Author: DarkOwl Content Team

Layers of the Internet: Understanding the Data that Makes Up Darknet Intelligence

January 05, 2023

The internet, social media, and mobile devices are the fundamental requirements for conducting business and engaging in society. Most of us use the internet (and the deep web) throughout the day, every day. But, do we understand how it works – technically? This infographic describes the various layers of the internet, and some of the primary data sources found within each layer.


Curious how darknet data applies to your use case? Contact us!

Content, Content, Content: Top Research Pieces from DarkOwl in 2022

January 03, 2022

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content this year, a new record for the team. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2022.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Impacts of Ukraine Invasion Felt Across the Darknet 

Figure 1: GhostSec Leaks Data from domain[.]ru Hosting Provider

From February through April, the DarkOwl team actively tracked the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation caused ripples across global cyberspace, including critical underground ecosystems across the deep web and darknet, resulting in the first ever global cyberwar. Read blog.

In August, CEO and Co-Founder, Mark Turnage, hosted a webinar on the topic of cyberwar, “What Does a Real Cyberwar Look Like.” Ukraine’s call for help sparked off the first ever global cyberwar which for the first time in history has been waged between two countries simultaneously with a land war. This webinar looked at what we have learned from the cyberwar to date. The transcript and recording can be found here.

2. Darknet Cartel Associated Marketplaces  

In August, DarkOwl analysts discovered multiple escrow-enabled decentralized marketplaces on the dark web that claim to be affiliated with the Sinaloa Cartel. One such marketplace, called “Cartel de Sinaloa,” is reportedly directly associated with the Sinaloa Cartel and Los Chapitos. The marketplace uses the same logo – a red and black skull with “Cartel de Sinaloa” written underneath it – as the avatar of a Facebook group page operating under the same name. Another marketplace calling itself “The Sinaloa Cartel Marketplace” focuses on offering hitman-for-hire style services. Both services require authentication for user access, which forces visitors to create a username and password to view the marketplace past the login screen and adds protection from bots and crawlers. Read more.

Figure 2: Cartel de Sinaloa Marketplace (post-authentication) on Tor

3. Industrial Control Systems & Operational Technology Threats on the Darknet

Industrial control systems (ICS) and their adjacent operational technologies (OT) govern most everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all include some degree of ICS/OT incorporated in their industrial processes. Research from DarkOwl analysts identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure. Full report here.

4. Glossary of Darknet Terms 

The darknet is home to a diverse group of users with complex lexicons that often overlap with the hacking, gaming, software development, law enforcement communities, and more. DarkOwl’s Glossary of Darknet Terms is a continually evolving resource that defines the common vernacular, slang terms, and acronyms that our analysts find in places like underground forums, instant messaging platforms (such as Telegram), as well as in information security research pertaining to the darknet. Check it out. 

5. Pardon Me While I Steal Your Cookies – A Review of Infostealers Sold on the Darknet 

In this research, our team reviewed some of the most widely proliferated infostealers on offer on the darknet and discovered an elaborate data exfiltration ecosystem with a low entry cost, providing cybercriminals access to a wealth of personal information without the victim’s knowledge. We also learned many infostealers are offered under a malware-as-a-service (MaaS) or “stealer-as-a-service” (SaaS) rental model, with subscription-based access to the malware executables and associated command-and-control (C2) botnets. Read here.

Figure 3: Offer for Redline Stealer for sale on Darkfox Darknet Marketplace

6. Tensions Between China & Taiwan Realized on the Darknet 

Through August and September, DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan. Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence. 

This report demonstrates how recent cyberattacks in August augment political criticism of Taiwan. It also notes the on-going barrage of leaks surfacing as a result of attacks against key organizations in both countries, and discusses the general darknet sentiment regarding China’s global reputation and its potential invasion of Taiwan. Full report here.

7.  Understanding Darknet Intelligence (DarkInt)

The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture, but is becoming an increasingly vital component. In certain cases, that is because taking raw data and turning it into actionable security intelligence requires leveraging DARKINT – or data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio. Learn more.

8. The Darknet Economy of Credential Data: Keys and Tokens

The darknet, which is also referred to as the dark web, is a segment of the internet that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit trade in goods and services. Adjacent to the darknet are the deep web and instant chat platforms, which play an increasingly critical role in making this illicit information available. Pseudo-anonymous discussion forums and vendor marketplaces hosted on the deep web, along with Telegram private and public channels, provide additional platforms through which threat actors communicate and circulate sensitive and stolen credential data.

In this blog, we review how sensitive, server-side access credential data – such as AWS private/secret keys, Django secret keys, and API tokens – are captured, circulated, and sold across darknet marketplaces and criminal communities. Read here.

Figure 4: Source DarkOwl Vision

9. Darknet Economy Surges Around Abortion Rights 

In June, users across darknet forums voiced interest in abortion-related pills and services following the leaked Supreme Court documents and advocated for organized protests both in support of and against the potential ruling. Once the U.S. Supreme Court officially issues its ruling, we anticipate a more concerted response from darknet marketplaces in offers for abortion-related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate. Read more.

Figure 5: Underground Abortion Railroad, Source Dread Darknet Discussion Forum

10. Dark Web Cyber Group Spotlight: SiegedSec 

DarkOwl analysts regularly follow “darknet threat actors” that openly discuss cyberattacks and disseminate stolen critical corporate and personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients. In this edition, analysts dive into SiegedSec, who formed in late February 2022, coincidentally days before the invasion of Ukraine, and adopted variations of the tagline “sieging their victim’s security.” DarkOwl analysts observed SiegedSec provide proof of the defacement and/or compromise of at least 11 websites, with rather juvenile and crude language and graphics included in the defacements. In April, the group claimed they had successfully defaced over 100 domains, offering as proof a hosting chat dialogue indicating the account passwords had been changed and the defacements corrected, but the group hinted they still had access to the domains. DarkOwl analysts also discovered several thousand compromised LinkedIn profiles with references to SiegedSec. Check it out.

2022, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2023 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

DarkOwl 2022 Recap: A Quick Reflection & Updates

December 29, 2022

With 2022 at a close, our content and marketing teams reflect on a number of exciting events, trends and changes the DarkOwl team experienced this year. We look forward to an even more successful and prosperous 2023 and wish the same for all our customers, partners and readers! Thank you for your support over the past year and for continuing to read, engage with and share our content. We hope you continue to find the topics we cover valuable, enlightening and interesting. Last marketing plug of the year… don’t forget to sign up for our weekly newsletter to make sure you receive updates about the latest from our research and content teams!

In Person is Back! 

Around the World for Conferences

As our EVP of Sales likes to say, “in person is back,” and we are so glad to be able to see our customers, partners, and prospects face to face after a couple of years of a virtual world. In 2022, the team attended several events all around the world, including San Francisco, Las Vegas, London, Prague, Paris, Dubai, Hyderabad, and many more. Thank you to everyone who sat down with DarkOwl along the way. We hope to see even more of you on the road in 2023. Check out where we will be in 2023 and request time to meet here.

RSA Conference 2022 in San Francisco

Employee Fun and Events

Not only did the team travel around the world for client meetings and conferences, but throughout the year the headquarters in Denver, CO hosted several employee events, welcoming all remote employees several times for team building weeks, Sales Kick Offs, and the annual Holiday Party. With a workforce that is becoming more and more remote friendly and DarkOwl focusing on finding the best talent, making sure that everyone at DarkOwl stays connected is of utmost importance.

Sales Kick Off Escape Room Team Building
Happy Halloween! Dressing up as CEO, Mark Turnage, to celebrate
Group picture after the annual chili cook off

New Products and Enhancements

DarkOwl places great emphasis on learning from customers and making sure our products are always providing value. We make a continuous effort to enhance our dark web data products with features geared towards analyst and threat intelligence teams. Below are a couple highlights of big launches we had this year. 

Ransomware API Launch


In June, DarkOwl added Ransomware API to the product suite. Ransomware API allows users to monitor ransomware sites for indicators of compromise. This product was created as a direct response to customer requests and needs. Our insight and historical perspective into the darknet is unique, and we wanted to make it easy for people to find this critical information about their vendors or clients. With this API product, content on these sites – including organization mentions – can now serve as an important risk indicator for a variety of use cases.

Leveraging the world’s leading and continuously updated darknet data index, you can gain insight into potential risk by conducting targeted ransomware searches. Ransomware API enables users to safely query continuously sourced and updated ransomware sites, primarily but not exclusively hosted on Tor and Telegram and run by criminal gangs and threat actors, to detect mentions of criminal activity against an organization.

Read more about Ransomware API on our product page or in our interview with Director of Product, Sarah Prime. 

Entity Explorer 

In November, DarkOwl released a new feature to Vision UI, “Entity Explore,” enabling end-users to gain more relevant insights from DarkOwl’s vast dataset of dark web content. Entity Explore shows query results in the form of a new dashboard built around tokenized objects with critical contextual information. The dashboard also incorporates new features geared toward increasing analyst efficiency and functionality, such as easier exporting and parsing of information, to lead users toward actionable intelligence.

Entity Explore was developed as the result of feedback from DarkOwl’s clients, who were seeking an easier way to drill into their dark web exposure and easily export that information for reporting and further analysis. With Entity Explore, users are now able to extract data from DarkOwl’s collection in a format that had mainly been limited to DarkOwl’s API customers.

As of early October, DarkOwl Entity API uncovered and archived over 9 billion emails, 16 billion credit card numbers, almost 2 billion IP addresses and over 390 million cryptocurrency addresses in the past year.

You can read more about Entity Explore and its features here.

A Year of Growth 

2022 was exciting for the DarkOwl team, both in the sense that our product features and suite grew and also that the team continues to experience growth. That trend is not stopping, as we are so proud to be able to continue investing in our employees as well as growing across all teams. Check out our open positions. Join us in our mission to be the world’s leading darknet content and tools provider, empowering clients to continually improve their cybersecurity defenses.

Expanded Data Collection

One of DarkOwl’s key differentiators is our product team’s ability to respond to the needs of our clients and collect the data that matters the most to them. This year, DarkOwl was proud to assist our national security and government partnerships by providing crucial insights into data leaks and cyber activity surrounding the war in Ukraine.  

For many of our commercial clients, the darknet remains a hub for criminal activity for things such as ransomware – a problem faced by over two-thirds of organizations. As such, we ensured we had access to the areas of the darknet frequented by these groups, including the blogs that many ransomware gangs host and update themselves on Tor.  

We also saw data aggregators in the threat intelligence space reiterating a need for broader coverage of not only traditional darknets, but also emerging darknet-adjacent spaces. Based on this need, we nearly doubled our expansion into messaging services such as Telegram and similar popular chat platforms. As of the time of publication, our AI-powered crawlers have access to over 11,700,000 documents from 1,700+ Telegram servers. We also added 714,513,235 email addresses and 100,532,810 new plain text passwords and increased our domains by 22.7%.

As cybersecurity incidents become more sophisticated, more and more critical data is being shared on the darknet. This year, DarkOwl partnered with numerous organizations both domestically and internationally to bring more darknet data to threat prevention and intelligence analysts than any year prior.  

Clients Seeing Increased Demand for Dark Web OSINT

We understand how incredibly challenging it is to maintain insight into everything the threat actors have insight into. This year, we put an emphasis on leveraging our company’s expertise in darknet technology to gather the data that allows our clients and their customers to stay ahead of potential threats. This includes former military – as well as the sociology of users on hidden networks – 

As supported by conversations that DarkOwl team members had with several of our customers at the DoDIIS Worldwide Conference this winter, our OSINT technology partners are receiving consistently positive feedback on the data they’re finding by accessing DarkOwl’s database through their existing threat intelligence platform via DarkOwl’s API products.

Newly announced partnerships include: 

DarkOwl Makeover 

One of our earlier updates from this year came in the form of a total rebranding of DarkOwl’s website this February. The redesign concept came from an internal discussion about how DarkOwl as a brand could reinterpret how we represent hidden networks such as the darknet. Our vision (no pun intended) was to use Art Deco design concepts to represent the darknet as a complex component of the internet, rather than an elusive “hidden” concept.

Old Website Homepage
New Website Homepage

DarkOwl’s Commitment to Supporting Non-Profit Causes 

DarkOwl is proud to partner with several non-profit organizations focused on making the world a better place. In honor of National Non-Profit Day, we sat down with key members of the National Child Protection Task Force and the International Justice Mission to get a glimpse into the work that they do on a day-to-day basis and how DarkOwl contributes. Hearing their stories and how our work behind the scenes is making a difference makes day-to-day tasks so much more worth it. You can read the full blog here.

We Adopted an Owl 

For the holiday season and to honor our commitment to non-profit organizations, we donated to the Raptor Education Foundation on behalf of our clients and partners. As a result of this donation, we adopted an adorable, wide-eyed Great Horned Owl! We are so excited to welcome this “unusually large male raptor” (as he’s been described by his handlers) to the DarkOwl family. You can learn more about him on his dedicated adoption page. 

Don’t miss any updates from DarkOwl in 2023 and get weekly content delivered to your inbox every Thursday.

Darknet Data Use Cases: Commercial

December 8, 2022

In our previous blog on darknet use cases, we focused on intelligence agencies, law enforcement, and government and how darknet data plays a critical role in their investigations and reporting. In this blog, DarkOwl analysts outline the top commercial darknet use cases, detail real-world applications and examples of DarkOwl’s software-as-a-service (SaaS) darknet data platform, and describe how key data sources in the criminal underground can be leveraged to facilitate the analysis and reporting required across commercial entities’ security departments.

Event & Executive (VIP) Protection

Key corporate executives, CXOs, board members, and essential technical staff are at elevated risk of being targeted for social engineering and phishing attacks by threat actors. Some high-profile executives, political figures and government employees require increased physical protection as threats of direct violence against them appear in darknet sources and social media.

Data from the darknet can serve as predictive telemetry of potential threats against corporate and government leadership. DarkOwl has observed threat actors leaking detailed personal profiles, termed “doxxes”, of individuals in the darknet. Social anarchist groups also utilize the darknet for coordinating attacks against key facilities and events that are contrary to their beliefs.

A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person as a form of public shaming, generated to exact revenge on the company or person for some perceived wrongdoing. A dox presents a significant security threat to the company and the individual, with detailed information such as mobile phone numbers, residential address, social media accounts, bank accounts, and familial associations publicized and subsequently targeted for phishing, fraud, and even kidnapping, murder or extortion.

The personal information of executives and VIPs is often shared on darknet websites which specialize in the distribution of doxxes. While many of the executive doxxes shared on the darknet observed by DarkOwl include familiar celebrity VIPs like Mark Zuckerberg or Jack Dorsey, other lesser-known executives are also exposed as a result of some grievance experienced by the psychologically delicate cybercriminal.

Figure 1: Source DarkOwl Vision

In another example, earlier this year while Roe vs Wade was in the process of being overturned by the US Supreme Court, cyber criminals leaked detailed information from the justices to the deep web. In 2021, anti-democratic party hacktivists similarly leaked personal details of key cabinet members and staff from President Biden’s Administration and suggested their homes and families be targeted for extreme fraud and murder.

Figure 2: Source DarkOwl Vision
Figures 3 and 4: Source DarkOwl Vision

Cyber Investigations

DarkOwl’s darknet data can significantly augment cyber-criminal investigations by providing key additive informational components – often in conjunction with other open sources like social media activity – to create a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions, or simply fill in critical intelligence gaps and solidify evidence such that indictments and subsequent legal action may be executed.

Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and track a threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.

The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision, confirmed the suspect’s activities across various underground communities in the darknet, and a leaked IP address provided a potential physical location of João Pessoa, Brazil.

Figure 5: Source DarkOwl Analyst, July 2020

Situational Awareness: Ransomware

Russia’s late-February military invasion of Ukraine and its on-going offensive operations were preceded by numerous opportunities for geopolitical situational awareness, and subsequent monitoring of conditions is possible through a surge of new Telegram channels documenting live events ‘on the ground’ and conversations between users with unique perspectives on the conflict.

Commercial organizations, including retail outlets, are targeted daily by dozens of active ransomware-as-a-service (RaaS) gangs that operate exclusively on the darknet. A ransomware incident against a commercial organization can cause serious loss of revenue and interrupt operations for weeks while incident response and remediation is carried out. Shoprite, in South Africa, experienced a ransomware attack from Ransom House group who subsequently leaked the usernames, IDs, and personal information of its consumers when the company failed to pay the extortion.

Figure 6: Source DarkOwl Vision

Insider Threat Risk

Many employees who are unhappy with their employers – including both corporate and government civilians – often rant in darknet chat rooms and forums, under the cloak of anonymity, about their working conditions, abusive bosses, or annoying coworkers. Sometimes the posts include calls for ‘darknet hackers’ to avenge them and attack the organization’s networks so they don’t have to work.

DarkOwl users can monitor the darknet for malicious mentions of their organizations that include information that is limited to employees and staff with authenticated or limited access to information, e.g. the ‘insider threat.’

DarkOwl uncovered a post on a darknet forum where a corporate employee detailed organizational issues with members of a specific team at the company and called out the management team, leaking their names and email addresses. With this information, the company can launch an internal investigation to identify the employee and mitigate the risk to the organization through supervisor and HR intervention and/or termination.

Figure 7: Source DarkOwl Vision

International ransomware threat actors also regularly solicit insiders to shorten the cyber-attack lifecycle, using employees with direct access to company IT resources instead of brute forcing network credentials or exploiting vulnerable network devices. Often, instead of naming a network appliance, the specific company name is included in the solicitation.

Figure 8: Source DarkOwl Vision

Brand and Reputation Risk

Corporate brand recognition, reputation, and public perception are paramount in establishing market share and sustaining fiscal certainty in uncertain economic conditions. Darknet data can be utilized to uncover derogatory mentions of a company or corporate identity, which can help mitigate risks to the organization’s long-term success.

The image below includes an announcement on Telegram by pro-Ukrainian hackers calling for a boycott of Nestle products due to the company’s continued operation in Russia and the resulting economic support for the Putin-backed Kremlin.

In the days following the post on Telegram, the prominent darknet threat actor group KelvinSec compromised Nestle’s company network and leaked sensitive databases containing customer, transaction, and shipping data.

Figure 9: Source DarkOwl Vision
Figure 10: Source DarkOwl Analyst

Counterfeiting and Identity Theft

DarkOwl’s darknet data can provide indication of concerted efforts to sell or circulate counterfeit goods and identification documents, in addition to monitoring for potential identity theft. Passports, driver’s licenses, and military identity cards are regularly offered for sale on darknet marketplaces.

Darknet fraudsters intent on committing financial fraud against individuals are sophisticated enough to bypass identity verification utilities, such as ID.me. Users on Telegram offered a compromised ID.me account with driver’s license and social security number for $20K USD earlier this year. Others offer “ID.me bypass” methods for sale on fraud forums and public chats.

Figure 11: Source DarkOwl Vision

Driver’s licenses are available for sale across many darknet marketplaces and Telegram groups. A vendor on the Nemesis decentralized darknet market offered USA driver’s license templates to create fake identification cards for as little as $5.00 USD, with a guaranteed refund if the template was unsuccessful. Canadian templates are more expensive at 300 CAD for a template covering only the province of Quebec.

Figure 12: Source DarkOwl Analyst

Large data leaks, like the GiveSendGo leak shared on DDoSecrets, include photographs and scans of US and Canadian military identification cards that could be leveraged by threat actors for identity fraud and/or unauthorized access to military installations.

Figures 13 and 14: Source DarkOwl Vision

Supply Chain Risk Mitigation

Supply chain attacks are industry-agnostic cybersecurity attack methods that cause damage and destruction to an organization by compromising less secure elements in the organization’s supply chain. This has been observed across many ransomware groups, who operate within the darknet, target the suppliers and vendors of major victims, and utilize the organizational data exfiltrated from the compromised network to carry out additional attacks on the same organization and on vendors and suppliers connected to the victim.

DarkOwl’s darknet data platform supports continuously monitoring and quantifying supply chain and vendor risk. Third-, fourth-, and even fifth-party vendors do not always expeditiously inform their stakeholders of critical cyberattacks, and the early mention of a supplier on a ransomware blog site hosted on the darknet can help every organization connected to the victim, regardless of role or capacity, establish a solid defense posture with increased security awareness and proactive protection. Simply monitoring for mentions of an organizational website domain over time can be an indicator of risk.

In the example graphic below, DarkOwl captured where various organizations connected to the Volvo car corporation were attacked by multiple ransomware groups over the course of a year. It is highly likely that the data exfiltrated from the attacks in 2021 was utilized in the subsequent attacks against Volvo’s subsidiaries and their suppliers.

Figure 15 Source: DarkOwl Marketing, Presentation Recap Blog Here

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

To learn more about darknet use cases and how to apply them to your business, contact us.

The Art of Combolist Cracking and Credential Stuffing

December 01, 2022

The Science of Credential Stuffing

DarkOwl regularly reviews topics designed to inform both corporate and personal entities of threats discussed on the darknet. In this blog, we will cover credential stuffing to augment other research like “The Darknet Economy of Credential Data: Keys and Tokens” and “Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC,” which also discuss credential data risks. We will discuss the motivations and techniques behind combolist cracking and credential stuffing attacks and explore some of the recent darknet communities that rely on credential stuffing operations for their own criminal agendas.

Automation and the Credential Stuffing Attack Methodology

Credential stuffing – often shortened to simply ‘cred stuffing’ – is the process of automatically testing exposed username and password combinations against website login forms for potential account takeover (ATO) or malicious exploitation. When we think of darknet threat actors we often visualize sophisticated computer users, with elite programming and scripting skills, conducting cyber operations at scale with numerous monitors of black screens and scrolling green text. In practice, credential stuffing utilizes customized and readily available scripts to automatically test thousands (if not millions) of credential combinations against web applications for verification.

In software development lingo and even some corners of the darknet, this process is described as technically a form of “fuzzing” or ‘black-box’ testing of a website or web server application. Many of these scripts and functional utilities are in circulation for free across darknet communities – with tutorials and instructions – and are available to the novice cybercriminal interested in entering the ‘cred stuffing’ market with little knowledge of elite scripting or hacking.
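A server-side detection heuristic for the pattern described above, added here as an example and not code from DarkOwl or the original post: it parses a constructed login audit log, flags any source that tries many distinct usernames with a high failure ratio inside a short window (the fingerprint of automated credential replay), and lists the accounts that authenticated from such a source so they can be reset. The log format, the thresholds and the sample IPs are assumptions for illustration.

```python
"""Server-side detection of credential-stuffing traffic in login logs.

Added example, not DarkOwl's code. Credential stuffing replays leaked
username/password pairs against a login form at scale, so on the server
it shows up as one source trying many DISTINCT usernames with a high
failure ratio in a short window, with the occasional success marking an
account whose leaked password is now confirmed valid. The log format
below is constructed for this example; adapt parse() to your own log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source-ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays eight different accounts in eight seconds and gets
# one hit; the other two sources are ordinary users (one mistyped once).
SAMPLE_LOG = """\
2022-12-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2022-12-01T10:00:04Z 203.0.113.7 dave@example.com OK
2022-12-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2022-12-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2022-12-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2022-12-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2022-12-01T10:01:00Z 198.51.100.4 alice@example.com FAIL
2022-12-01T10:01:20Z 198.51.100.4 alice@example.com OK
2022-12-01T10:02:00Z 192.0.2.9 bob@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match.group(2), match.group(3), match.group(4) == "OK"))
    return events


def detect(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs whose login attempts look like credential stuffing.

    For each IP, slide a time window over its attempts (sorted by time)
    and flag the IP if any window holds at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`. A single
    user retrying their own password never trips this, because the
    distinct-username count stays at one.
    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "successes"}}
    for the largest qualifying window per IP.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": ratio,
                        # accounts that authenticated from the stuffing source
                        "successes": [u for _, u, ok in win if ok],
                    }
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Accounts that succeeded from a flagged source: treat the leaked
    password as confirmed valid and force a reset plus session revocation."""
    return sorted({u for stats in flagged.values() for u in stats["successes"]})


if __name__ == "__main__":
    hits = detect(parse(SAMPLE_LOG))
    for ip, stats in hits.items():
        print(f"{ip}: {stats['distinct_users']} users / {stats['attempts']} attempts, "
              f"fail ratio {stats['fail_ratio']:.2f}")
    print("force reset:", accounts_to_reset(hits))
```

Tune the window and thresholds to your own login volume; attackers that rotate through proxy lists will spread attempts across many source IPs, so the same ratio should also be watched per user-agent or per target account in production.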

Wordlists & Wordlist Generators

Wordlists and compromised lists of email address and password combinations are the foundation for credential stuffing operations. Many multi-million record data leaks in circulation on the darknet like Collection #1-5, RockYou, and the Compilation of Many Breaches (COMB) make potential username/password combinations easily discoverable and exploitable at scale. Such leaks are utilized as input for credential stuffing scripts and applications. Wordlists are also in regular circulation amongst darknet threat actors, and some are already integrated into Linux distributions favored by pen-testers and hackers alike.

Figure 1: Wordlist Github Repository Popular with Offensive Security Specialists, Source: https://github.com/kkrypt0nn/wordlists

There are numerous wordlist generator utilities that automate the creation of candidate passwords, whether exhaustive strings of a specified length drawn from alphanumeric characters and symbols, words scraped from a target’s website, or permutations of common dictionary words. DarkOwl analysts have observed mentions of CeWL (which spiders a target website for words) and Pydictor on forums popular with Chinese threat actors, and others like BEWGor (yes, pronounced “booger”), Crunch (which enumerates every string over a chosen character set), and the Common User Passwords Profiler (CUPP, which builds permutations from a victim’s personal details) across other deep web communities.

Figure 2: Source DarkOwl Vision

One user on Telegram enthusiastically referred other channel members to a repository containing Bopscrk, advertised as a “smart and powerful” wordlist generator that combines wordlist data with personal information about the targeted account holder, such as date of birth and favorite musical artists, to generate customized permutations of passwords with a higher probability of success.

Figure 3: Source DarkOwl Vision
Figure 4: Source Redacted
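To make concrete why profile-driven generators like CUPP and Bopscrk are effective, here is an added example in the same spirit. It is not the code of either tool, and the profile fields, the leet substitutions and the suffix list are this example’s own assumptions. A handful of public facts about one person (name, pet, favorite artist, date of birth) expands into several thousand plausible passwords, which is a tiny search space for an automated checker:

```python
"""Profile-driven password candidate generation, in the style of CUPP or Bopscrk.

Added example: this is not the code of either tool. It shows how a handful of
public facts about a person expand into thousands of plausible passwords.
"""
import itertools

# Common "leet" substitutions and suffixes users bolt on to satisfy complexity rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "#", "1", "123")
SEPARATORS = ("", "_", ".")

# Constructed profile; the field names are this example's own convention.
EXAMPLE_PROFILE = {
    "first": "Alice",
    "last": "Smith",
    "pet": "Rex",
    "artist": "Adele",
    "dob": "1990-05-12",   # ISO date string, YYYY-MM-DD
}


def seed_tokens(profile):
    """Turn profile fields into the raw tokens a profiler would start from."""
    tokens = set()
    for key in ("first", "last", "nick", "pet", "artist", "team"):
        value = profile.get(key)
        if value:
            tokens.add(value.lower())
    dob = profile.get("dob")
    if dob:
        year, month, day = dob.split("-")
        # full year, two-digit year, and both day/month orderings
        tokens.update({year, year[2:], day + month, month + day})
    return tokens


def case_variants(token):
    """Capitalisation and leet-speak variants of one alphabetic token."""
    if not token.isalpha():
        return {token}
    return {
        token,
        token.capitalize(),
        token.upper(),
        token.translate(LEET),
        token.capitalize().translate(LEET),
    }


def generate_candidates(profile, min_len=6, max_len=20):
    """Return a sorted, de-duplicated list of candidate passwords for the profile."""
    words = set()
    for token in seed_tokens(profile):
        words |= case_variants(token)

    candidates = set()
    # single tokens with a suffix, e.g. "Adele!" or "Alice123"
    for word in words:
        for suffix in SUFFIXES:
            candidates.add(word + suffix)
    # ordered pairs joined by a separator, e.g. "Alice1990" or "Rex_Smith!"
    for first, second in itertools.permutations(words, 2):
        for sep in SEPARATORS:
            for suffix in SUFFIXES:
                candidates.add(first + sep + second + suffix)

    return sorted(c for c in candidates if min_len <= len(c) <= max_len)


if __name__ == "__main__":
    cands = generate_candidates(EXAMPLE_PROFILE)
    print(f"{len(cands)} candidates from {len(EXAMPLE_PROFILE)} profile fields")
    print(cands[:10])
```

The defensive reading is the useful one: a password built from anything that appears on a victim’s social media is inside this list, so password policies that only demand length and a symbol do not help, while a random passphrase or a password manager does.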

Links to wordlist text files and wordlist generators are shared across darknet forums and chatrooms that facilitate ATO, and many of them are hosted on Github. At the time of writing, there are over 5,000 repositories containing wordlists on Github alone. Dictionary lists in English are the most common, but other languages are also available.

Figure 5: Summary of Wordlists Available on Github, Source: https://www.github.com

Scalable exploitation of stolen or compromised data will persist, and we anticipate the development of more sophisticated automation utilities and the maintenance of existing lists to continue. Since offensive security specialists will also continue to develop and utilize wordlists for their network vulnerability assessment activities, cybercriminals will leverage these where available. Anything that is readily in use for offensive security purposes will also be exploited for malicious gain.

Credential Validation Applications & Proxy Lists

Once a threat actor has several combolists in their arsenal, they will utilize credential stuffing utilities and botnets to test username and password combinations (called ‘combos’) against web applications and websites. Cybercriminals often reuse tools such as OpenBullet, which is marketed as a web application testing suite, and SentryMBA; both are driven by per-site “config” files that describe the login request and the response patterns that indicate success or failure. Older programs like Vertex and Apex work similarly to Sentry but struggle with sites that enforce modern TLS/HTTPS.

Figure 6: Screenshot of SentryMBA Application

Credential stuffing programs are traded hand-in-hand with proxy lists so that operations resemble organic traffic: attempts are spread across many source addresses, hiding the fact that all the logins originate from one operator. Programs such as AzLiquidGold, SlayerLeecher, BlackBullet, STORM and Snipr were written by hackers purely as proxy-enabled scrapers and “combo-checkers.” Residential proxies are available for purchase for under $5 USD on most darknet forums and marketplaces, and because they exit from consumer ISP address space they defeat simple data-center IP blocklists.

Figure 7: Source Darknet Forum Tor Browser
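Proxy rotation is exactly why per-IP rate limiting alone misses credential stuffing. The following added example (not from the original post; the log format, the documentation-range IP addresses and the user-agent strings are all constructed for the demo) runs two detectors over sample authentication logs: the first catches the naive case of one address cycling through many accounts, the second catches the proxy-rotated case, where every address is quiet but one client fingerprint spans many addresses and many accounts with a failure rate that no population of real users produces:

```python
"""Two credential-stuffing detectors run over constructed authentication logs.

Added example, not code from the original post. The log line format, the IP
ranges (RFC 5737 documentation ranges) and the user agents are invented here.
"""
import re
from collections import defaultdict

# Hypothetical key=value auth log line; adapt the regex to your IdP or WAF format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(lines):
    return [ev for ev in (parse_line(line) for line in lines) if ev]


def per_source_stuffing(events, min_users=10, min_fail_ratio=0.8):
    """Naive stuffing: one source address tries many distinct accounts and mostly fails."""
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ev in events:
        stats = by_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if ev["result"] == "FAIL":
            stats["fail"] += 1
    flagged = {}
    for ip, stats in by_ip.items():
        ratio = stats["fail"] / stats["total"]
        if len(stats["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def distributed_stuffing(events, min_ips=10, min_users=10, max_per_ip=3, min_fail_ratio=0.8):
    """Proxy-rotated stuffing: per-IP volume stays under any rate limit, but one client
    fingerprint (here the user agent) spans many IPs and many accounts, mostly failing."""
    by_ua = defaultdict(lambda: {"ips": defaultdict(int), "users": set(), "fail": 0, "total": 0})
    for ev in events:
        stats = by_ua[ev["ua"]]
        stats["ips"][ev["ip"]] += 1
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if ev["result"] == "FAIL":
            stats["fail"] += 1
    flagged = {}
    for ua, stats in by_ua.items():
        ratio = stats["fail"] / stats["total"]
        if (len(stats["ips"]) >= min_ips and len(stats["users"]) >= min_users
                and max(stats["ips"].values()) <= max_per_ip and ratio >= min_fail_ratio):
            flagged[ua] = {"distinct_ips": len(stats["ips"]),
                           "distinct_users": len(stats["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def build_sample_log():
    """Constructed log: normal logins, one noisy single-IP run, one proxy-rotated run."""
    browser = "Mozilla/5.0 (Windows NT 10.0; rv:108.0) Gecko/20100101 Firefox/108.0"
    # a fixed user agent of the kind a checker config hard-codes (invented string)
    tool = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/58.0.3029.110"
    lines = []
    for i in range(5):    # legitimate users, each from their own address
        lines.append(f'2023-01-05T10:00:0{i}Z ip=192.0.2.{10 + i} '
                     f'user=user{i}@example.com result=OK ua="{browser}"')
    for i in range(25):   # one source hammering 25 different accounts
        lines.append(f'2023-01-05T10:01:{i:02d}Z ip=203.0.113.7 '
                     f'user=victim{i}@example.com result=FAIL ua="{browser}"')
    for i in range(40):   # 40 residential proxies, one attempt each; two combos happen to be valid
        result = "OK" if i in (3, 17) else "FAIL"
        lines.append(f'2023-01-05T10:02:{i:02d}Z ip=198.51.100.{i + 1} '
                     f'user=target{i}@example.com result={result} ua="{tool}"')
    return lines


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("per-source:", per_source_stuffing(events))
    print("distributed:", distributed_stuffing(events))
```

The user agent is a weak fingerprint that a careful operator randomises per request; in production the same aggregation is worth running on TLS fingerprints (JA3/JA4), request header order, or the login form’s timing signature, and on the global ratio of failed-to-successful logins per minute, which rises sharply during a stuffing run regardless of how the source addresses are spread.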

Credential Stuffing and the Darknet Data Community

There are numerous deep web and darknet forums and Telegram channels that support the credential stuffing economy of the darknet. Users in the darknet often refer to those in the business of validating and circulating username/password combinations through credential stuffing as “crackers.” Actors share validated credential data on darknet forums and describe them as “freshly cracked” on markets and Telegram groups. Other accounts on offer are described as “logs” – which can be confusing when the vernacular is mixed with malware-based information “stealer log” offers. In the credential stuffing and cracker community, however, “logs” is short for “logins.”

Figure 8: Source Cracking Forum via Tor Browser

Accounts are further advertised as high quality (HQ) or ultra-high quality (UHQ), with or without two-factor authentication (2FA), or described as full access (FA), indicating that additional personally identifiable information (PII) is included so the buyer can maintain persistent access to the online account. Accounts for popular online commercial applications, email providers and streaming services are compiled and sold in bulk for a higher price. Some accounts sell for as little as $1.50 USD per account, and combos are cheaper in higher volumes, e.g. 100,000 Hotmail or Outlook accounts for 100 Euros.

Figure 9: Source DarkOwl Vision
Figure 10: Source DarkOwl Vision

Higher volume databases of cracked accounts also appear on forums as “combolists” that are traded and sold for further exploitation. Some combolists are advertised by web platform, geographic region, and others are simply described as “mixed combos.” DarkOwl has observed several advertisements containing millions of verified account credentials in a single file.
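When a combolist like this lands on a security team’s desk, the first question is which of the listed passwords are still current. The following added example (not from the original post) triages a constructed mixed combolist against a stand-in identity store: it parses the delimiter variants seen in circulation, normalises addresses, drops domains that are not yours, de-duplicates, and verifies each leaked password against the stored salted PBKDF2 hash so that accounts whose leaked password still works get a forced reset first. The directory format, the PBKDF2 parameters and the sample accounts are assumptions of this example:

```python
"""Combolist triage against an identity store (added example, not from the original post).

Assumptions: the directory maps lowercase email -> (salt, PBKDF2-HMAC-SHA256 hash);
adapt hash_password() to whatever your identity provider actually stores.
"""
import hashlib
import hmac
import os
import re

DELIM_RE = re.compile(r"[:;|\t]")     # user:pass, user;pass, user|pass, tab-separated
PBKDF2_ITERS = 100_000                # assumption about the directory's hashing

# Constructed sample list: mixed delimiters, mixed case, a duplicate, a foreign domain, junk.
SAMPLE_COMBOLIST = [
    "alice@example.com:Summer2022!",
    "bob@example.com;Rex1990",
    "Carol@Example.COM|hunter2",
    "dave@otherdomain.net:password123",
    "alice@example.com:Summer2022!",
    "not-an-email-line",
    "erin@example.com:Wint3r!!",
]


def parse_combo(line):
    """Return (email, password) from one combolist line, or None if it is not a usable combo.
    Only the first delimiter splits, so passwords containing ':' survive intact."""
    parts = DELIM_RE.split(line.strip(), maxsplit=1)
    if len(parts) != 2 or "@" not in parts[0] or not parts[1]:
        return None
    return parts[0].strip().lower(), parts[1]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


def build_directory():
    """Constructed stand-in for an identity store; current passwords are never stored."""
    current = {
        "alice@example.com": "Summer2022!",   # same as the leaked value -> critical
        "bob@example.com": "Rex2023",         # user already rotated -> exposed, not current
        "carol@example.com": "hunter2",       # leaked value still valid -> critical
    }
    directory = {}
    for email, password in current.items():
        salt = os.urandom(16)
        directory[email] = (salt, hash_password(password, salt))
    return directory


def triage(combo_lines, directory, org_domains):
    """Classify each in-scope account: critical (leaked password still valid),
    exposed (account exists, password differs), unknown (no such account)."""
    org = {d.lower() for d in org_domains}
    seen_pairs = set()
    status = {}          # email -> classification, insertion-ordered
    skipped = 0
    for line in combo_lines:
        parsed = parse_combo(line)
        if parsed is None or parsed[0].rsplit("@", 1)[1] not in org:
            skipped += 1
            continue
        email, password = parsed
        if (email, password) in seen_pairs:
            continue     # the same combo recurs across many list compilations
        seen_pairs.add((email, password))
        entry = directory.get(email)
        if entry is None:
            status.setdefault(email, "unknown")
            continue
        salt, stored = entry
        if hmac.compare_digest(hash_password(password, salt), stored):
            status[email] = "critical"   # a match always wins over an earlier "exposed"
        else:
            status.setdefault(email, "exposed")
    report = {"critical": [], "exposed": [], "unknown": [], "skipped": skipped}
    for email, classification in status.items():
        report[classification].append(email)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_COMBOLIST, build_directory(), {"example.com"}))
```

Accounts in the “exposed” bucket still deserve attention: the leaked password may be in use on other services the employee signed up for with the corporate address, which is exactly the cross-service reuse credential stuffing exploits. Verification like this should run on the identity system itself, never by replaying the combos against the live login endpoint, which would be indistinguishable from the attack it is meant to prevent.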

But I Have Multi-Factor Authentication…

Defensive security measures like multi-factor authentication (MFA) provide some degree of protection against account takeover using a compromised username/password combination. Unfortunately, one cannot assume MFA is 100% effective at protecting the victim account from an ambitious cybercriminal. Many individuals disregard exposure in a combolist because such measures are in place, and will not even bother to update the account with a new, more complex password. The flaw in this logic is that once a combo has been verified, especially for a target with a high probability of financial or information return, such as blackmail or extortion, a cybercriminal will willingly purchase the combo with more malicious intentions. Using an exposed combo for a personal email account like Yahoo facilitates additional targeted phishing or social engineering on social media or other platforms to obtain the PII needed to bypass MFA, e.g. security question answers, seed phrases, mobile phone numbers, and digital identity authenticator tokens.

Other leaks of personal data, such as LinkedIn profiles and telecommunications and mobile phone providers’ databases, provide the foundation for conducting a targeted attack against a victim, especially for websites with basic SMS-based one-time password (OTP) protection. General-purpose web testing tools such as Burp Suite, which ships with Kali Linux, are readily available and are used to probe OTP implementations for weaknesses such as missing rate limits on code entry or success responses that can be replayed. When MFA bypass is required for more sophisticated applications, as is the case with corporate network accounts, the cybercriminal might resort to SIM swapping, also known as SIM jacking or port-out scamming.

While simple commercial combolists and verified accounts appear for free or relatively cheaply in darknet marketplaces, accounts with potentially higher financial return, like validated accounts from banking or financial institutions and cryptocurrency wallets, trade at significantly higher prices. One user on Telegram advertises individual Coinbase accounts for sale at $60-100 USD depending on the value of the wallets. Even cold wallets have been successfully compromised using sophisticated social engineering methods that cyber fraud criminals pride themselves on.

Figure 12: Source Telegram, Channel Redacted

In Conclusion

While credential stuffing as a technique is not new, the tools and tactics that are emerging are increasingly sophisticated. As ransomware attacks and data breaches have become more frequent in recent years, the availability of leaked credential and user data has grown as well. This makes credential stuffing even more efficient than blind brute forcing as a means of account takeover, because there is more data for attackers to cross-reference and replay.


Get in touch to learn how DarkOwl can help.

Understanding the Difference Between the Surface Web, Deep Web, and Darknet

November 29, 2022

The internet, social media, and mobile devices are the fundamental requirements for conducting business and engaging in society. Whether checking email, catching up on industry news or accessing customer information, most of us use the internet (and the deep web) throughout the day, every day, in a variety of capacities. But, do we understand how it works – technically – even at a basic level? Do we understand the differences between the internet and the deep web or what it means to go even darker into the decentralized anonymous networks like the darknet?

Below is a breakdown of the various layers of the internet, from “regular” search engine-compatible websites to complex hidden networks.

The Internet

The term internet is short for internetwork, which is a system created by connecting any number of computer networks together. An internet allows for communication between devices that are a part of that internetwork.

The internet is the most well-known example of an internetwork. This is the internet that we find indispensable to our daily lives, and it links billions of devices across the world through a network of networks using standardized procedures, or protocols, chiefly the TCP/IP suite. On top of that, the traditional client-server architecture and the HTTP protocol are the backbone of the web and are used extensively by websites and mobile applications.

Browsing websites on the web is not the only way in which information is shared via the internet. Email, instant messaging, and file transfer protocol (FTP) are other ways to share information like emails, messages, and files.

To clarify, the web is not synonymous with the internet and should not be confused with it. The “world wide web” is simply a way of accessing websites over the medium of the internet.

The Surface Web

The websites we browse each day make up only a small percentage of the internet.

These sites, collectively known as the surface web (or “clearnet”), are visible and accessible to common search engines such as Google and Yahoo. YouTube videos, blogs, and public Instagram pages are all examples of surface web content most people interact with every single day. While estimates vary, a commonly cited figure is that the surface web comprises roughly 4% of all online content. For more reading on how search engines crawl and index web content, there are several articles that describe systems like Google in detail.

High Risk Surface Web

The high risk surface web consists of areas of the surface web that host a high proportion of criminal or illicit content. Many users of the high risk surface web also maintain access to other, darker networks and communities. It includes some “chan”-type imageboards, transient paste sites, and select non-authenticated forums, as well as mirrors of dark web sites under surface web top level domains (TLDs).

While .com domains are the most common website domain, DarkOwl regularly tracks various TLDs that are popular with criminals. Our analysts have observed an increase in .top, .ru, and .cc TLDs. Many high risk surface websites popular with Chinese threat actors end in the TLD .cn.

Below the Surface

Beyond the surface web, an estimated 96% of online publicly accessible content is hosted in the deep web and the darknet.

The Deep Web

The deep web consists of web content that cannot be found or directly accessed via surface web search engines such as Google and DuckDuckGo. Examples include sites that require authentication credentials, such as a registered email address and password; unlinked pages that require the direct URL to access; sites purposefully designed to keep search crawlers out; and databases whose contents are only reachable through their own query interface. The majority of content resides in the deep web.

Deep web databases commonly have their own search functionality which allows users to access the data contained within them. Government databases, patient medical records, and library catalogs are just a few examples of deep web databases. While these databases do not always require login credentials, many of them do.

Banking website portals for accessing account holder data and credit card statements are technically in the deep web because banking websites will not serve that data without authentication. Most social media content that sits behind a login is likewise deep web content.

A specific example is the Denver Property Taxation and Assessment System website which allows users to search property assessment and tax data by entering a Denver-based address into the system. However, if you enter this same Denver-based address into a Google search (and even include terms such as ‘property assessment’ or ‘tax data’), you will not find any documents or URL results from the Denver Property Taxation and Assessment System website. This database and its search functionality are one example of a deep web database that is hidden from surface web search engines and technically resides in the deep web.

The Darknet and The Dark Web

Beyond the deep web is the darknet.

The darknet is any anonymous network, built on top of the internet, that is purposefully hidden, meaning it has been designed specifically for anonymity. Unlike the deep web, the darknet is only accessible with specialized software – dedicated browsers, routers and protocols – beyond direct links or credentials. You cannot reach a darknet address by simply typing it into an ordinary web browser, although browsers like Brave offer private tabs that route through Tor.

Most people associate the darknet with Tor, but Tor is one of many darknets available. Let’s explore some of these darknets in more detail:

  • Tor, or The Onion Router, is an overlay network comprised of volunteer-operated relays that route client-server traffic through the network to obscure who is talking to whom. Superficially, Tor resembles a virtual private network (VPN), but a VPN’s servers are centralized under the VPN provider, whereas a Tor client builds a circuit through a series of relays rather than a direct connection to the server. A website reached through Tor sees the exit relay’s IP address, not the client’s, and no single relay learns both the originating client and the final destination.
  • I2P, or the Invisible Internet Project, is an anonymous overlay network – using the distributed peer-to-peer (p2p) model – intended to protect communication from surveillance and monitoring. It was designed as a self-contained network and behaves much like an ‘internet’ inside the internet. The reference I2P router is written in Java, while i2pd is a C++ implementation for those averse to Java. I2P uses “garlic routing,” where Tor uses “onion routing.” It originated in 2003 as a ‘fork’ of Freenet.
  • ZeroNet is another example of a decentralized peer-to-peer network that functions as a darknet. It is not itself a blockchain: ZeroNet uses Bitcoin-style public-key cryptography, so each site is identified by a Bitcoin address derived from its owner’s key pair, with optional human-readable .bit names resolved through Namecoin, and it relies on BitTorrent trackers to find peers. The IP address of a ZeroNet user is not private, and the ZeroNet developers offer bundling ZeroNet with Tor for additional anonymity.
  • Freenet is distributed, peer to peer anonymous network which allows users to anonymously share files, browse and publish “freesites” (web sites accessible only through Freenet) and chat on forums. It is a distributed ‘data store’ allowing the content to be available on the network even though the originator or publisher is no longer on the network. Communications by Freenet nodes are encrypted and are routed through other nodes to make it extremely difficult to determine who is requesting the information and what its content is. The distributed data store nature of the Freenet environment is ideal for microblogging and media sharing, but also puts the users of the network at risk of unknowingly hosting illicit or CSAM content as encrypted fragments of media are stored on the hard drive of every user in the network.
  • Lokinet is another decentralized overlay network that serves as a darknet providing enhanced anonymity and privacy; its relays (service nodes) are registered and staked on the Oxen blockchain. Lokinet uses a multi-hop low-latency onion routing protocol (LLARP) and is not limited to TCP traffic for serving HTTP requests. Because Lokinet sits at the network layer, it can carry any IP-based protocol, including UDP and ICMP, which makes it a usable option for web-based video and voice conferencing applications. The Oxen blockchain also underpins the end-to-end encrypted chat application, Session.
  • Yggdrasil is a fully encrypted IPv6 overlay mesh network in which each node holds a cryptographic key pair (as in ZeroNet) and its IPv6 address is derived from its public key. Routing is highly adaptable, using a spanning tree for coordination; nodes act as routers and paths are built automatically without any data store or shared address book of the network. Yggdrasil is still considered a ‘proof of concept’ and was designed as a more scalable successor to the ideas in CJDNS.

Navigating these networks can be frustrating and challenging for any OSINT/darknet investigator, and the public often uses the terminology associated with these different layers of the internet incorrectly. Any website that hosts or serves illicit content, whether it is on the surface web, the deep web, or a darknet, is technically a segment of the “dark web.” Dark web and darknet are often used interchangeably by us and other information security researchers.

Join us next time when we explore more darknets and darknet adjacent chat platforms like Telegram and Discord. Get on the list so you don’t miss it!


The darknet is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture, but is becoming an increasingly vital component. Contact us to learn how we can help.

Monitor Cryptocurrency Mentions Using Entity API

Entity API, part of the DarkOwl API product suite, allows users to access highly-targeted, structured information from the largest commercially available collection of darknet and deep web sources, which include Tor, I2P, Zeronet, Data Breaches, encrypted chats, IRC, and authenticated forums. Learn how to monitor cryptocurrency mentions in the datasheet below.

Entity API users are able to search for a crypto address that DarkOwl has captured from darknet sources including illegal marketplaces and vendor forums to detect wallets with problematic activity.


Contact us to learn how Entity API can bolster your security posture.

MST Signs with DarkOwl to Deliver Critical Darknet Data to Clients

November 13, 2022

DarkOwl is proud to announce their new partnership with MST Egypt, a leading provider of comprehensive and innovative integrated IT solutions starting from assessing the client needs to full solution implementation and maintenance.

Egypt-based IT solutions company MST and U.S.-based data company DarkOwl are proud to publicly announce their new business partnership. The agreement enables MST to include DarkOwl’s data as part of its security offerings, and comes as the result of a need from their clients to have more insight into the darknet.

DarkOwl is known in the industry for having unmatched access to forums, pastesites, marketplaces, and chatrooms on underground networks such as Tor, I2P, ZeroNet, and Telegram, as well as deep web and high-risk surface web sites. The darknet remains a hub for criminal activity for things such as ransomware, a problem faced by over two-thirds of organizations.

“As cybersecurity incidents become more sophisticated, more and more critical data is being shared on the darknet. Without tools like DarkOwl’s, it is incredibly challenging to maintain insight into everything the threat actors have insight into, and stay ahead of potential threats,” said DarkOwl’s CEO Mark Turnage. “We look forward to continuing to grow our darknet and deep web coverage to ensure MST customers have access to the most up-to-date and relevant darknet insights.”

The CEO of MST, Mr. Mohsen Sobh, expressed that DarkOwl was already bringing immediate value to their client base. Per his statement, “thanks to DarkOwl’s solutions, our customers have much more visibility of what is happening to their data assets in the darknet market, which proactively prevented them from deep malicious activity that may impact their reputation.”

“We are enthusiastic to move our partnership with DarkOwl to add extra value to our customer visibility and security intelligence solutions that will enrich their security efficiency,” Sobh added.

The decision by MST to enhance their IT solutions with top-tier darknet data is consistent with their dedication to expanding their scope of coverage to enable their customers to stay ahead of threats and potential attacks.

About MST

MST was established in 2001 with the purpose of providing different organizations with high quality IT solutions. Systematically, we have successfully expanded our scope of services to be a leading provider of comprehensive and innovative integrated IT solutions starting from assessing the client needs to full solution implementation and maintenance. MST has extended its geographic coverage to include regional and international markets such as UAE and USA.

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.

[Webinar Transcription] What Role Does Darknet Data Play in API Security?

November 10, 2022


Mark Turnage, CEO and Co-Founder of DarkOwl, and Anusha Iyer, CTO and Co-Founder of Corsha, discuss how API Security professionals can benefit from darknet data in forming a more comprehensive understanding of malicious threat actor (TA) tactics, techniques, and procedures (TTPs) and providing effective detailed security recommendations, remediations, and product solutions. API Security related topics, like “API hacking”, “stolen API tokens”, and “API MITM attacks” are regularly discussed in detail in darknet forums, tokens sold and traded in underground digital marketplaces, and API exploitation code shared amongst threat actors.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: Hi, everybody. Thank you for joining today’s webinar. 

Before we begin, I want to take a moment and introduce our speakers. Anusha Iyer, President, CTO, and Co-Founder of Corsha, and Mark Turnage, CEO and Co-Founder of DarkOwl, both of whom have many years of experience working in the cybersecurity industry. Anusha is a Carnegie Mellon alum. She started in the Washington, DC area at the Naval Research Lab. At NRL her focus was on reverse engineering and tactical edge networking. She started Corsha with a friend a few years ago and is passionate about helping organizations get API security right, and making security accessible, easy to adopt, and even self-assuring. Mark is a graduate of Yale Law School, Oxford University, and the University of Colorado, Boulder. He serves on numerous corporate and nonprofit boards, and is a private investor in technology, software, and manufacturing startup companies. He is also a senior advisor to the Colorado Impact Fund and a technology advisor to the Blackstone Entrepreneurs Network. And now I’d like to turn it over to Anusha to begin our webinar.  

Anusha: Thank you Kathy and thanks to everyone for joining. We have an exciting agenda today. We’re going to look at API security and specifically API credentials and what an API security related incident looks like. We’ll tell you a little bit about Corsha as well as DarkOwl. We’ll go into why API security is so critical, some mechanisms to combat some of the threats and the attacks that we’re seeing, how the darknet can provide insights on this problem. Then [I’ll] turn it over to Mark to talk about DarkOwl and what is the darknet, how DarkOwl can deliver darknet data and give you more insights and analytics into where information is showing up on the darknet. And particularly with respect to APIs, what are threat actors saying about APIs on the darknet? And then we look forward to your questions and final thoughts.

DarkOwl and Corsha actually met a few months ago at Black Hat and had an interesting conversation around the proliferation of API credentials and how they are increasingly being used to gain unauthorized access to systems and services.

Increasingly we are seeing these types of data showing up on the dark web and being leveraged to execute breaches against organizations, like Toyota. Recently Toyota was notified of a breach where they had an API access key for the T-Connect system. That’s part of their connectivity app to give things like wireless access and so forth to vehicles, and apparently, they had inadvertently checked in a hard-coded API secret into a repo about five years ago. It’s been available for five years in a public repo. And then they just released that over 2,900 records were exposed since then, giving access to customer names, customer information, and so forth. This is one example of what the threat landscape looks like and what the implication can be of API credentials getting into the wrong hands.

Similarly, recently FTX and 3Commas revealed that an API exploit was used to actually make illegitimate transactions, to FTX transactions. And this was done using API keys that were obtained from essentially users and phishing attacks actually accessing other systems. Right, so 3Commas, the platform came out and said that the API keys were obtained from outside of the platform, but certainly still pose the risk of being able to then be used off-environment, unauthorized, to then make financial transactions. These trades were basically from keys that were gained from phishing and browser information stealers. 

Kathy: We’ve had a question come in on these first couple of slides. Someone would like to know, is the fact that APIs are being targeted – is that a relatively new phenomenon?

Anusha: That’s a great question. It is an increasingly leveraged phenomenon. I wouldn’t say that it is new necessarily, but it is increasingly leveraged. Because APIs tend to be an underserved element with respect to cybersecurity postures of most enterprises. Increasingly organizations are relying on APIs. As they look towards digitally transforming application ecosystems into microservices, APIs end up forming the backbone of communication and application ecosystems. And further, more and more organizations are moving towards cloud, moving towards ephemeral scale, and that just creates a proliferation of environments where these credentials are potentially obtainable. 

Mark: And that’s echoed by what we’re seeing in the darknet where discussions around API exploits, API keys, stealing API keys, and selling them is a relatively new phenomenon in the darknet over the last couple of years. We’re seeing the same thing from the criminals’ perspective that Anusha is observing in real life.  

Anusha: Absolutely. I would come at it from the perspective that we see the movement of organizations using more APIs, but you’re absolutely right from an exploit perspective. It is fairly new. And it makes a lot of sense, they tend to be large types of information. With the automation it’s easy to lose track of what’s legitimate and what’s not. Great question.  

Another one, this one was actually a 2018 leak where it was the USPS API endpoint. And in this instance, it was more of an authorization vulnerability where if someone has a USPS account they could actually change search parameters and do a much more expansive search and essentially get records for an entire data set without being limited to exactly what they should be seeing. It’s both on the authentication side but also on the authorization side in terms of how these credentials are provisioned, leveraged, and so forth.  

With that, let me hop into Corsha and tell you about our story and why we’re going after this problem space. Both myself and my co-founder come out of the DoD intelligence world. We’re focused on: how do we stop these breaches? How do we prevent unauthorized access to sensitive systems and services? And [we] decided to start Corsha at the intersection of machine identity and API security. A lot of our early customers are out of the Department of Defense and we are working closely with Gartner to define this category and to define the space, if you will. What we’re finding increasingly is that API authentication, authorization, and security in general substantially lags behind all of the resources, effort, and human capital, put into human identity and access management. Now we need to think of these machines as entities, and as the same first-class type citizens as humans because they are accessing systems and services at a far greater rate and at a far greater impact even than just humans logging into accounts. So we started Corsha and we’re very focused on how we can help with this API credential and API identity problem. I’m probably telling a lot of folks that are online something that they already know, which is that today API secrets are just glorified system passwords. They are largely static, often shared, rarely rotated, and don’t have a lot of good hygiene around them. They get leaked, sprayed, and sprawled across tons of environments. Mark, I’m sure you’re probably seeing this on the other end in terms of where they’re coming from, whether it’s CI/CD pipelines, whether it’s things like logs, deployment or cloud platforms, or even team collaboration sites. We already saw an instance with Toyota of GitHub. But I would venture to say that most organizations, just for the ease of sharing, probably inadvertently have leaked API keys, even internally, across systems.
Because today the model of authentication is largely static, they’re ripe targets for adversaries.  

Kathy: A question based off this slide: can’t secret managers like Vault or KeePass prevent these attacks from happening?  

Anusha: It’s a great question. To some degree. They provide a secure mechanism to store the keys internally. But, oftentimes these APIs live in hybrid environments even in the control of hybrid parties. You may have an API that you expose to a partner, a vendor, or a customer. You would then have to rely on them properly leveraging a vault or a password manager or maintaining good hygiene around secrets to access your systems and services. So that’s part of the challenge here, is that vaults and password managers tend to be very environment or entity-controlled specific. 

Because we’re using these static, essentially bearer model credentials, for authentication and even authorization, they are almost acting as proxies for machine identity. And the challenge is that they’re not very strong proxies because they are static and they’re difficult to maintain hygiene around. Whether it’s a key, or a token – like an OAuth token, a JSON web token, or even a PKI certificate – because they essentially prescribe that bearer model of authentication where “as long as I hold it, I can leverage it, it doesn’t matter where I’m coming from,” they turn into ripe targets for adversaries. I’ll stop here and say that when we talk about a machine, what are we really talking about? In our terminology we like to think of it from the zero-trust approach to it where it’s a non-person entity. Anything where you’re trying to access a system or service and there isn’t a human identity to back that access is where the API authentication approach breaks down a little bit. Whether that’s a Kubernetes pod, a Docker container, VMs, even physical IoT devices – those tend to all be areas where static credentials end up getting leveraged in some way, shape, or form. Increasingly we’re seeing that these are the new attack vector that is increasingly in vogue.

To give you a very quick overview of what we are doing at Corsha, what we’ve done is we’ve come up with an API security platform where we can pull some lessons learned from the human identity and access management space. And we’ve come up with a way to not only do dynamic machine identity for API clients, but then leverage that to do fully automated MFA for machines. Think of a second dynamic factor where you can make sure that API calls are going with one-time-use MFA credentials. This gives you a lot of those nice benefits that we’ve seen on the human side with MFA where now you can pin access to only trusted machines. Even if a key inadvertently gets checked into a public GitHub repo, if MFA is enforced as a secondary factor, you’re okay there. That’s the idea: to elevate these API clients as first-class citizens, regardless of what their form factor is, in a way that is easy to adopt, easy to integrate, no code change, so that it doesn’t place burden on DevSecOps teams and make their day to day easier. So that they’re not having to worry about things like credential rotation as part of their workflows. 

Just very high level, the essence of what we are trying to provide is security, visibility, control, even the ability on a fine-grained level to do things like start and stop access for a client. That’s a little bit of a difference with, say, this approach and say a vault. Because if you give an API key to a third party, you don’t necessarily have control over their vault. But with machine-driven or an identity-first approach to it, you can say, okay, from a control plane I’m going to dynamically start and stop API access for this collection of machines. And in that way have the expectation of access matching your threat surface. That’s a quick overview of Corsha and the product and the problem space. I would love to turn it over to Mark and hear more about DarkOwl and what you’re seeing on the darknet.  

Mark: Thank you. The darknet is an interesting place and DarkOwl was set up specifically to allow organizations to monitor the darknet for threats to their core missions. As you can see in the lower right hand corner, our clients include many of the world’s largest cybersecurity companies who effectively use our platform and use our data to monitor on behalf of their clients. We also work, as does Corsha, with various agencies in the US Government. What we do is we go into the darknet at scale and we extract data at scale from tens of thousands of darknet sites on a daily basis. We index that data, we store that data, and we make that data available to our clients and make it searchable to our clients.  

The question I get is what really is the darknet or the dark web? The two terms are conflated.  

We all spend most of our time in the surface web. What you can search for off of your Google browser is effectively the search web. It represents a relatively small percentage of the data that is available by the internet, in spite of the fact that if I search for any term I’m going to find thousands, if not tens of thousands of results on my Google browser. It’s actually a relatively small percentage of the data that’s out there. Most of the data is fire-walled and it’s in what we call the deep web. My bank account information is available to me because it’s authenticated, I have the credentials, but it’s not available to Anusha and vice versa. By volume, most of the data that’s available via the internet is actually in the deep web. We specialize in the darknet, which is below the deep web. The darknet is dark for two reasons. It’s dark because you can’t get there from your Google browser. It usually requires a specialized browser or specialized access. What it does is it obfuscates user identity. Oftentimes the traffic is itself encrypted. And because of that, it is the perfect environment for criminals to operate in. Anusha and I can conduct a transaction, we can have a conversation, we can conduct a criminal transaction, buy or sell exploits with each other, drugs – there are any number of other things that we can do. A law enforcement agency could be sitting in the middle of that and see the transaction go through and see the discussion and never understand who I am and who Anusha is. And if you add in cryptocurrency on top of that, we could pay each other in an anonymous fashion. As a result, the darknet has become a haven for criminal elements.  

At the bottom of that page, you’ll see Tor, I2P, Zeronet. Everything in red is data that we at DarkOwl collect from. We also collect from certain deep websites and some surface websites which enrich our darknet data. Increasingly, especially with the Ukraine-Russia war, these direct messaging platforms, such as Telegram and IRC, are becoming destination points for criminals to operate in and we collect data from those as well.  

Kathy: Mark, before you move on, an attendee would like to know, how big is the darknet?  

Mark: I wish I had an answer to that question. We don’t know how big it is. We do know that Tor was the original darknet. It is now one of many darknets. The Tor project actually publishes data on users, number of users, numbers of connections to the Tor network, and number of sites.  

Year on year, it continues to grow significantly. There are a number of sites like I2P, Zeronet, Freenet, and these other new sites that have grown. We don’t know how large it is. We have been told that DarkOwl has the largest commercially available archive of darknet data that’s available. I couldn’t prove that to you because I don’t know what the denominator is. But we know that the darknet is growing in terms of both customer usage and transactions that take place.  

Very briefly, this is the kind of data that we collect. The data that most people are familiar with is at the bottom of this slide. We hold somewhere around 9 billion email addresses that we’ve collected over the years, 1.8 billion IP addresses. Those are oftentimes IP addresses or networks that are being targeted. A range of credit cards, crypto addresses, and so on. It’s a big database that we have, and it’s updated continuously and has been since we stood the company up five years ago. Then we make our data available by a number of APIs as well as a user interface for the analyst community as well. But to give you a sense, just in the last 24 hours we’ve indexed and put into our database 1.3 million documents. That gives you a sense of the scale of the type of documents that we’re dealing with.  

More relevant to this conversation, though, is the next slide, which is, what are we seeing in the darknet that is relevant to the issue around API security? And the answer is a lot. We’re seeing that threat actors in the darknet are discussing stolen API secrets, keys, they’re trading the session tokens, and they’re openly discussed in these closed communities. This is a hot topic for the criminal elements in these communities. There are man-in-the-middle attacks, there are injection methods being discussed and actually traded. Anusha and I would get into one of these forums, we’re both criminal actors, and we would discuss how I mounted a successful attack using this method. And she’ll say, can I buy that method from you or can I borrow it? Let me try it on a target that I’m thinking about. We see that ongoing. JWT authentication bypass methods are oftentimes discussed in detail. That’s been a real wake up call for me personally, seeing how creative criminals are being in these methods that they’re developing. Tools are shared.  

Interestingly enough, and not particularly relevant, but the DDoS services are sold. API DDoS services are sold for cheap. One of the things we’re seeing broadly in the darknet across all sorts of threat actors is the migration of threat actors to actually selling out their services and renting them out on a monthly basis. This is just an example. We’ve seen Kubernetes targeted especially. It’s a distributed environment, so there are some vulnerabilities that the threat actors are using. Then hacking courses on and on and on.  

These are some screenshots of some of the discussions that we have seen in the darknet. In the upper left you’ll see this discussion around leaking API keys. In the middle of the slide, you’ll see Russian threat actors describing API keys as well as the secret keys and making the secret keys available. I think those were stolen. In the lower right, I love this. You know, we figure out a way to withdraw funds using API keys without access to the account itself and on and on and on. If you get onto our platform and search for any of these terms, you’re going to find quite a lot of discussion among the threat actors and the criminal gangs around this. And you’ll see data brokers actually selling keys. Selling actual access to networks. The conclusion is that the darknet is rife with discussion around the very threats that Corsha is targeting and that was set up to respond to. Anytime you see this kind of activity, any time you kind of see this discussion going on in the darknet, you know you’re on to something. So your customers made some smart choices here, Anusha.  

Anusha: We appreciate that, Mark. I will say it is very interesting to see all of the discussion and the activity around Kubernetes. I think that might be even a fun double click into another session to do, because it is turning into a foundational layer of most organizations transforming their application ecosystems. It would be fantastic if we could get ahead of that.  

Mark: I’d actually like to talk to the founders back at Google. It was right around 2014, if I’m correct, about Kubernetes, and ask them whether they ever had a conversation around security right at the outset. Because most people, most developers won’t. And it’s not a criticism. It’s that just most developers won’t do it. They’re thinking about how to build a scalable environment for whatever their mission is. They’re not thinking about how five or six or seven or eight years down the road, somebody’s going to be trying to attack that environment.  

Kathy: We’ve actually had a few questions come in. One of our attendees would like to know: what specifically can be done from a security perspective to prevent an API attack?  

Anusha: Some of it is obviously having good hygiene around primary credentials. Having policies in place for things like rotation. Certainly using a platform like Corsha as a layered defense, so that you have a way to uniquely identify and control each API client, is a very sound approach to a lot of this activity that we are seeing on the darknet. Other things like making sure that API access is least privileged, so having notions of authorization in there. Just like when you have a given user, you give them roles, and not all users have access to the same information and services on the system, APIs and API clients have to be dealt with the same way. And having ways to revoke secrets and revoke access are very important. It’s about drawing a lot of those parallels that we have with human identity and access management but into the world of APIs. 

Kathy: Thank you. We also have a question of: how can security or engineering teams get better visibility into how their API secrets are being used? 

Mark: One way to do that is to use a platform like DarkOwl’s platform to actually monitor the environment on an active basis. Oftentimes, you will see threat actors discussing targets by name or by IP range or by other things. Look in the upper left hand side of this slide, right there is a discussion around a very specific key from a very specific 

My point is, any time you’re thinking about security more broadly, there are a number of hygiene elements that have to go into place. One of those hygiene elements is monitoring this environment where criminals are actually plotting attacks in a wide variety of different contexts, not only in the API environment. We see active threats, active exploits under way. We see targets being identified and threat actors saying, all right, that’s great, I’m going to hit them. You have to have some eyes on that environment.  

Kathy: Thank you. We did have one more question come in, and that is, what should a team do today if an API secret is compromised?  

Anusha: That is where having a good platform for observability in place is really important because you want to know where that API secret could have been leveraged, right, and have the ability to quickly revoke and rotate it. It’s both understanding impact of the leakage or the stolen credential and then mitigation strategy of how to revoke it, how to rotate it, with obviously as little downtime as possible. I think for observability using a platform like DarkOwl is really helpful because you can see the extent to which it may have been leaked or compromised as well.  

Mark: Thank you, Anusha. It’s a pleasure doing this. Let’s do another one in the future once we find more threats.

Anusha: Absolutely. That would be fun. Thanks so much for the time. And thanks to everyone for listening in.   


About Corsha:
Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Our core technology is dual use, designed for widespread adoption, and easy to configure and deploy to both commercial and government customers. Corsha has a strong engineering team with deep expertise in distributed ledgers, cryptography, security principles, orchestration technologies, and software design. Contact Corsha.

About DarkOwl:
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access its data. 

To get in touch with DarkOwl, contact us here.

[Webinar Transcription] Countering Illegal Trade on Darknet Marketplaces

November 08, 2022

Or watch on YouTube.

David Alley of DarkOwl FZE and Ivan Kravstov of Social Links dive into the topic of harnessing OSINT to expose illegal trade on the darknet. They outline the black-market landscape of the darknet and showcase a range of methods for fighting illegal trade and approach the topic of darknet marketplaces from different angles. In this webinar, they cover:

  • The nature of the dark web and how it is accessed by users
  • The functional make-up of darknet marketplaces
  • User deanonymization methods
  • Advanced darknet data extraction and analysis techniques

Attendees learn how to break through the perceived anonymity of the dark web and crypto transactions to identify criminal actors and track illegal trade and illicit activity.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity


Ivan: Greetings everyone, today we will be hosting a joint webinar with David Alley of DarkOwl FZE and the topic will be countering illegal trade on darknet marketplaces or more broadly dark web research in general. 

David could you tell us a bit about DarkOwl?  

David Alley: Absolutely. It’s really great to be here and thank you to everyone for joining from all around the world. I know that we always fight the various time zones to get everyone here, so a special thanks to the Social Links team for hosting this webinar. They’ve been super helpful in getting this excellent presentation together for us.  

A little bit about DarkOwl – we are an American company, and our headquarters is in Denver, Colorado, also known as the Mile High City. We originally started off as a cybersecurity company with a focus on penetration testing. And at that time we would do research on the darknet to see if we could find credentials to help with our pentesting work. We were really successful at that, we had a very high rate of penetrations for the pentests. We said, “why don’t we change this and actually go into being just a pure darknet company only?” That was really the birth of DarkOwl. Since then we’ve had a lot of great team members with us at DarkOwl and we’ve built a very good collection capability for us to go onto the darknet and pull out that data that is really difficult to get to.  

We have a great collections team that does all of this hard work and makes it much easier for our partners like Social Links to do the next part. Which is, once they’ve looked at that data, to make sense of it and decide what does it mean? And how do we use it? And how do we fight crime that is emanating from the darknet? 

We have a couple of claims to fame. The one we use the most is that we have the largest commercially available darknet data lake in the world. And that’s just because we have been doing it for longer than everyone else. We’ve had some very special team members over the years that have had a very unique access and understanding of the Tor Network. At one point we actually had the co-founder of Tor on our team and so it’s a really unique company. We are highly niche and highly skilled and that’s why great companies like Social Links and ours like to work together because we are complementary. We work a lot with OSINT analysts as well, but we also provide APIs and data feeds for partners and that’s how we work with Social Links. I think you’re going to be pretty amazed at what the team has to show you today. I’m always impressed with what they’re able to come up with; they have a superior team. Leveraging great data from DarkOwl with great analysts from Social Links you’ll always be happy with the results. I’ll turn it back over to you Ivan. 

Ivan: Thank you very much for the introduction David. A bit about us: the company was founded in 2015, we have 80+ employees at the moment with HQ in the US and EU offices in the Netherlands and the R&D office in Riga, Latvia. What we do is provide software for data-driven investigations. You can see that we have a good rating on Gartner Peer Insights and that we have received a number of industry awards in the past years. 

Here we have a very brief slide about the average pricing of various goods on the dark web. Ranging from stolen credit cards to out of the box ransomware Trojans.  

A concept that I’m sure everybody is familiar with is that there is a division into what is known as the clear web or the surface web, something which is indexed by conventional search engines, then there is the deep web which can include many different things that are not [indexed by conventional search engines] and that it takes a bit more effort to find, and then there is a space commonly known as the dark web which includes the Tor Network but also additional ones such as I2P, Freenet, and Zeronet.  

The general principle of the Tor browser network is that the traffic goes from the user through several nodes and then reaches a specific server at the end. The current total Tor network bandwidth is 400 gigabytes per second.

One of the technologies that is also utilized quite often within the platforms of communication is PGP encryption. The basic concept being that the user sends an encrypted message that can only be accessed and read with the use of a private key held by the recipient.  

Now here we can see the boost of darknet marketplaces revenue from 2011 with the first precedent being the Silk Road up to 2020 [revenue] which is quite substantial.  

The products and services available on those marketplaces range from drugs to tutorials, forgery, various kinds of illicit services, malware hosting, and fraud. The majority of those being drugs. 

The general principle of how a marketplace works is that a buyer exchanges currency for any kind of specific cryptocurrency accepted by the marketplace. Which is predominantly Bitcoin at this moment but there is a shift towards alternative ones such as Monero or Zcash. The buyer then transfers the Bitcoin into the market’s account and makes a purchase. The crypto is held in the market’s escrow account until the order is finalized with the market taking a commission. After the finalization of the deal the vendor is paid. Then the vendor may move the Bitcoin from the market account and potentially exchange it. 

Here we see an infographic of types of entities receiving Bitcoin from dark web sources which can be KYC and for exchanges enforcing KYC or exchanges more liberal with their KYC processes. Those can also be mixing services and other entity types.  

David, if you could tell us about DarkOwl’s differentiation?  

David: Absolutely. As we’ve seen here we’re talking a lot about the crypto piece. And I want to talk about how DarkOwl differentiates itself and helps you with this. It is because we are able to go into these markets that we’re talking about today and we’re able to pull that data out for you. A lot of the blockchain tools that you’ll be familiar with will allow you to see various wallets as they’re being tumbled and where they’ve been mixed or how they’re being exploited. But what they have difficulty doing is tying wallets to a very specific illegal activity. And that’s one of the main things that makes us different for these types of investigations. We are continuously out there crawling these darknet sites and these markets that we are in. Someone asked a question: how do we differ from our competitors? It’s just a real question of scale and scope. Many of them are in about 400 sites and we’re collecting from over 95,000 sites and about another 20,000 to 30,000 mirrors every day. It’s this massive amount of unmatched darknet content discovery that we’ve got and inside of that content is where all of these cryptocurrency wallets are which can be tied to illegal activity. You want to buy your MDMA in London? Here you go – use this Bitcoin wallet or this Monero wallet.

I second the comments that we’re seeing a shift from Bitcoin into some of the other coins out there. We’ll even pick up coins in our collection that are not even on the chain yet. They’re brand-new wallets that are being used. We’re seeing that shift away from the traditional way of using the same wallet over and over to now criminals will create a new wallet, put it up on the site for their drugs or their CSAM material or whatever it is they’re trying to sell, and have the payments into the air before the blockchain tools can even detect them. You’ll see coins get recycled and because of our unique archival capability it goes back to almost 9 years’ worth of data. You can also do those deep investigations into darknet transactions that happened years ago. All of that together gives you the content that makes investigations very strong and that combined with the ability to do leak analysis as you can see from our Social Links partners is a very powerful tool. To give you an idea of what we actually have in the collection, it’s about the numbers. 

It is a lot of Tor. Tor is the largest of the darknets. We also have a very large collection from I2P and from ZeroNet. Those are the three major darknets that we collect on. And there are some very technical reasons behind that. We also are having a lot of success picking up cryptocurrency transactions off of Telegram channels. As we know Telegram is very popular with a lot of different hacking groups and black hat hacking groups. It’s easier to use than a darknet channel. We see that a lot of hackers are also gamers, and they use Discord for communications. We see some in pastes as well. What should really be focused on [in this slide] is the lower right-hand corner. That’s 347 million cryptocurrency wallets pulled out of our darknet collection. It’s a pretty big number, and every time I see a cryptocurrency wallet on a darknet site it’s always doing something bad. I’d say it’s a 99.9% probability that if you’re using Social Links and you pull out a cryptocurrency wallet from the darknet data, you’ve already done one of the hardest steps which is identifying some form of suspicious activity. I’ll turn it back over to our Social Links partners to take you through the rest of the demo.  

Ivan: It may make sense to note that with Telegram and Discord channels there is indeed substantial overlap. Much more substantial obviously than with the traditional mainstream social media platforms. Telegram and Discord aren’t really called social media, but they have a significant social networking element. Telegram especially in the past few years. It is about cybercrime groups but also apart from that it could just be local, regional, or even macro-regional drug vendors. It could be people engaged with child grooming, especially on Discord, or extremist groups as we previously covered in one of our webinars with a German expert on extremism research. Now we will go into the actual examples that we have. 

First we should dedicate a few minutes to talk about the method of dark web research. In this case that would mean focused on researching an individual. It makes sense to use all of this in conjunction.  

From the username we can get the specific platform within this interface where the vendor or forum member is present. That can also give us insights into their stated or observed affiliations. Those are the payment methods, the posts and threads and the products. From the posts and threads you can examine the topics discussed in the details which can also tell you more about what exactly they are doing, what kind of merchandise they are dealing in, what kind of categories, and if they have a specific focus. As well as the speech patterns of the idioms and idiosyncrasies used by the individual and the shipping locations. And of course, the products also tell us more about the proper categories and sometimes product cards can contain contact details within them. Objects within this schema such as the speech patterns, the stated shipping locations of the products, the affiliations, and the specific platform can point us to assumptions about a certain region or macro-region.  

For example, there is a higher probability of a vendor or a forum member on an Eastern European marketplace to be from somewhere in Eastern Europe. Payment methods can be different as well as various types of e-money, but here we’ll focus more on cryptocurrency addresses. A transaction derived from an address can tell us about the interactions it has with other addresses or groups of those. And it can tell us about the services that they are using such as mixers or exchanges. A mixing service may also have theoretically some kind of interactions in some kind of partnership program for a specific marketplace. They can also be mentioned in various reports or forums. All of those can possibly lead us to digital breadcrumbs, and that in conjunction with the assessment of the presence of the user in other forums and marketplaces and the way their personality may be reflected in their online behavior and the kinds of merchandise that they are dealing in and the kind of payment methods that they’re using is all part of an attempt to create a digital profile of an individual.  

Now here we will start with the first example where we will go from an alias. We will run our first transform search for users under this alias. Here we can see some details in the properties, one of those being the site name Tochka Market. “Tochka” is a Russian word standing for point or place. We search for the products related to this vendor and we also extract their PGP open key which is quite often used by vendors. Next, we will use the products and extract the locations they are to be shipped to and from. 

We can see here that those are mostly recreational drugs shipped to the United States. From a PGP open key it is sometimes possible for us to go to the email address. Not in a hundred percent of cases, which can also be said about some of the other methods that we will be applying here. Here we see a Gmail and from that we can further try to see if there are any social media profiles and any accounts connected to that email address. There is also the possibility to get reviews if it’s a Gmail account. We can see that there are accounts within Facebook, Firefox, Gravatar, Pinterest, Samsung, and Twitter connected to the email and we see several profiles within Gravatar, LinkedIn, and Skype from which we can extract additional details. In reviews we also see a cannabis dispensary seemingly located in the United States and a bar in Cameroon which matches with the location that we see here within the LinkedIn account [redacted account name] connected to the Gmail address. There is also a post promoting the sale of marijuana on a surface web source stated by the account holder to be safe and secure. Now here we can use some of the Maltego functionality to go into more data about that specific domain. The WHOIS data gives us the name of [redacted name] as a registrant and the company name [redacted company name]. [Redacted names] are both something that we have seen within the social media footprint derived from the email address. Now of course an analyst won’t be as lucky as in this instance in 100% of cases, but this is real data related to a real individual. It is possible because people do tend to make mistakes.  

Now we will go through another alias. This [alias] gives us 4 accounts with the same username and it’s something that vendors do to maintain a commercial reputation with the customer base. Now we can ask for specific platforms. We can see the Dread forum, the Hub forum, the Apollon market, and the Wall Street Market. Now we also see a single PGP key used by three out of four of those accounts and we will further ask for the posts and products. We can see that there is a certain focus on Europe. In this instance the goods are more likely shipped from Europe to locations worldwide. The principles of working with the posts are similar to the way a user of Social Links Pro or a SOC tool in general can work with social graphs. The graphs of social interactions within the digital space. From each of those we go into the thread. From the thread we can go to the other posts within it, and the other users that have been participating in those conversations.  

This is just at the stage of gathering data and an analyst working on a real case will of course face the necessity to analyze this communication in depth. That’s why there’s a capability here to download the content within those posts and save the text content as a text archive. Now here we see a Proton Mail account [redacted email address], so they seem to be more conscious about their digital footprint and security, but potentially we can try to search for this alias in the social media platforms available. Here we’ll try with an Eastern European platform because [redacted name] [the alias] is obviously a reference to the famous assault rifle. Here we got an account with just a cat as a picture under the name [redacted name] and while it’s not something that we will state and something that we will accuse this person of, it could be a coincidence or it could not be a coincidence. The account is not very informative, is closed, and has a profile picture of a cat. So here we are less lucky than in the first example. In some instances it’s even more obscure. Here we see an individual with the alias [redacted name] focusing on the European Union. They have two email addresses and a statement in the product description that there is a possibility to contact the vendor on Discord. We see that there is a Discord account connected to their Proton Mail address, and also a Skype account which states the location as Germany. This is all on the level of analyzing people and individuals or small groups of people, because several individuals can be behind one username.  

This can also be done on a macro level. We can take several capital cities or countries within a certain macro region such as Asia-Pacific or Latin America and run a search into the full spectrum of dark web sources available to us to see which products are shipped to and from those locations. Here we see that some countries have more activity within the spectrum of available sources, some countries have less, and we can potentially look for vendors that are focused on two or three specific countries at once. We can also see which marketplaces are more active within a given region. Here, in Latin America, the Tochka market is quite active. Additionally, the Apollon and Nightmare markets and then several other ones have much less activity.

Now of course it makes sense to talk a bit about the cryptocurrency aspect within dark web research. Several of those graphs are something that we've shared previously in some of our previous webinars. The methods can be split into two sets: passive intelligence and direct engagement. Passive intelligence may include open-source and social media intelligence, the traditional follow-the-money approach, and the enrichment of the initial entered data that the analyst or potentially a victim of a crime may have. Direct engagement is something that implies using custom digital avatars for social engineering and also, in the case of enterprises or state organizations, offensive security procedures or threat intelligence. Some of those methods are more customary to certain kinds of professionals, analysts, and organizations than others, but in the end, as is the case with any kind of investigation, it is all about connecting the dots, the seemingly unconnected entities, in a broad sense of that word.

Here is a small reflection of the situation within the Bitcoin ecosystem. There are a number of addresses here, some of those belonging to militant extremist groups such as the Palestinian Al-Qassam Brigades or Hay'at Tahrir al-Sham, the fellowship operating in Syria. Some of those belong to dark web vendors such as Ross Ulbricht, the founder of Silk Road, Alexandre Cazes, the founder of AlphaBay, or the administration of the Wall Street Market that exit scammed in 2019. Some of those were because of law enforcement, some of those were ransomware groups, and some of those were to legitimate exchanges.

A way to perform this attribution, to be 100% certain that a specific address belongs to a specific individual or a group, is to run searches into the social media and dark web space and also into data that is provided by vendors such as DarkOwl. And I must say that DarkOwl provides fascinating amounts of information of fascinating depth, and a number of these were done with the help of DarkOwl as well. Social Links is focused specifically on the Tor Network, while DarkOwl, as David has mentioned, also pulls data from other sources such as I2P and ZeroNet. Once you get this kind of entity you can further run the transform to get to the details and then examine the contents of those entities. The source of the networks and the date and time are also stated within the properties.

Here we have another simple example of building a timeline with the timestamps from within the transactions related to a specific address and the timestamps of the mentions of that address on a dark web forum. 

All of this above is related to the situation around the exit scam performed by the Wall Street Market administration. You can see that all of the transactions and all of the posts take place in the second half of April 2019.

If we talk about profiling, there are a number of quite famous cases that have been solved by law enforcement and by analysts within those types of organizations related to de-anonymizing an owner or a senior administrator of a dark web marketplace. There is the famous Ross Ulbricht, who was using the alias Dread Pirate Roberts and a clear web alias Altoid, which was the key thing that led the American law enforcement towards him. We can gather the different data from the full spectrum of sources, or potentially we could very carefully try to profile the individual based on the way they interact with the customers, the way they interact with vendors, the way they behave online within the platform. Or we can try to profile those people in retrospect to see what is common between the individuals who have been involved in such activities that have been uncovered historically. We can see that the portrait of the criminal has changed over time to this day in 2022. All of those, Mr. Ross Ulbricht, Mr. Gal Vallerius and Mr. Alexandre Cazes, are educated individuals in different fields. For instance, Mr. Cazes has a degree in computer science. They tend to share certain views such as being Libertarian. Libertarianism was something very much associated with the motives of the founder of Silk Road, but similar motives can be speculated about other members of that community. In the case of Mr. Alexandre Cazes, the key input was an email address that was a source of messages to newcomers within the AlphaBay Marketplace, which was 10 times the size of Silk Road at its peak. The support emails were to new vendors and new members.

Here we can try an example of enriching that identifier to build this graph from scratch. This can be done with the help of something called a machine within Maltego which can automate those queries under a specific logic.  

Here at this moment it gives us an IP address from a leaked database, it gives us an account on Gravatar, [redacted account name], an account on Skype, and a number of email addresses with similar passwords. And also a number of additional database records that contain the email in the string. The IP address is further resolved into a Canadian netblock, and that is resolved to an autonomous system number. Now we can try to do the same with the second email that we have here. This is giving us two Skype accounts and two additional IP addresses. Of course, we can run a search into the data lake of DarkOwl, from which we will try to extract additional details. Here this gives us the family name, it gives us the name of another individual, and a number of IP addresses and phone numbers. The IP address issue may be just a minor technical problem on the side of Social Links with integrating this, but you get the point. This gathering and structuring process is something that is done in retrospect, so this person has already been uncovered, already been arrested, and already committed suicide while in jail. But I think it's obvious how beneficial industrial automated tools such as DarkOwl and Social Links can be in researching such individuals and investigating and doing criminal intelligence within those types of sources.

With Oxymonster, the alias that belonged to Mr. Gal Vallerius, an Israeli-French individual, the initial input point that investigators had was this vanity Bitcoin address, for which they traced output, a number of outgoing transactions to a number of addresses all leading to an account on a peer-to-peer platform [redacted address][.]com under the username Vallerius. That is exactly what we were talking about when we said speech patterns and idioms and idiosyncrasies. The investigators further compared the speech of Mr. Gal Vallerius on Instagram and Twitter accounts that are no longer in existence, but we do have a Foursquare profile here, with that of the user Oxymonster, and there was a certain match in the patterns. Now here we can extract additional things from the DarkOwl entities that we have as well.

In another example, with an email of Mr. Ross Ulbricht which was found in one of the posts on the Bitcointalk forum, which was initially found by matching the username Altoid with the first-ever mention of the Silk Road marketplace on [redacted address].org, we can also try to use those transforms to see what is connected to those identifiers.

Here we go to what is more commonly associated with Social Links. Social media intelligence is our strongest side so far, even though we've diversified the sources that we have and the methods available for them in the standard procedure of mapping out the digital footprint of an individual. If we return to the initial logical schema of those processes, it is a necessity not just to focus on the user account or on the group or on the marketplace within the Tor Network or any of the other darknets. The process of investigation and analysis will take the analyst, if they're lucky of course, into other kinds of domains which may include conventional social media.

There is another instance for a potential use of OSINT tools in a similar scenario, but it would make sense to use it in the case of the Berlusconi Market and their administrator John Kohler Racino. The way that they were uncovered was something far more in line with the traditional work of law enforcement. They were eventually closed down as a result of the operation by the Italian Guardia di Finanza, but it was the result of operatives having ordered a number of goods from the marketplace as part of an experiment and having noted that they all came from the same post station within a small town in Italy. Here we see an example of what can potentially be found from the usernames and the accounts under the usernames that were operated by Mr. Lucino. There are two of them: one that had a presence in the Dread forum and was involved in discussions around the Berlusconi Marketplace, and another one on several marketplaces including Berlusconi, two of those sharing a single PGP open key, with the pattern of the goods being shipped from Italy worldwide. There is some output from the Social Links identity search engine that also gives us a number of email addresses and IP addresses. Operations such as this can be advanced with the use of DarkOwl.

That is all of my part so far with the functional demonstration of the capabilities.

Another topic which we haven't really focused on today, but which is quite relevant here, is the usage of those kinds of tools and the exploration and the research by professionals in the field of corporate security. The cases that we've shown now, they're somewhat more in the domain of law enforcement work and criminal intelligence analysts, but the monitoring of sources, aggregating leaked databases, data breaches, are also a topic relevant to the practice within the corporate sector.

How we use those tools to detect human trafficking is a very good question, and there is an organization that we have done a webinar with previously called the Anti-Human Trafficking Intelligence Initiative, with very brilliant people working in that area. They have a solution of their own that works by a slightly different principle than Social Links and DarkOwl, but yes, such solutions do exist and such practices do exist, and they have been successful in uncovering numerous instances of human trafficking and the distribution of CSAM.

David: Absolutely. Ivan, I just want to jump in and congratulate you on a really excellent presentation. As far as the human trafficking pieces, we are seeing a growth in the kind of communications and coordination that happens on the darknet for human trafficking and even more broadly for the CSAM types of materials. I would like to talk about one of the other questions that has been brought up, and it talks about the companies that have been involved in ransomware incident response. The amount of chatter that we see happening on the darknet for the different ransomware gangs has increased exponentially over the last two years, and we've tried to focus on it for quite some time. We've really seen how well they have taken their software to market. You can see that ransomware as a service programs have been proliferating widely through markets on the darknet. As far as identifying specific ransomware families, I think we have about 30 or 40 of them that we've already curated, including what cipher they are using, when we first saw them appear on the darknet, and you can use it to gather some of the pricing data that you need.

Ivan: Thank you for that, David. One thing that is easy to see even from this simple graph, which is just a reflection of the current state of affairs in the cryptocurrency industry and specifically in the Bitcoin ecosystem, is that it is very Wild West-esque at the moment. [There is] the obvious pattern of a large number of interactions with people involved in terrorism and ransomware and the trades in illicit goods in the dark web space and human trafficking and CSAM as well, although those two categories are not reflected here. The people at the Anti-Human Trafficking Intelligence Initiative know much more about that topic. Interacting with legitimate exchanges such as Binance, Gemini, and Coinbase.

David: There's a question from Andrew and it says: do DarkOwl and Social Links have the tech to crawl the deep and dark web? Almost all of our collection is technical-automated. There is a combination of techniques that you use to gain access, but then you cannot collect at scale just using human beings, so it's a combination of both. We use both for this kind of collection. Then there was one question about risk management, targeted profiling and Customs control. Absolutely, specifically for the drugs portion... most drug shipments that we see happening on the darknet are international transactions. The largest shipper of drugs worldwide is the United States Postal Service, because it takes a federal warrant to get into a box being shipped. We see some law enforcement agencies do controlled buys. They use these tools to identify who the vendors are, how you enter and interact with them, and it's about the speed: how do you get ahead of this and then do controlled buys. When it comes into your country you will figure out which one of your Customs agents is taking bribes from people to let those packages in. It's both useful for looking at criminal activity and also from an internal counter-intelligence perspective.

Ivan: Thank you, David, and thank you for visiting. We are always glad to see you here.

David: Andrew, we don't leave you hanging out there. I see your question; you've asked how they might go seize the ransomware payments. I don't have any direct knowledge of how that happened, but most of these payments have to go through some form of exchange to move the money around, and they likely had access to one of those exchanges that could tell them. Because remember, there are some exchanges that are working with and cooperating with law enforcement and international law enforcement agencies, and if they get a valid warrant from a law enforcement agency to block the transaction, they can do that. Just like it would work in the international SWIFT system for blocking bank transactions through the Federal Reserve Bank of New York. I would imagine that probably something like that is how it was done.

Ivan: Yes, I actually think there was an Eastern European mixing service there.  

This is it on our part for today. Thank you everybody very much for participating, and we hope that you will contact us to talk with us further about how our solutions can be implemented into your business processes. We will be very glad to see you and will be expecting you on our further webinars that are to come. David, thank you for co-hosting.


About Social Links

Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Our core technology is dual use, designed for widespread adoption, and easy to configure and deploy to both commercial and government customers. Corsha has a strong engineering team with deep expertise in distributed ledgers, cryptography, security principles, orchestration technologies, and software design.

Contact Social Links.

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data in a way that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.


Interested in how darknet data applies to your use case? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.