspect of a business’s cybersecurity posture. To put this into practice, we have continually invested in technologies and practices that ensure both our internal system data and all information related to our clients and partners are highly protected.

For example, customer search and query information processed by DarkOwl’s API offerings is not saved or logged for any period. Furthermore, all end-user login information is safeguarded in accordance with the most up-to-date privacy and security recommendations, including least privilege access parameters as well as other measures that minimize human risk.

Of additional note, none of the data we collect is purchased or illegally obtained, making DarkOwl the most prolific darknet dataset on the market that does not enable or perpetuate cybercrime. You can find out more about where we get our data here.


To learn more about how your business can protect the PII of its customers, prospects, and employees, contact us.

What is Retail Fraud?

January 25, 2023

The simplest way to describe retail fraud is theft from a commercial retail establishment resulting in financial loss and harm to the retailer. Retail fraud is a criminal offense, and there are myriad ways it can occur, both physically in a store and virtually online. With a shift towards more e-commerce-centric shopping environments, virtual retail fraud at scale has surged, and darknet cyber criminals are at the crux of this fraud economy. In this blog, DarkOwl analysts review some of the most popular methods in use by cyber criminals and the retail fraud related discussions observed in underground criminal networks.

Purchasing and/or Reselling Goods for Less than Market Value

Freebie Bots

Since most retailers have inventory available for purchase online, there is a growing network of opportunistic software developers deploying “bots” designed to capitalize on human errors and mispriced product SKUs (stock-keeping units). Freebie bots scour the Internet, scraping e-commerce websites to discover items that have been accidentally mispriced and then purchase those products in bulk for resale. The developer or administrator of the bot will resell those items on other sites such as eBay, Alibaba, and others, gaining significant profit. Since the retailer is beholden to transact at the erroneous price, the retailer is negatively impacted financially because they end up filling a high volume of mispriced orders.

Such bots are regularly discussed and traded on popular darknet-adjacent chat platforms like Discord. In the figure below, threat actors discuss the “cook group bot”, where deals from online food services are scraped and made available for exploitation.

Figure 1: Source DarkOwl Vision
Figure 2: Freebie bot advertisement Source: Telegram, Channel Redacted

Counterfeits

The illicit trade of counterfeit goods is a long-proven multi-billion-dollar international industry which, according to counterfeit experts, continues to be led by China. According to Europol, surface web monitoring helps crack down on the major counterfeit goods suppliers, but many sophisticated networks have simply shifted to the darknet and use decentralized darknet markets to sell their counterfeited items.

DarkOwl has observed darknet marketplaces that feature a section of “counterfeit goods” comprised of physical counterfeited items a buyer can purchase and have sent to them directly. Watches and fine jewelry are the most common physical goods offered on underground marketplaces, but clothing and electronics are also often on offer.

Figure 3: Listing for counterfeit Rolex watches on Nemesis Source: Tor Anonymous Network

Sweethearting

Sweethearting is a term used to describe a type of social engineering where employees are manipulated by criminals to give away or falsely discount products for purchase and/or potential future resale. Employees are often eligible for store discounts, 20 to 30% off the purchase total, which are applied to purchases initiated by the fraudster.

Employees typically give these undeserved discounts to close friends and family members, but in other cases, employees have been conned into giving them to criminals as well. Such discounts can add up over time. One such example of costly Sweethearting involved an ex-Amazon employee from Arizona who issued $96,000 worth of refunds to accounts that they owned or otherwise controlled.

Point of Service (POS) Malware

In addition to social engineering-led fraud, there is a subset of threat actors who develop malware and viruses designed to take advantage of Point of Service (POS) systems to conduct advanced retail fraud.

Such malicious code installs remote command and control of the front and back ends of the system and manipulates prices at scale or as needed for individual fraudulent transactions. Often, such malware is utilized to apply steep discounts and manipulate SKU prices. A threat actor can remotely and temporarily manipulate the price without the retailer’s knowledge, and transactions still appear legitimate until a financial audit discovers the price (and subsequent profit) discrepancies. 

Figure 4: POS malware advertised Source: Telegram, Channel Redacted

Refund-Specific Fraud

There are multiple forms of e-commerce refund fraud, which usually entail purchasing items online with the intention of keeping them while receiving financial compensation for a claimed defect or delivery issue. Popular methods of e-commerce refund fraud discussed on the darknet include using refunds-as-a-service, directly targeting employees, and did not arrive (DNA) fraud.

Refunds-as-a-service is a darknet affiliate scheme, primarily discussed on Telegram, where refund fraud is committed at scale on behalf of a customer. Customers outsource and solicit expert advice to receive a full or partial financial refund for items bought online and in stores. Like other “as-a-service” commodities on the darknet, the “refund service” providers facilitate fraud for a percentage of the refund.

In this model, the buyer purchases the product and then simply provides the refund service provider with the details of their order and the account and card information associated with it. The service provider then impersonates the customer and utilizes a series of advanced social engineering and phishing techniques to carry out the fraud. These include the use of chat bots to tell emotional stories of lost or damaged goods, with the goal of eliciting enough sympathy from the customer service representative to give a refund regardless of the company’s refund policies.

Proficient social engineers on the darknet can perform this refund service several times a week to easily make money without ever selling their methods. DarkOwl has observed compensation packages averaging 10% of the order value.

Figure 5: Source Telegram, Channel Redacted

Directly Targeting Employees

Similar to Sweethearting, another advanced social engineering refund method involves criminals directly targeting employees. DarkOwl has witnessed threat actors who specialize in fraud discuss the methods that they’ve employed to socially engineer retail employees to get discounts or refunds they didn’t qualify for or deserve. This type of fraud is typically accomplished by forming an emotional connection with the employee and using the connection to extort them and steal from the retailer.

Figure 6: Source DarkOwl Vision from Tor Anonymous Browser

In addition to targeting employees emotionally to get discounts, some refund groups may try to recruit employees to come work for them. This provides the criminal group direct insider access to POS systems, gift cards and voucher codes, and credit card transactions.

Figure 7: Source DarkOwl Vision

Did Not Arrive Fraud

Did not arrive (DNA) fraud is one of the oldest methods of e-commerce-specific refund fraud. In this scam, customers claim that their package never came or was stolen, and will ask for a full refund even though the items did arrive. The international popularity of large e-commerce retailers like Amazon has propelled this type of fraud.

Empty Box Fraud

A similar kind of fraud is empty box or partial-empty box refund fraud. In this case the purchaser lies and claims that an item was packed incorrectly, damaged, or stolen during the shipping process, and asks for a full refund. Similarly, a fraudster will order a small high-value item together with a large low-value item and initiate a refund claiming that the high-value item was not in the package delivered.
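From the retailer's side, the refund schemes described above (refunds-as-a-service, did-not-arrive claims and empty-box claims) leave a recognisable pattern in the order data: one account files many claims, the refunds it requests are out of proportion to what it spends, and its reasons cluster on "did not arrive". The Go program below is an added example, not DarkOwl's code nor any retailer's; the claim records, spend figures and thresholds are constructed for illustration and would need tuning against a real refund history.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Claim is one refund request as an order system would record it.
type Claim struct {
	Customer string
	Reason   string // "dna" (did not arrive), "empty_box", "damaged", ...
	Value    float64
	When     time.Time
}

// Flag is a customer worth a manual review, with the rules that fired.
type Flag struct {
	Customer string
	Reasons  []string
}

// Thresholds are constructed for this example; a retailer would tune them
// against its own refund history and false-positive tolerance.
const (
	window      = 90 * 24 * time.Hour
	maxClaims   = 3    // claims per window before review
	maxRatio    = 0.5  // refund value requested / spend
	maxDNAShare = 0.75 // share of a customer's claims that are "did not arrive"
)

// ScoreRefunds flags customers whose refund pattern inside the window ending
// at now looks like organised abuse rather than occasional bad luck. spend is
// what each customer actually paid in the same window.
func ScoreRefunds(claims []Claim, spend map[string]float64, now time.Time) []Flag {
	type agg struct {
		n, dna int
		value  float64
	}
	per := map[string]*agg{}
	for _, c := range claims {
		if now.Sub(c.When) > window {
			continue // too old to count
		}
		a := per[c.Customer]
		if a == nil {
			a = &agg{}
			per[c.Customer] = a
		}
		a.n++
		a.value += c.Value
		if c.Reason == "dna" {
			a.dna++
		}
	}
	var flags []Flag
	for cust, a := range per {
		var why []string
		if a.n >= maxClaims {
			why = append(why, fmt.Sprintf("%d claims in %d days", a.n, int(window.Hours()/24)))
		}
		if s := spend[cust]; s > 0 && a.value/s > maxRatio {
			why = append(why, fmt.Sprintf("refunds requested equal %.0f%% of spend", 100*a.value/s))
		}
		if a.n >= 2 && float64(a.dna)/float64(a.n) >= maxDNAShare {
			why = append(why, "claims are mostly did-not-arrive")
		}
		if len(why) > 0 {
			flags = append(flags, Flag{cust, why})
		}
	}
	sort.Slice(flags, func(i, j int) bool { return flags[i].Customer < flags[j].Customer })
	return flags
}

// SampleData is constructed for this example and describes no real retailer.
func SampleData() ([]Claim, map[string]float64, time.Time) {
	now := time.Date(2023, 1, 25, 0, 0, 0, 0, time.UTC)
	ago := func(days int) time.Time { return now.AddDate(0, 0, -days) }
	claims := []Claim{
		{"c-100", "dna", 899, ago(5)},
		{"c-100", "dna", 1199, ago(20)},
		{"c-100", "empty_box", 650, ago(40)},
		{"c-200", "damaged", 45, ago(10)},
		{"c-300", "dna", 300, ago(120)}, // outside the 90-day window
		{"c-300", "dna", 250, ago(15)},
	}
	return claims, map[string]float64{"c-100": 3100, "c-200": 2400, "c-300": 1800}, now
}

func main() {
	claims, spend, now := SampleData()
	for _, f := range ScoreRefunds(claims, spend, now) {
		fmt.Printf("%s: %v\n", f.Customer, f.Reasons)
	}
}
```

On the sample, only c-100 is flagged (three claims in the window and refunds worth most of its spend); c-300 has two did-not-arrive claims in total, but one falls outside the window, so a single claim is not enough to trip the did-not-arrive rule. The rules are intentionally conjunctive-by-reason rather than a single score, so a reviewer sees which behaviour fired.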

Figure 8: Source DarkOwl Vision

Receipt Fraud

Adjacent to retail refund fraud is receipt fraud, which entails generating fake receipts for goods never purchased at the retailer, often for the sole purpose of initiating a refund or submitting falsified expense reports.

Threat actors specializing in receipt generation subscription models offer fraudsters access to numerous retailers’ receipt templates for as little as $9.99 USD per month. Both online and in-store purchase receipts are available for purchase. Electronics retailers like Best Buy, NewEgg, and CDW are regularly mentioned, in addition to shipping services like FedEx and UPS.

Figure 9: Fake Fuel Purchase Receipt, Source DarkOwl Analysts

FTID (Fake Tracking ID) Scams

DarkOwl has witnessed increased mentions of tracking-related fraud, where scammers purchase expensive and valuable items, such as electronics, with the intent to initiate a return and refund. They request a refund, which prompts the retailer to send them a shipping label to affix to the returned item’s package. Instead of placing the shipping label on a parcel, they put it on an empty envelope or piece of junk mail, which upon delivery to the business’s mailbox will be mistaken for trash and thrown away. The scammer has the tracking information to prove the label was delivered to the retailer’s business address, receives the refund, and keeps the high-value item.

In the example pictured below, a fraudster on a Telegram channel boasts that Amazon workers regularly steal from returned-item mail sorting facilities, which can be offered as a plausible explanation for why the item was never correctly returned.

Figure 10: Source Telegram Channel, Redacted

Wardrobe Fraud

Wardrobe fraud or “wardrobing” is popular with female fraudsters who purchase high-value clothes with the intent of single use and a fraudulent return. Often a customer orders an item of clothing, typically an expensive outfit for a black-tie or formal event, wears it once with the tags concealed inside the garment (or re-attaches them afterwards), and then sends the clothes back to the retailer. These worn clothes are often damaged and/or dirty. This type of fraud is conducted with both in-store and online purchases.

Darknet Threat Actors Discuss Bypassing Physical Security Measures for Theft

One of the oldest forms of retailer fraud and commerce crime is physical theft of goods from a store. During this research, DarkOwl analysts also uncovered conversations where threat actors revealed methods to bypass loss prevention physical security measures utilized in-stores, such as electronic article surveillance (EAS) ink-tags and RFID (radio-frequency identification) disruption.

Figure 11: Source DarkOwl Vision

Retailers at the Epicenter of Consumer Phishing Attacks and Identity Theft

Fake/Spoofed Websites and Sellers

Oftentimes, a retailer’s brand and reputation will be exploited by threat actors so that they can carry out elaborate scams with advanced phishing and social engineering attacks – mainly with the intention to commit identity theft. Criminals lure victims to malicious sites – with links often delivered via phishing emails claiming to be from a reputable, popular store – and typically advertise a promotion or deal to entice the consumer to click. Phishing emails have become increasingly sophisticated as their delivery mechanisms are designed to evade spam filters using techniques such as URI fragmentation and domain hop architecture.

From our Darknet Glossary, “spoofing” is a method used by cybercriminals in which they falsify the origins of network communication to mislead or misdirect the recipient into thinking they are interacting with a known and trusted source. These websites look legitimate and very similar to the real retailer’s site. Some can also have malware that a customer can unknowingly download.

Spoofing and tricking unsuspecting customers into buying from fraudulent sites is often accomplished by typo-squatting, whereby fraudsters impersonate legitimate sites and services and trick people into using them by changing the spelling of the site ever so slightly so that most don’t notice the difference.

Fraudulent websites can damage the reputation of a commercial retailer and take away sales from customers who would have bought products from the legitimate business. Spoofed websites that result in unhappy customers hurt trust in the brand, potentially impacting future sales and revenue.
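A defender can catch many typo-squatted and look-alike domains before customers do by screening the domains that show up in inbound mail, certificate-transparency feeds or new-registration lists against the brand names being protected. The Go program below is an added example and not DarkOwl's or PhishTank's code. The brand list, its "known good" domains and the sample domains (all under the reserved .example suffix) are constructed, and the program assumes a single-label public suffix rather than consulting the Public Suffix List.

```go
package main

import (
	"fmt"
	"strings"
)

// brands are the names to protect, each with the domains it really owns. All
// values are constructed for this example (.example is a reserved suffix).
var brands = []string{"netflix", "walmart", "wellsfargo"}
var knownGood = map[string][]string{
	"netflix":    {"netflix.example"},
	"walmart":    {"walmart.example"},
	"wellsfargo": {"wellsfargo.example"},
}

// homoglyphs are substitutions squatters rely on readers not noticing.
var homoglyphs = []struct{ from, to string }{
	{"rn", "m"}, {"vv", "w"}, {"0", "o"}, {"1", "l"}, {"3", "e"}, {"5", "s"}, {"7", "t"},
}

// normalize lowercases a label, folds look-alike characters and drops hyphens.
func normalize(label string) string {
	s := strings.ToLower(label)
	for _, h := range homoglyphs {
		s = strings.ReplaceAll(s, h.from, h.to)
	}
	return strings.ReplaceAll(s, "-", "")
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance counting inserts, deletes and substitutions.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// Classify names the brand a domain imitates and why; both results are empty
// when the domain is the brand's own (or a subdomain of it) or looks unrelated.
func Classify(domain string) (brand, reason string) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	for _, good := range knownGood {
		for _, g := range good {
			if d == g || strings.HasSuffix(d, "."+g) {
				return "", ""
			}
		}
	}
	parts := strings.Split(d, ".") // assumes a single-label public suffix, not the PSL
	if len(parts) < 2 {
		return "", ""
	}
	label := parts[len(parts)-2] // the registrable label, e.g. "wa1mart" in wa1mart.example
	norm := normalize(label)
	for _, b := range brands {
		switch {
		case norm == b && label != b:
			return b, "look-alike spelling"
		case levenshtein(norm, b) == 1:
			return b, "one edit away (typo-squat)"
		case strings.Contains(norm, b):
			return b, "brand name inside an unexpected domain"
		}
	}
	return "", ""
}

func main() {
	// Constructed sample, e.g. domains seen in inbound mail or a certificate log.
	for _, d := range []string{"walmart.example", "login.wellsfargo.example", "wa1mart.example",
		"wellsfarg0-secure.example", "netflx.example", "groceries.example"} {
		b, why := Classify(d)
		fmt.Printf("%-28s %s %s\n", d, b, why)
	}
}
```

The checks run in order of confidence: a label that normalizes exactly to a brand but is not spelled like it is the classic digit-for-letter swap, one edit of distance is a typo-squat, and a brand name buried in a longer label (wellsfargo-secure) is the "login", "secure", "support" pattern phishing pages favour. Subdomains of the brand's own domains are excluded up front so that legitimate hosts are never flagged.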

The figures below show sites that have been verified as phishing domains, e.g. a Brazilian Wal-Mart site and a Wells Fargo client login page that harvest banking authentication credentials.

Figure 12: Wal-Mart phishing site deployed in Brazil, Source: phishtank.org
Figure 13: A verified phish website for Wells Fargo Bank Source: phishtank.org

Offers to build fake websites and all the tools to facilitate complex phishing campaigns are readily available for sale on the darknet.

DarkOwl analysts observed “custom made websites” available for sale on a darknet marketplace ranging from $50 – $300 USD. Likewise, guides on “how to phish” and create fake e-commerce websites are on offer on darknet marketplaces for as little as $5 – $10 USD with advertised financial profit of $10K USD per month.

The most popular exploited retailers are Uber, Amazon, and Netflix, and phishing kits are often sold in conjunction with “lead lists” containing thousands of private email addresses and phone numbers that can be utilized for sending spam in large volumes.

Figure 14: Netflix “scampage” website for sale Source: Kerberos Market, Tor Anonymous Browser
Figure 15: Netflix Payment Validation Phishing Site Sample Provided as Proof by Threat Actor
Figure 16: Advertisement for Phishing Kit Guide, Source Kerberos Market, Tor Anonymous Network

Falsifying the Authentication of Scam Pages through Website Certificates

DarkOwl analysts have also noticed website certificates, such as SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates, for sale in darknet fraud communities. Giving a spoofed website an authentic SSL/TLS certificate helps threat actors evade detection and makes the phishing/scam website look more authentic.

Certificates provide machines a unique identity and communicate trust to visitors of the website and search engines alike. This way hackers and threat actors avoid getting flagged as not trustworthy. DarkOwl also found Russian-based threat actors offering Extended Validation (EV) certificates, widely regarded as the most trustworthy kind of machine identity, for sale on the darknet for upwards of $2400 USD.

Figure 17: EV Certificates for sale on the darknet, Source DarkOwl Vision
[FIGURE TRANSLATED]
EV Code Signing Certificate for sale.
Name and cost
• EV Code Signing certificate – $2450 (production time 1-2 weeks)
• Recording service to our USB token and shipping across Russia – $200
* $50 discount per review
* A physical USB token is required for EV certificates.
Suitable USB tokens for an EV certificate:
SafeNet eToken 5100
SafeNet eToken 5105
SafeNet eToken 5110
SafeNet eToken 5200
SafeNet eToken 5205
SafeNet eToken Pro 72K
It is possible to register code signing certificates for a specific company name; the conditions are discussed individually.

Fake Delivery and Shipping Notifications – via Email and SMS Phishing Campaigns

Fraudsters and scammers will use lead lists to send large volumes of fake delivery and/or shipping notifications – appearing to come from trusted retail and delivery sources – indicating that there has been an issue with the delivery, that it has been delayed, or that a fee needs to be paid for the package to be delivered.

Usually, the notification includes a link to a fraudulent site prompting users to enter their financial information and PII (which can be leveraged by actors later) or to pay a fee to release the shipment. Such phishing campaigns impersonating retail commerce providers occur via both email and SMS delivery.

Gift Card, Rewards Programs, and Retail Promotion Fraud

Gift card fraud is a lesser-known form of retail fraud, yet popular amongst darknet threat actors. Gift card fraud can occur via insider threats, i.e. employees steal legitimate gift cards, as well as externally, i.e. consumers redeem stolen or counterfeit gift cards.

Fraudsters easily utilize gift cards and vouchers for illicit purchases because these forms of payment have less security protection than traditional credit cards.

Figure 18: Source Telegram, Channel Redacted

Loyalty programs and customer rewards are also stolen and/or counterfeited for resale. DarkOwl analysts have observed numerous prominent retailers mentioned in darknet fraud advertisements, such as Macy’s, Nordstrom, Kohl’s Cash, AMC Theatres, Office Depot, Bath and Body, Top Golf, DSW, Target, Costco, American Eagle, Southwest Airlines, Marcus Theatres, and numerous restaurant and coffee chains. Most gift card and reward program fraud on offer on the darknet involves US-based retailers. 

Figure 19: Fraud Vendor Shop, Source: Deep Web

Phishing emails disguised as reward program promotions also lure customers to join fake loyalty programs and enter their personal information, which is systematically harvested, stored, organized by retailer into “logs,” and resold en masse in various darknet data brokerage communities across Tor and Telegram.

Figures 20 & 21: Examples of Phishing reward program promotions, Source DarkOwl Analysts

Final Thoughts

Cyber criminals and those involved in retail fraud have become more convincing, sophisticated, and organized with every holiday season. Retail fraud obviously harms commercial retailers fiscally, but it also impacts the retailer’s reputation, trust in the brand, and customer loyalty over time.

The darknet and darknet-adjacent chat applications play an important role in the evolution and proliferation of such virtual and physical theft techniques and tactics. The darknet provides an interconnected web of fraud methods that can be learned, shared, and constantly updated to outsmart legitimate retailers and trick their consumers.

Retailers can benefit from a regular darknet monitoring service for indications of the most up-to-date methods and malware used for retail fraud, to employ effective detection and countermeasures, and to set up recognition education programs for their employees and stakeholders.


Interested in learning how darknet data plays a vital role in preventing, catching and remediating retail fraud? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.