Author: DarkOwl Content Team

Dark Web Pharmacy and Illegal PX Medication Sales 

September 23, 2025

Dark web “pharmacies” have become a global black market for prescription medications and counterfeit drugs. These underground vendors operate on hidden parts of the internet, accessible only with special software like Tor, and sell everything from opioid painkillers and anxiety meds to fake pills. Recent international crackdowns have led to hundreds of arrests across multiple continents, showing just how far-reaching and organized this trade has become. By using encryption and anonymous networks, dark web drug sellers connect with buyers around the world while evading traditional law enforcement. This blog looks at where these rogue pharmacies are found and the platforms they use to move drugs outside the law. 

Darknet Marketplaces

The majority of dark web pharmacy operations take place on multi-vendor marketplaces – hidden websites (with “.onion” addresses) that function like illicit versions of eBay or Amazon. Vendors set up listings for drugs, and buyers browse and purchase through the marketplace. These sites provide built-in escrow payment systems and customer review ratings, which help establish trust between anonymous buyers and sellers. Well-known examples from the past include Silk Road and AlphaBay, and new marketplaces continually arise to replace those shut down by police. 

Independent Vendor Sites

Some drug sellers also run their own standalone websites on the dark web. Instead of using a shared marketplace, they maintain a dedicated “storefront” hidden service. For example, one U.S. vendor continued operating a personal darknet website offering several types of illicit pills even after facing initial charges. These independent sites let a vendor control their platform, though attracting customers can be harder without the built-in traffic of a large market. They also lack the escrow protections of major marketplaces, meaning buyers have to trust the vendor directly. 

Encrypted Chats and Forums

In addition to Tor websites, a portion of illegal drug trade is arranged in private forums or encrypted messaging apps. Recent threat intelligence reports note a shift toward dealers making direct deals via platforms like Telegram, Signal, or Discord. Vendors advertise in chat groups or forums and then accept orders one-to-one, often taking payment in cryptocurrency. This method helps them reach less tech-savvy buyers (who may not navigate Tor) and avoid the fees or exit scams associated with big darknet markets. However, like independent sites, these direct transactions usually forego escrow – increasing the risk of scams or non-delivery if the buyer isn’t careful. 

Sourcing & Production 

  • Diverted Rx stock, bulk APIs from overseas brokers, or outright counterfeit precursors; opioids/benzos are common targets.  
  • Pill-pressing with dies/logos to mimic pharma tablets (e.g., “Xanax” bars); dosage is inconsistent and unregulated.  

Platform & Presence 

  • Multi-vendor marketplaces (escrow, ratings), independent Tor shops, and encrypted chat/closed forums; vendors diversify IDs to hedge takedowns.  
  • Leverage market feedback systems; promote “stealth,” shipping success rates, and refunds to drive buyer trust. (Observed repeatedly in takedown summaries and market analyses.)  

Security & Comms 

  • Tor access; PGP for messages; crypto payments (BTC; privacy coins like XMR increasingly preferred per EU assessments).  
  • Rotate handles, swap P.O. boxes/mailing points, segment roles (pressing vs. packing vs. posting), and avoid reusing identifiers.  

Listings, Sales & Payment 

  • Detailed SKU pages (dosage, “brand,” batch claims), pricing tiers, bulk discounts; some offer testing “proofs.”   
  • Funds held until delivery confirmation; DM/PGP comms for issues; off-platform direct deals used to avoid fees—higher scam risk.  

Fulfillment & “Stealth” Shipping 

  • Vacuum sealing, odor barriers, concealment in benign items, innocuous labels/returns; postal systems are the primary vector.  
  • Frequent post-office drops.  

Cash-out & Continuity 

  • Peel chains, mixers, P2P off-ramps. 
  • After market seizures, vendors relist quickly elsewhere under new monikers.  

Risk & Authenticity Note (for Rx specifically) 

  • A non-trivial share of “pharma” listings are counterfeit or misbranded (e.g., fake alprazolam/oxycodone); several rings pressed millions of pills sold as name-brand meds.  

Most pills sold on the dark web are not genuine pharmaceuticals. Law enforcement has caught countless vendors making their own tablets with pill presses, stamping them with real drug logos, and selling them as Xanax, oxycodone, or Adderall. Some are made with raw ingredients shipped from overseas; others are mixed in makeshift labs with no quality control. 

The danger is what’s inside: pills advertised as painkillers often contain fentanyl, and fake Adderall tablets have been found packed with meth. Even if a pill looks real, its contents may be wrong, too strong, or contaminated. A single counterfeit dose can be deadly. 

Scams are common too—some sellers simply take your money and never ship. Marketplaces use escrow to limit this, but if you buy directly through a website or chat, you’re on your own. 

Dark web pharmacies may look like convenient, no-questions-asked sources for prescription drugs, but the reality is far more dangerous. Most pills sold online are counterfeit, misbranded, or laced with powerful substances like fentanyl or meth. Even when products appear legitimate, there is no quality control, no guarantee of safety, and no way for buyers to know what they are really taking. 

While these underground vendors rely on encryption, hidden websites, and clever shipping tactics to stay one step ahead, law enforcement has shown that they are not untouchable. Major operations around the world have taken down marketplaces, seized millions of fake pills, and arrested key players. Still, new vendors and sites quickly emerge to replace the old ones. 

In the end, buying from a dark web pharmacy is a gamble with high stakes. The risks include wasting money, falling victim to scams, or, most critically, consuming a counterfeit pill that could be deadly. The safest choice remains the obvious one: only use medications prescribed by a doctor and dispensed by a licensed pharmacy. 

How Darknet Threat Actors Are Using AI and Why It Matters 

September 18, 2025

Artificial intelligence has quickly become one of the most disruptive forces in cybersecurity. On the surface, AI promises efficiency, smarter defenses, and automation. But it is also being exploited by criminals in underground forums and marketplaces. The darknet has always been a hub for phishing kits, ransomware gangs, and stolen data markets. What has changed is the speed and polish of those attacks. AI has not created new crimes, but it has made the old ones sharper, more scalable, and harder to defend against. 

To understand the risks, you need to look closely at how threat actors are adopting AI in three areas where the damage is already visible: phishing, ransomware, and stealer logs. Alongside that, it’s worth exploring how the darknet economy itself is shifting to a subscription-based model that feels eerily similar to legitimate tech marketplaces. 

Phishing is one of the oldest tricks in the book. Traditionally, it relied on blasting out mass emails and hoping a few recipients clicked on malicious links. These campaigns were often riddled with errors: bad grammar, odd formatting, and suspicious sender addresses. They worked well enough to snare the unwary, but many were easy to spot. 

AI has changed that. In 2023, tools like FraudGPT and WormGPT appeared for sale across darknet forums and Telegram channels. FraudGPT was promoted as a chatbot with “no limitations, no filters, no boundaries.” It promised to help criminals craft polished phishing emails, generate fake websites, and even produce malicious code. Sellers marketed it in the same way a SaaS startup would market legitimate tools, with clear feature lists and monthly or annual subscription options. Reports suggest prices started around $200 per month or $1,700 per year, and the tool quickly gained traction among low-skill actors. 

WormGPT took a similar path. Built on GPT-J, an open-source large language model, it was pitched as a blackhat version of ChatGPT. Access was sold for about $110 per month. Its purpose was direct and simple: create convincing phishing emails at scale. No broken grammar, no obvious red flags, just messages that looked like they came from HR, finance, or a trusted business partner. 

The sophistication of phishing is no longer limited to email. Voice cloning and deepfakes have introduced new angles. A call that sounds exactly like your CEO asking for an urgent wire transfer is no longer a far-fetched scenario. In fact, there have already been documented cases where voice cloning was used to defraud companies out of millions. With AI, creating those convincing imitations is faster, cheaper, and accessible to far more actors. 

Phishing is no longer amateur hour. It is a professionalized service where attackers can outsource creativity to AI. 

Ransomware groups are also adapting AI to their playbooks. Their goal is still the same: encrypt critical systems, steal sensitive data, and demand payment. But AI is streamlining the process. 

Some ransomware crews are using AI to refine malicious code and bypass defenses more effectively. Others are experimenting with automated infection chains where AI scripts help identify weak points in networks and tailor payloads to exploit them. In some cases, AI has even been proposed for ransom negotiations, where chatbots could pressure victims with manipulative tactics and personalized responses. 

This isn’t happening in a vacuum. Ransomware gangs are structured like businesses. They often run affiliate programs, recruit developers, and maintain support channels for buyers. AI fits neatly into that structure. It reduces the technical barrier, speeds up development, and frees attackers to scale operations. 

The real danger is not just that AI makes ransomware more efficient. It also makes entry into ransomware easier. Someone with little coding experience can join an affiliate program, buy access to AI tools, and launch a campaign without building malware from scratch. The result is more actors competing for victims, which increases the volume of attacks globally. 

If phishing is the entry point and ransomware is the hammer, stealer logs are the raw material that fuels countless other crimes. A stealer log is a collection of data siphoned from an infected machine: usernames, passwords, browser cookies, autofill data, cryptocurrency wallets, system details. For years, these logs have been sold in bulk on darknet markets. 

AI has made them far easier to exploit. Instead of combing through messy text files manually, criminals now use AI-driven tools to parse, filter, and prioritize data. They can search for keywords like “PayPal” or “VPN” and instantly extract the most valuable credentials. Dashboards sold with these logs make it simple for even unskilled actors to profit. 

Consider Rhadamanthys, a stealer that first appeared in late 2022. By mid-2024, version 0.7.0 introduced an unusual AI-powered capability: optical character recognition. It could scan images on infected devices and extract text, including cryptocurrency wallet seed phrases. This meant that even if users thought they were safe storing keys as screenshots, the malware could still retrieve them. 

Rhadamanthys is sold openly on forums. Licenses go for about $250 per month or $550 for 90 days. Its operators actively update the malware, provide customer support via Telegram, and advertise new features. In 2024, it was deployed through phishing campaigns disguised as copyright infringement notices, targeting victims across Europe, Asia, and the Americas. 

Beyond individual families, the stealer ecosystem is vast. Russian Market alone lists millions of stolen logs, and services like MoonCloud repackage them into searchable databases distributed via Telegram. These markets are increasingly structured and automated, looking more like data brokers than ad-hoc criminal sales. 

One of the most striking trends is how the darknet has adopted the language and business model of the tech industry. Gone are the days of one-off toolkits passed quietly between hackers. Today, the underground thrives on subscriptions and services. 

Fraud as a service. Phishing as a service. Ransomware as a service. Infostealers with monthly licensing models. AI has lowered the barrier to entry so far that the ecosystem resembles a SaaS marketplace more than a shadowy corner of the web. For a few hundred dollars a month, anyone can buy access to tools that rival those used by advanced threat groups. 

This professionalization is why the threat landscape feels so much more crowded. More people can play the game. The cost of entry is low. And the tools are good enough to work. 

If criminals are scaling with AI, defenders cannot rely on traditional defenses alone. Organizations need visibility into the spaces where these tools are sold and discussed. That is where DarkOwl provides value. 

DarkOwl monitors darknet forums, encrypted channels, and marketplaces where AI-enabled tools and stolen data appear. It can identify when a new phishing kit is advertised, when stealer logs containing company credentials are posted, or when chatter about impersonation campaigns surfaces. More importantly, DarkOwl delivers context. A stolen password alone is one data point. Context explains whether it is tied to a broader campaign, how it was obtained, and whether similar data is being circulated elsewhere. 

This intelligence is not meant to sit in a report. Organizations can act on it by building alerting workflows, so security teams are notified when company credentials show up in stealer logs, updating phishing playbooks with new lures seen in underground communities, and protecting executives and brands by monitoring for deepfake or impersonation campaigns. 
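The first workflow above, alerting when company credentials appear in a stealer log, as an added example (not DarkOwl's code): it parses the URL/USER/PASS block layout common to infostealer password dumps, keeps only records tied to an assumed set of corporate domains (`example-corp.com` is a placeholder), masks the password, and counts on how many hosts that password was reused so resets can be prioritised. The log content is constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the URL / USER / PASS block layout that many infostealer password
# dumps use; every value below is invented for this example.
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/owa
USER: j.doe@example-corp.com
PASS: Summer2025!

URL: https://www.paypal.com/signin
USER: jdoe88
PASS: hunter2

URL: https://vpn.example-corp.com/
USER: EXAMPLE-CORP\\jdoe
PASS: Summer2025!

URL: https://login.microsoftonline.com/
USER: j.doe@example-corp.com
PASS: Summer2025!
"""

# Domains the organisation owns (assumed placeholder); subdomains are covered automatically.
WATCHED_DOMAINS = {"example-corp.com"}


@dataclass
class Credential:
    url: str
    user: str
    password: str


def parse_stealer_log(text):
    """Split a URL/USER/PASS dump into records, tolerating blocks with a missing PASS line."""
    creds = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().upper()] = value.strip()
        if "URL" in fields and "USER" in fields:
            creds.append(Credential(fields["URL"], fields["USER"], fields.get("PASS", "")))
    return creds


def owned_by(domain, watched):
    domain = domain.lower()
    return any(domain == w or domain.endswith("." + w) for w in watched)


def classify(cred, watched):
    """Why this record matters to the organisation, or None if it does not."""
    host = urlparse(cred.url).hostname or ""
    if owned_by(host, watched):
        return "corporate-service"          # login to a system the organisation runs
    if "@" in cred.user and owned_by(cred.user.rpartition("@")[2], watched):
        return "corporate-identity"         # company email used on a third-party site
    if "\\" in cred.user and cred.user.split("\\")[0].lower() in {w.split(".")[0] for w in watched}:
        return "corporate-identity"         # DOMAIN\user style Windows account
    return None


def mask(secret):
    """Never forward the plaintext; two leading characters are enough to confirm a reset."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def build_alerts(text, watched=WATCHED_DOMAINS):
    """Alerts for every record tied to the organisation, with a reuse count for reset prioritisation."""
    creds = parse_stealer_log(text)
    hosts_per_password = {}
    for c in creds:
        hosts_per_password.setdefault(c.password, set()).add(urlparse(c.url).hostname)
    alerts = []
    for c in creds:
        reason = classify(c, watched)
        if reason:
            alerts.append({
                "reason": reason,
                "url": c.url,
                "user": c.user,
                "password": mask(c.password),
                "reused_on": len(hosts_per_password[c.password]),
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

The PayPal record is deliberately left out of the alerts: it is the user's personal account, and the organisation's concern is the shared password, which the reuse count surfaces on the corporate records.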

DarkOwl does not just collect data; it helps organizations use it. That difference is what turns visibility into defense. 

AI has not changed the fundamentals of cybercrime. Criminals are still phishing, encrypting, and stealing. What has changed is the scale and accessibility. FraudGPT makes phishing believable. WormGPT mass-produces scams. Rhadamanthys uses AI to scrape sensitive data from images. Marketplaces sell logs with dashboards and filters that look like professional analytics tools. The Darknet is evolving, and AI is accelerating the pace. 

The world cannot afford to ignore that shift. Defenders need to see what is happening in the underground as it unfolds. DarkOwl delivers that window, giving organizations the ability to anticipate threats, connect the dots, and respond before AI-driven attacks land. 



Antivirus vs Antimalware: What’s the Real Difference and Do You Need Both?

September 16, 2025

We all know cybersecurity has its own language. As being cyber safe becomes more and more vital to companies and individuals alike, it's important to have a basic understanding of common terms. In this blog, let's explore the subtle differences between antivirus and antimalware and whether you need both.

The terms “antivirus” and “antimalware” are often used interchangeably. It is important to understand that while they are related, there is a historical difference and a functional distinction.

Antivirus

Antivirus is a type of software designed to detect, prevent, and remove malicious programs from a computer or network. While the name historically refers to software that protects against computer viruses specifically, the term has evolved to encompass protection against a wide range of cyber threats. It acts as a crucial defense against various digital threats that can harm your system, steal data, or compromise your privacy.

Traditionally, antivirus software excelled at:

  • Signature-Based Detection: This method relies on a vast database of “signatures” – unique digital fingerprints of known viruses. When a file is scanned, its code is compared to these signatures. If a match is found, the virus is identified and dealt with.
  • Preventing Replication: Its primary objective was to stop viruses from attaching themselves to legitimate programs and spreading across your system or network.
  • Cleaning and Quarantining: Upon detection, it would either “clean” (remove the malicious code from an infected file) or “quarantine” (isolate the infected file to prevent it from causing further harm) the threat.

One can think of antivirus as a specialist. It was exceptionally good at identifying and neutralizing the self-replicating, often disruptive, digital invaders that defined the early days of cybercrime.

As the threat landscape evolved, so did the sophistication of malicious software. Viruses were still a threat, but now we were up against worms, Trojans, spyware, adware, ransomware, rootkits, and more. This is where the lines begin to blur and the term "malware" enters. It is important to note that while all viruses are malware, not all malware is a virus. This difference between malware and virus is the crux of the difference between "antivirus" and the more encompassing "antimalware."

Antimalware

Antimalware is a type of software designed to detect, prevent, and remove all forms of malicious software (malware) from computers and other digital devices. Unlike traditional “antivirus” that historically focused primarily on computer viruses, antimalware offers a broader, more comprehensive defense against the entire spectrum of digital threats.

Threats that antimalware defends against include:

  • Viruses: The original self-replicating programs that attach to legitimate software.
  • Worms: Standalone malicious programs that spread across networks without needing a host program.
  • Trojans (Trojan Horses): Programs that appear legitimate but hide malicious functions, often creating backdoors for attackers.
  • Ransomware: Malware that encrypts a victim’s files, demanding payment (ransom) for their decryption.
  • Spyware: Software that secretly monitors and collects information about a user’s activities without their knowledge or consent.
  • Adware: Software that automatically displays unwanted advertisements, often bundled with free programs.
  • Rootkits: Malicious software designed to hide the existence of other malware and enable persistent privileged access to a computer.
  • Keyloggers: Programs that record every keystroke made by a user, potentially capturing sensitive information like passwords.
  • Bots/Botnets: Software that allows an attacker to remotely control a compromised computer, often as part of a larger network of infected machines (a botnet).

Antivirus traditionally focuses on file-infecting threats; antimalware is more adept at combating newer, evolving threats that may not be file-based.

Antivirus

  • specific type of protection
  • combats file-infecting threats
  • basic scanning, detection, removal, and quarantine of viruses
  • relies on signature-based detection (databases of known virus “fingerprints”)
  • the original digital defense; the term is somewhat historical but often used generically (commonly used by the general public, but often refers to a broader “antimalware” solution)

Antimalware

  • broad and comprehensive protection
  • combats new, evolving threats that may not be file-based
  • real-time protection, advanced threat blocking, web/email protection, exploit prevention, sandboxing
  • incorporates more advanced, proactive methods like heuristic analysis and behavioral monitoring to catch unknown threats
  • the evolution of antivirus; the more accurate term for today’s holistic digital protection
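To make the comparison concrete, here is an added example (not from any product or from the original post) of the two detection styles side by side: a signature database of byte patterns and SHA-256 fingerprints checked the classic antivirus way, one antimalware-style heuristic (a file named like a document whose content is a Windows executable), and a quarantine step that isolates hits. The only real signature is the EICAR test string; the sample files are constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# The EICAR test string: a harmless, standardised file that antivirus engines detect by signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature database (the "fingerprints" above): byte patterns plus whole-file SHA-256 digests.
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR}
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)"}

# Extensions that should never begin with an MZ (Windows executable) header.
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".jpg"}


def signature_match(data):
    """Classic antivirus check: whole-file hash first, then byte-pattern search."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_match(path, data):
    """One antimalware-style heuristic: a document-named file whose content is an executable."""
    if Path(path).suffix.lower() in DOCUMENT_EXTENSIONS and data[:2] == b"MZ":
        return "Heuristic: executable disguised as document"
    return None


def scan_file(path):
    """Return a detection name for the file, or None if it looks clean."""
    data = Path(path).read_bytes()
    return signature_match(data) or heuristic_match(path, data)


def quarantine(path, quarantine_dir, reason):
    """Isolate a detected file: move it, make it read-only, and record where it came from."""
    src = Path(path)
    original = os.path.abspath(src)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (src.name + ".quarantined")
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o400)  # read-only so nothing launches it from quarantine
    meta = {"original_path": original, "detection": reason, "quarantined_at": time.time()}
    (qdir / (src.name + ".json")).write_text(json.dumps(meta))
    return dest


def scan_directory(root, quarantine_dir):
    """Scan every regular file under root; returns {file name: detection} for quarantined files."""
    qdir = Path(quarantine_dir).resolve()
    files = [p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and qdir not in p.resolve().parents]
    findings = {}
    for p in files:
        reason = scan_file(p)
        if reason:
            quarantine(p, qdir, reason)
            findings[p.name] = reason
    return findings


def demo():
    """Constructed sample tree: one EICAR file, one fake PDF with a PE header, one benign note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "user_files"
        root.mkdir()
        (root / "eicar.com").write_bytes(EICAR)
        (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
        (root / "notes.txt").write_bytes(b"quarterly notes, nothing malicious here")
        findings = scan_directory(root, Path(tmp) / "quarantine")
        remaining = sorted(p.name for p in root.iterdir())
        return findings, remaining


if __name__ == "__main__":
    print(demo())
```

The fake PDF is the point of the heuristic layer: no signature exists for it, so the hash and pattern checks pass it, and only the content-versus-name rule catches it.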

Earlier this year, researchers at TrendMicro observed the Chinese state-sponsored threat actor Mustang Panda (also known as Earth Preta) using a new technique to "evade detection and maintain control over infected systems." Specifically, the hacking group uses the legitimate Microsoft Application Virtualization Injector (MAVInject.exe) to "inject payloads into waitfor.exe whenever an ESET antivirus application is detected." As highlighted in TrendMicro's report, Mustang Panda is known for targeting victims in the Asia-Pacific region, with one of its recent campaigns utilizing a variant of DOPLUGS malware to target multiple countries in the region, including Taiwan, Vietnam, and Malaysia. The threat actor notably targets government entities, and "has had over 200 victims since 2022." 

DarkOwl does not recommend running both antimalware software and antivirus software at the same time. This can cause conflicts and redundancies, as well as slow down your computer. It is recommended to have one comprehensive security solution active at a time. This single program will provide all the necessary layers of protection without causing conflicts. This is why many companies have moved from branding their products as "Antivirus" to names like "Internet Security," "Total Protection," or simply "Endpoint Protection" to reflect the broad range of threats they address.

As always, practice good cyber hygiene – check to make sure that your current software is up-to-date and offers multi-layered protection.

Ultimately, the distinction between “antivirus” and “antimalware” is not just semantic; it reflects the evolution of the cybersecurity landscape. While antivirus was our original digital defense, designed to combat the classic computer virus, today’s multifaceted threat environment demands a more comprehensive solution. A modern antimalware program is that solution, offering multi-layered protection against everything from file-infecting viruses to sophisticated ransomware and fileless malware.

As we’ve established, you do not need both—and for the sake of your system’s performance and security, you shouldn’t run both. The best practice is to choose one powerful, reputable security suite that is regularly updated. This single tool, combined with your own vigilance and good cyber hygiene, is your strongest defense against the full spectrum of digital threats today and in the future.



Is Your City on the Dark Web? What Local Agencies Need to Know 

September 09, 2025

In 2023, investigators in a midsize U.S. city were tipped off to a darknet marketplace vendor offering “same-day delivery” of fentanyl-laced pills within specific zip codes. The listing named street corners and used coded references to local schools. It was not discovered by routine patrols or a community tip. It was found in an online space most local agencies never check: the dark web. 

The dark web is not just a place for global cybercriminal networks. It is a sprawling ecosystem where local-level threats are planned, traded, and discussed. Understanding what is being said about your city, and acting on it, can mean stopping crime before it happens. 

A Hidden Hub for Localized Criminal Activity 

Criminal forums, encrypted chat channels, and darknet leak sites often contain references to specific cities, schools, or government offices. These may range from targeted doxxing threats against police officers to lists of stolen IDs from local residents. Without visibility into these spaces, agencies risk missing critical intelligence (NIJ). 

Growing Scale of Criminal Commerce 

Dark web markets remain a preferred channel for selling drugs, stolen goods, counterfeit currency, and hacking tools. Europol has documented that some sellers specialize in hyper-local delivery, building trust with buyers in their own city. One marketplace studied by the NIJ generated $219 million annually, a portion of which was linked to transactions tied to specific U.S. cities. 

Evidence of Real-World Impact 

The FBI’s Internet Crime Complaint Center (IC3) reported 880,418 cybercrime complaints in 2023, a 10 percent increase over 2022, with losses exceeding $12.5 billion (FBI IC3). While many of these cases start online, a significant number have local victims and suspects, with planning or stolen data originating from the darknet. 

  1. City and County Names – Drug vendors advertising “free delivery within [city limits]” or fencing stolen goods. 
  2. Schools and Universities – Targets of swatting threats, harassment campaigns, or worse. 
  3. Police Departments – Mentioned in extremist forums or ransomware leak sites after data breaches. 
  4. Hospitals and Public Services – Victims of cyberattacks where stolen patient data is posted for sale. 
  5. Street-Level Detail – Criminals using neighborhood or landmark names to coordinate illicit meetups. 

These are not hypothetical. They appear regularly in open-source criminal case records and public takedown reports. 

When local law enforcement gains visibility into the darknet, it often changes how investigations unfold. For example: 

  • Drug Enforcement – Narcotics units can identify vendors selling in their jurisdiction, connect them to street-level operations, and coordinate controlled buys. 
  • Cybercrime and Fraud – Financial crimes units can trace stolen credit cards, bank logins, or PII from local residents back to breaches. 
  • Threat Assessment – School resource officers or fusion centers can evaluate online threats referencing specific campuses. 

This process often begins with keyword and geographic monitoring, searching for place names, zip codes, or organizational identifiers in darknet marketplaces, forums, and leak sites. Tools like DarkOwl can streamline this by indexing these spaces and allowing agencies to search them without direct engagement. All DarkOwl data is collected in compliance with U.S. Department of Justice guidelines, ensuring passive, lawful acquisition from darknet and darknet-adjacent sources. 
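The keyword and geographic monitoring described above, as an added example that is not DarkOwl's code: a watchlist of place names, campuses, facilities and agency names for a hypothetical jurisdiction, a ZIP-code prefix pattern, and a weighted triage queue so a post naming a police department or school ranks above one that only mentions the city. The watchlist terms and the posts are constructed for this example and refer to no real case.

```python
import re

# Constructed watchlist for a hypothetical jurisdiction; an agency would build this from its own
# place names, campuses, facilities and ZIP codes. None of these terms refers to a real case.
WATCHLIST = {
    "place":   ["Springfield", "Shelbyville"],
    "school":  ["Springfield High", "State University"],
    "service": ["Metro Hospital"],
    "agency":  ["Springfield PD", "Springfield Police Department"],
}
ZIP_PREFIXES = ("627",)          # ZIP codes in the watched area (constructed)
TERM_WEIGHTS = {"place": 1, "zip": 1, "service": 2, "school": 3, "agency": 4}

# Constructed posts in the style the text describes; not real listings.
SAMPLE_POSTS = [
    {"id": 1, "source": "market",
     "text": "Free same-day delivery within Springfield city limits, 62701 and 62704 only. PGP for orders."},
    {"id": 2, "source": "forum",
     "text": "Looking for personal info on officers at springfield pd, will pay"},
    {"id": 3, "source": "leaksite",
     "text": "Dumping 2,000 records from Metro Hospital, includes patient DOB and SSN"},
    {"id": 4, "source": "market",
     "text": "Bulk logins, mixed US, no delivery, escrow only"},
]

ZIP_RE = re.compile(r"\b(?:" + "|".join(ZIP_PREFIXES) + r")\d{2}\b")


def compile_watchlist(watchlist):
    """One case-insensitive, word-bounded pattern per term, so 'springfield pd' still hits."""
    return [(cat, term, re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE))
            for cat, terms in watchlist.items() for term in terms]


def scan_post(post, compiled):
    """Return {category: [matched terms]} for one post; empty dict when nothing matches."""
    hits = {}
    for cat, term, rx in compiled:
        if rx.search(post["text"]):
            hits.setdefault(cat, []).append(term)
    zips = sorted(set(ZIP_RE.findall(post["text"])))
    if zips:
        hits["zip"] = zips
    return hits


def score(hits):
    """Weighted count: a named agency or campus outranks a bare city mention."""
    return sum(TERM_WEIGHTS[cat] * len(terms) for cat, terms in hits.items())


def triage_queue(posts, watchlist=WATCHLIST):
    """Posts that mention the jurisdiction, highest priority first (ties broken by post id)."""
    compiled = compile_watchlist(watchlist)
    queue = []
    for post in posts:
        hits = scan_post(post, compiled)
        if hits:
            queue.append({"id": post["id"], "source": post["source"],
                          "score": score(hits), "hits": hits})
    return sorted(queue, key=lambda q: (-q["score"], q["id"]))


if __name__ == "__main__":
    for entry in triage_queue(SAMPLE_POSTS):
        print(entry)
```

Post 4 never reaches the queue because nothing in it ties to the jurisdiction; that filtering is what keeps a city-level watch from drowning in the global noise of these markets.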

In 2021, the Babuk ransomware group breached the Metropolitan Police Department in Washington, D.C., and leaked thousands of sensitive internal files on a dark web site. These included disciplinary records, intelligence reports, and details about confidential informants. The incident was described by cybersecurity experts as one of the most serious ransomware attacks ever against a U.S. law enforcement agency. Investigators had to rapidly assess the scope of the breach, contain the fallout, and communicate with the public while attackers continued to post stolen material. 

In a separate case, 200 gigabytes of data from the Presque Isle Police Department in Maine was leaked online by Distributed Denial of Secrets (DDoSecrets). The dataset contained decades of emails, internal reports, and sensitive law enforcement files. While the organization chose not to make the entire dataset publicly available, the breach was confirmed and highlighted the vulnerability of smaller police departments to cyberattacks. 

These incidents are a reminder that police departments of all sizes are potential ransomware targets and that early detection of leaked data on the dark web can help agencies respond more effectively. 

  • Legal Compliance – Work only with vetted intelligence sources that follow DOJ guidance. 
  • Evidence Handling – Ensure dark web data is preserved in ways that maintain chain of custody. 
  • Training – Provide investigators with skills to interpret darknet information and link it to real-world cases. 
  • Partnerships – Collaborate with state, federal, and fusion center partners to share findings. 

Your city is likely being mentioned on the dark web, whether in a passing conversation or as part of a targeted plot. For local law enforcement, this is no longer an obscure cyber issue. It is a street-level problem with online roots. 

By incorporating dark web monitoring into investigative workflows, agencies can spot emerging threats, connect them to local activity, and act before harm occurs. In a world where crime moves between the physical and digital in seconds, ignoring the darknet is no longer an option. 



Threat Intelligence RoundUp: August

September 02, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

          1. ‘Chairmen’ of $100 million scam operation extradited to US – Bleeping Computer

          In an August 8 press release, the United States Attorney’s Office for the Southern District of New York announced the extradition of four Ghanaian nationals for participating in an international criminal organization “that stole more than $100 million from victims via romance scams and business email compromises.” The four individuals were reportedly high-ranking members of a Ghanaian criminal organization that targeted entities in the U.S. between 2016 and 2023. The defendants were extradited from Ghana and arrived in the U.S. on August 7. Read full article.

          2. New EDR killer tool used by eight different ransomware groups – Bleeping Computer

          According to BleepingComputer, eight different ransomware groups have been observed using a new endpoint detection and response (EDR) killer believed to be an evolution of the “EDRKillShifter” developed by RansomHub. EDR killers are a useful tool for threat actors as they turn off security products on targeted systems to help remain undetected. As of this writing, the eight groups seen using the new tool include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. Article here.

          Researchers at CTM360 have identified a new malware campaign dubbed “FraudOnTok” that targets users through fake TikTok Shops with SparkKitty spyware. According to the cybersecurity company’s report, the campaign is characterized by a dual attack strategy combining both phishing and malware to target TikTok users. The threat actors utilize replicas of TikTok Shop, TikTok Wholesale, and TikTok Mall to deceive users into believing they’re using the genuine platforms before stealing cryptocurrency wallets. Read more here.

          Researchers at SEQRITE Labs have observed a cyberespionage campaign targeting Russian aerospace and defense industries. According to the company’s report, the campaign has specifically targeted employees at Voronezh Aircraft Production Association (VASO), one of Russia’s largest aircraft production entities. The activity has been dubbed “Operation CargoTalon” and functions by delivering a backdoor called EAGLET to exfiltrate data. The threat actor is currently being tracked as UNG0901. Read here.

          5. Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses – Bleeping Computer

          Researchers at ReliaQuest have observed a shift in tactics used by the hacking group ShinyHunters that suggests possible collaboration with the Scattered Spider group. Following a year of limited activity, ShinyHunters’ campaigns resurged this summer with a series of attacks against Salesforce customers. These recent operations have used techniques previously observed in attacks attributed to Scattered Spider. Specifically, these have included impersonating IT support staff, using apps that masquerade as legitimate tools, VPN obfuscation, and “Okta-themed phishing pages to trick victims into entering credentials during vishing call.” Learn more.

          6. Hacker extradited to US for stealing $3.3 million from taxpayers – Bleeping Computer

          In an August 5 press release, the U.S. Department of Justice announced the extradition of a Nigerian national to the U.S. from France “in connection with hacking, fraud, and identity theft offenses.” According to the statement, the subject participated in multiple fraud schemes, including one targeting U.S. tax businesses to defraud the IRS since at least 2019. The scheme involved other Nigeria-based co-conspirators who used spear phishing emails to hack “several U.S. based businesses located in New York, Texas, and other states.” Read full article.

          7. CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures – The Hacker News

          In an August 4 press release, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of a series of cyber attacks carried out by the threat actor UAC-0099 against “state authorities, the Defense Forces, and enterprises of the defense-industrial complex of Ukraine.” As noted in the statement, the threat actor delivers MATCHBOIL, MATCHWOK, and DRAGSTARE malware via phishing emails. The emails are predominantly sent from UKR.NET addresses and are presented as official “court summons.” Read full article.

          8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer

          In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the sanctioning of the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved in the scheme use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.


          Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

          What is Credential Stuffing?

          August 28, 2025

          Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees. 

          In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, and IoCs. In this edition, we dive into credential stuffing. 

          Credential stuffing, often shortened to ‘cred stuffing’, is a widespread technique used by cybercriminals to test whether historically exposed e-mail address and password combinations are still valid logins across multiple commercial websites. Opportunistic cyber criminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites and, once a successful authentication occurs, readily steal the PII (personally identifiable information) and financial information that is often saved in the user profile on the e-commerce shopping platform.

          Wordlists and compromised lists of email address and password combinations are the foundation for credential stuffing operations. Many multi-million record data leaks in circulation on the darknet make potential username/password combinations easily discoverable and exploitable at scale. Such leaks are utilized as input for credential stuffing scripts and applications. Wordlists are also in regular circulation amongst darknet threat actors, and some are already integrated into Linux distributions favored by pen-testers and hackers alike.

          Credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many affected users immediately assume that access was gained through vulnerabilities in the commercial service provider’s technical configuration rather than through a simple credential stuffing technique conducted en masse. This uncertainty can erode consumer and stakeholder confidence, which warrants that commercial organizations consider credential stuffing in their internal security frameworks and corporate risk assessments as well.

          To the left we see an example of a combolist (a list of email address and password combinations that may be used in brute force attempts or credential stuffing operations to gain unauthorized access to servers and services) that was leaked and posted on a darknet site. Databases from data harvesting will often include usernames and passwords, fullz (full identity profiles), financial records, or health records. These are all often highly confidential or sensitive and can cause a lot of harm and headache when posted without consent.

          Credential stuffing campaigns exploit password reuse, taking email address and password combinations from one leak and attempting logins on services unrelated to the source of that leak. Although you can’t prevent commercial services from getting breached and usernames, email addresses, and password combinations from getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign. We review these steps later in this blog.

          The North Face

          In a customer notice letter in June, The North Face revealed that on April 23, 2025, it was discovered that customer information was stolen in a credential stuffing attack. Exposed information includes full names, purchase histories, shipping addresses, email addresses, dates of birth, and phone numbers.  

          In January, the hacking forums Cracked[.]io and Nulled[.]to were seized following an international law enforcement operation dubbed “Operation Talent.” The joint operation involved law enforcement departments from the United States, Italy, Spain, Europe, France, Greece, Australia, and Romania. Additional impacted sites included starkrdp[.]io, mysellix[.]io, and sellix[.]io. As highlighted by CyberScoop, SellIX allowed users to create storefronts for illicit goods while StarkRDP—the remote desktop hosting service—“was allegedly leveraged by threat actors to anonymize attacks.”  

          The seizure of multiple major online forums linked to cybercrime reflects ongoing international law enforcement efforts to crack down on cybercrime by dismantling the infrastructure used for illicit activity. Cracked[.]io and Nulled[.]to in particular were known for hosting cybercriminal activity, including “password theft, cracking, and credential stuffing attacks.” Similar large-scale law enforcement operations have been observed in recent years, including the takedown of BreachForums in May 2024.  

          New Atlantis AIO platform automates credential stuffing on 140 services

          In March, Bleeping Computer reported on a new cybercrime platform called “Atlantis AIO” which automates credential stuffing attacks on over 140 online services. Atlantis AIO features modules for brute-force attacks, CAPTCHA bypass, and automated account recovery. It targets various services including email, e-commerce, banking, and VPNs. Compromised accounts are often sold on underground forums. To defend against such attacks, the article recommends that users choose strong, unique passwords and enable multi-factor authentication, and that websites implement rate limiting, advanced CAPTCHAs, and suspicious behavior monitoring.
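The rate limiting and suspicious behavior monitoring recommended above depend on telling credential stuffing apart from ordinary brute force in login telemetry: a combo list produces one attempt per account across many accounts, while brute force produces many attempts against one account. The Python below is an added example (not code from the article, DarkOwl, or Bleeping Computer) that runs that distinction over constructed login log lines; the log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events for one web application (not real data).
# Assumed format: "<ISO timestamp> ip=<addr> user=<email> result=<ok|fail>".
# 203.0.113.5 tries one password each against many accounts (combo list),
# 198.51.100.7 hammers a single account, 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2025-08-28T10:00:00 ip=203.0.113.5 user=amy@example.org result=fail
2025-08-28T10:00:02 ip=203.0.113.5 user=ben@example.org result=fail
2025-08-28T10:00:04 ip=203.0.113.5 user=carol@example.org result=ok
2025-08-28T10:00:06 ip=203.0.113.5 user=dan@example.org result=fail
2025-08-28T10:00:08 ip=203.0.113.5 user=eve@example.org result=fail
2025-08-28T10:00:10 ip=203.0.113.5 user=fay@example.org result=fail
2025-08-28T10:00:12 ip=203.0.113.5 user=gus@example.org result=fail
2025-08-28T10:00:14 ip=203.0.113.5 user=hal@example.org result=fail
2025-08-28T10:01:00 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:01:05 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:01:10 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:01:15 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:01:20 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:01:25 ip=198.51.100.7 user=bob@example.org result=fail
2025-08-28T10:02:00 ip=192.0.2.9 user=dave@example.org result=fail
2025-08-28T10:02:05 ip=192.0.2.9 user=dave@example.org result=ok
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"].lower(),  # normalise so Amy@ and amy@ count once
            "result": m["result"],
        })
    return events


def classify_sources(events, window=timedelta(seconds=60), min_attempts=6,
                     min_distinct_users=5, min_fail_ratio=0.8):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    Within any sliding window of `window`, a source that makes at least
    `min_attempts` mostly failing attempts is suspicious. Credential stuffing
    spreads those attempts across many different accounts (one leaked password
    per account); brute force concentrates them on few accounts (many passwords
    per account). The thresholds are assumptions to be tuned per site.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        label = "normal"
        start = 0
        for end in range(len(evs)):
            # drop events from the front until the window fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            fails = sum(1 for e in win if e["result"] == "fail")
            if fails / len(win) < min_fail_ratio:
                continue
            if len({e["user"] for e in win}) >= min_distinct_users:
                label = "credential_stuffing"
                break
            label = "brute_force"
        verdicts[ip] = label
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a credential-stuffing source:
    their reused password was valid, so they need a forced reset and review."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok"
                   and verdicts.get(e["ip"]) == "credential_stuffing"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:<14} {label}")
    print("force password reset for:", compromised_accounts(evs, verdicts))
```

In production the same logic runs over a streaming window per source; the successful logins it surfaces are the ones the North Face-style notice letters end up describing.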

          Actor Spotlight: ShinyHunters

          ShinyHunters is a cybercriminal group known for high-profile data breaches and a relentless pursuit of sensitive information, and has carved out a reputation as one of the most prolific and dangerous actors in the cybercrime arena. They are known to infiltrate company databases, exfiltrate sensitive information, and then sell this data on underground forums or use it for extortion. They are not shy about sharing this information on dark web sites created to share exfiltrated data. ShinyHunters utilize advanced hacking techniques to gain unauthorized access to company systems. They often exploit vulnerabilities in web applications, engage in credential stuffing attacks, and use phishing campaigns to steal login credentials. 

          Everyone can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

          • Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.
          • Use a password manager such as LastPass, Bitwarden, or 1Password to generate and store complex passwords.
          • Don’t reuse passwords. Have a unique password for every login and streaming service you sign up for.
          • Choose passwords at least 16 characters in length.
          • Include symbols and numbers for increased complexity.
          • Avoid using passwords with dictionary words or names.
          • Don’t use sequential numbers or the word “password”.
          • Don’t use the year of your birth or anniversary in your password.
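A small Python checker for the list above, added here as an example (not a DarkOwl tool): it flags which of these rules a password breaks and, across a set of accounts, which passwords are reused. The wordlist, the names and the demo accounts are constructed stand-ins for the real wordlists a production check would load.

```python
import re
from collections import Counter

# Constructed stand-ins for a dictionary wordlist and a list of names
# (assumption; a production check would load full wordlists).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey",
                "football", "letmein", "qwerty", "admin", "login"}
NAMES = {"alison", "jennifer", "michael", "sarah", "david"}
# Four-digit years from 1900 to 2029: birth years and anniversaries.
YEAR_RE = re.compile(r"19[0-9]{2}|20[0-2][0-9]")
MIN_LENGTH = 16


def has_sequential_digits(pw, run=3):
    """True if pw contains `run` consecutive ascending or descending digits,
    such as 123 or 987."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def password_issues(pw):
    """Return the list of hygiene rules from the article that `pw` violates
    (an empty list means the password passes every check)."""
    issues = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", pw):
        issues.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no symbols")
    if "password" in low:
        issues.append("contains the word 'password'")
    words = sorted(w for w in (COMMON_WORDS | NAMES) - {"password"} if w in low)
    if words:
        issues.append("contains dictionary word or name: " + ", ".join(words))
    if has_sequential_digits(pw):
        issues.append("contains sequential digits")
    if YEAR_RE.search(pw):
        issues.append("contains a year (possible birth year or anniversary)")
    return issues


def audit_accounts(accounts):
    """`accounts` maps site -> password. Returns site -> issues, adding a
    reuse finding when the same password is used on more than one site."""
    uses = Counter(accounts.values())
    report = {}
    for site, pw in accounts.items():
        issues = password_issues(pw)
        if uses[pw] > 1:
            issues.append(f"reused on {uses[pw]} accounts")
        report[site] = issues
    return report


if __name__ == "__main__":
    # Constructed example accounts (not real credentials).
    demo = {
        "bank": "Vx9#mQ2!pL7$wZ4@",
        "shop": "Summer2019!!",
        "streaming": "Summer2019!!",
        "email": "Password123!",
    }
    for site, issues in audit_accounts(demo).items():
        print(f"{site:<10} {'OK' if not issues else '; '.join(issues)}")
```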

          Keep up with DarkOwl. Follow us on LinkedIn.

          Highlighting Women in Cyber for Women’s Equality Day

          Interview with DarkOwl’s Alison Halland and Jennifer Ewbank

          August 26, 2025

          For the fourth year in a row, in honor of Women’s Equality Day today, August 26th, the DarkOwl marketing team highlights the women in our workforce. This year, our DarkOwl Chief Business Officer, Alison Halland, interviews a member of our Board of Directors, Jennifer Ewbank. DarkOwl is very proud of our women leadership and workforce and strives to continue to build a balanced workforce with the most talented and effective team possible.

          Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Team

          To commemorate Women’s Equality Day, we sat down for a candid interview about working in the cybersecurity industry with two women from our team.

          Editor’s Note: Some content has been edited for length and clarity.

          In a world increasingly reliant on digital infrastructure, the need for robust cybersecurity has never been more critical. Yet, as the threats evolve, so too must our approach to building the defenses. One of the most promising avenues for strengthening our digital shield lies in fostering a more diverse and inclusive cybersecurity workforce, particularly by empowering women in this vital field.

          While challenges remain, the landscape is shifting. Just a few years ago in 2019, women constituted only about 20% of the global cybersecurity workforce. Today, that number has modestly, yet significantly, climbed to around 25%, with projections aiming for 30% by 2025 and potentially 35% by 2031. This upward trend is a testament to the incredible talent and dedication of women who are stepping up to fill a critical void, especially given that an estimated 3.5 million cybersecurity roles remain unfilled globally between 2022 and 2025.

          Over half of all cybersecurity professionals, regardless of gender, entered the field from non-IT backgrounds. This includes 17% who transitioned from entirely unrelated careers, 15% who leveraged formal education, and another 15% who are self-taught or independently explored the space. This highlights that a passion for problem-solving and a dedication to digital safety are far more crucial than a traditional tech background.

          Beyond professional strides, the statistics also underscore the importance of fostering safer online spaces. While not directly about careers, it’s telling that only 23-24% of women feel comfortable expressing political opinions online, compared to around 40% of men. The significantly higher fear of online harm, from misogyny to cyberstalking, and its heavier psychological impact, leads women to use more “safety tools” and engage less in online participation. By championing women in cybersecurity, we’re not just building a stronger defense for everyone, but also fostering a more equitable and secure digital world where all voices can thrive without fear.

          Join us as we celebrate the trailblazing women who are shaping the future of cybersecurity, inspiring the next generation, and proving that diversity is our greatest strength in the digital age.


          Alison: Thank you so much, Jennifer, for taking this time. I always enjoy speaking with you. And for those of you that don’t know, Jennifer Ewbank served as the Deputy Director of the CIA for Digital Innovation. And you were there from 2019, having recently retired in January of 2024. Did I get those dates right? 

          Jennifer: I was in that role from 2019 to January 2024, and then I retired from CIA a couple months after that. Yes.  

          Alison: And then Jennifer joined the DarkOwl board in 2024, and she’s been instrumental in helping us navigate the government landscape and providing us with so much feedback. So thank you for that, Jennifer. Thank you. 

          I wanted to do something a little bit different and dig into some of your background. Women’s Equality Day is coming up August 26th, and this is celebrated every year to commemorate the anniversary of the 19th Amendment to the Constitution, which granted all of us women the right to vote. I wanted to ask some questions geared both at your background, how you got into the CIA, and focus a little bit on women in that field.  

          As we know, there’s a huge gap globally right now in that field. There’s an estimated 3.5 million cybersecurity roles that were unfilled in the last three years. So there’s a talent gap. And, according to some of the statistics I was looking at, women only represent about a quarter of the global cybersecurity workforce, which is up from 20% in 2019. But I think that’s a pretty modest increase. 

          To kick things off, I am curious what it was like coming up through the CIA – specifically as a woman and if you ever faced any kind of imposter syndrome, or just speak a little about what it was like to be a female within the CIA organization. 

          Jennifer: Thank you. So a bit of this is going to be like archaeology for young people, right? Because, you know, I joined the CIA long, long, long ago. I didn’t join in a technical field, I joined in the operational world. Hollywood would have you think that that’s James Bond, which is obviously glamorized and dramatized. But, there’s some truth to the fundamental tasks that one has to perform in operations. So that is collecting secrets about what your adversaries around the world want to do to harm the United States and our allies. So that’s terrorist plots, it’s plans to proliferate weapons of mass destruction, it’s plans to penetrate our government with espionage, lots and lots of plans for a coup, plans for international narcotics trafficking. And the job was to go out and find those things and thwart the threats. 

          Alison: How old were you when you stepped into the operation?  

          Jennifer: I was young. So, I was in the State Department first, joined in my late 20s, and then a few years later, now people are going to do their math because you have a lot of smart people at DarkOwl. A few years later, the Cold War ended and our mission really changed at the State Department. I had joined thinking I was going to fight international communism through diplomacy, which was, you know, kind of corny, I think people would think today, but that’s how I grew up – a child of the 60s and the space race. And those things really mattered to me. And so the mission changed. I had a great experience, but I thought, hey, I want to do something else. And I wanted to do something a bit, I don’t know, let’s say bold. So I went off and did something that most rational people don’t do, which is join the CIA and become an operations officer. So I was still young at that point. 

          I spent decades moving around the world to different countries every couple of years, learning a different language, meeting new people, tackling new issues, and then climbing the ladder at the CIA in the operational world to become a chief of station, which is their senior most role in each country, that is responsible for everything CIA does, but also is kind of a coordinator, integrator of everything the broader intelligence community does. 

          I served in that role four times. As I tell people, it was small, medium, large mega stations all the way through the stack. And then after that last experience, I was invited to take this Digital Tech Deputy Director role by our Director. 

          Alison: Had any females served in those roles?  

          Jennifer: It’s a good question because when I joined, there were very, very few women in operations. It had a certain stereotype of who a “successful” officer was, and that stereotype was a very outgoing, extroverted, sociable guy. And there was a reason for that stereotype because that’s what the world was and those were the people who were successful. And somehow I thought, well, I can do that. And all those things I just described, I am not a single one of those things: not a guy, not an extrovert. I’ll phrase it this way, it’s an extreme career. If I wanted to be an astronaut, which I wanted to be when I was a child, or a fighter pilot, or a firefighter, it’s an extreme career, it’s all consuming, and it demands a lot of people. It demands everything of you. It’s full commitment. I thought, you know, I’m going to try that. 

          The challenge, back to our theme, was that there really were very few women. I didn’t work for a woman directly for, oh, I don’t know, 15 years. And I didn’t really have in my orbit people who would be role models or sponsors or mentors who happened to be women. The good news, in a way, and of course, like any large organization, the CIA has had its issues over the years, but, in some ways, the CIA is the ultimate meritocracy. It is all about outcomes. And so you deliver, and now that’s not to say that there aren’t individual cases where people experience discrimination of one kind or another, because of course, they’re human just like any other place. And so, good is balanced with people who aren’t so great. But more or less, it is a meritocracy and that’s how you kind of succeed. And so luckily for me, I worked for bosses who were keen to just get great results.  

          If I can just make a little bit of a detour, I’ll share with you. So my first tour, as we call our assignments overseas, my first tour as a case officer with operations, I would say the first year, I really did flail about a little bit trying to figure out how I’m going to do this. Because, again, there was a certain stereotype for how the job was done. And I’ll oversimplify, but it’s, you know, roll into a diplomatic reception, lots of glad handing and, you know, whiskey in one hand and a cigar in the other hand. And, inviting everybody, invite guys out to play golf and late-night drinking. Socially, it was a certain stereotype. And I wasn’t any of those things. And in the country where I was serving, it was not usual for young women to come rolling into a reception alone and chat up men. And so it wasn’t structured for my success and I wasn’t really designed for that. And so I had, at the end of about my first year, I won’t call it a crisis, but a real moment where I had to dig deep and I thought if I’m going to succeed I have to figure out a different way to do this and I’m not ever going to succeed if I play this game by the rules that exist today.  I had to – this is going to sound a little strange perhaps – sit back and really analyze who these people were who were succeeding in a traditional model: those who were out in our environment had access to secrets that we really needed to collect for the agency and for our country. And then what were my comparative advantages in this environment? What were the things that I could do that other people couldn’t do? And there were some things. And I had, I’ll say modestly, I had exceptional foreign language skills in this very difficult language. None of the men in my office did. So that gave me a leg up. I had, therefore, a deeper connection to culture and history of that country than others did. 
I was very good at what we called handling things – our assets, our sources, really maximizing the collection of intelligence, handling the cases well with good tradecraft, securely. There were things that I did well and that I could handle a large volume of work. And so I could just continue – continue to pump out more and more and more and more. And so, I found a way to take those things that I did well and turn them into my special way of doing the job and delivered results. As I was saying, it’s a meritocracy. And so, at the end of that second year, I sat down with my supervisor and we had an annual performance review. He was a great guy, very candid. He said, look, I’m struggling with how I evaluate you. And I said, okay, talk to me about that. And he said, you’re producing a lot, but I don’t see the classic approach and skills being honed. I said, okay, that’s fair enough. But is the challenge to produce or is the challenge to be like everybody else? And to his credit, he said, you’re right. And we had a narrative section, then we had numbers, we scored on various skills. And so he struggled with the scores. He’s like, you know what, you’re right. And he gave me the top numerical score for all those categories because of the delivery. So that’s a really long way of saying that meritocracy did matter. But that’s not to say it was easy, not at all.  

          Alison: Was there scrutiny over your different approach? Sounds like there was.  

          Jennifer: There’s a lot. That’s an interesting question, actually, because in the CIA, particularly in the operational world, there’s a lot of autonomy. You are trained, you are vetted, you are trusted to do things appropriately without supervision because the job is alone. You’re out doing your job alone. And so you go out and do your thing, come back and report. You’re expected to report fully and with integrity in detail on everything you’ve done. And so I did not encounter resistance along the way. So it’s really a long way of saying that it’s a really hard job. It’s a really hard job and it takes everything out of you.  

          I wrote a book review recently. Somebody had written a book about being a woman in the CIA, and I said something about it being a career guided by the goddess Kali, you know, both destruction and creation simultaneously – a job you love, even as it’s basically ripping you apart. And it’s just, all-consuming, and it was. So I will say that’s a long description of the job, but I came up through that world in a career that tracked the development of digital tech and its application to this very specialized, challenging mission. 

          And so when I, in 2019, was returning from one of these big posts, our largest place overseas, our director invited me to become one of her deputy directors for digital innovation, as you mentioned, which is all the digital tech stuff. So IT, global secure communications, cybersecurity, cyber collection, open source intelligence, data science, artificial intelligence, a bunch of policy and legal stuff and then training and education, et cetera. Lots of other things hanging off of that directorate, but a big job. And her intent in doing that was to bring somebody with a field perspective, a practitioner, to come partner with amazing technologists to serve as a bit of a catalyst. And that was a great experience for me. I hope people who worked with me would say the same. I think it was overall quite successful. But that was my, let’s say, non-traditional path into digital tech. 

          I wasn’t completely ignorant of it all. I had some background and I’d certainly been on the user end of every new technology that we had created. And by nature of the teams that I led overseas, we were actually right in the mix innovating with technologists to solve tough problems in tough places. And so it gave me, I would say, a complementary perspective on what we needed to do in digital tech to succeed. 

          Alison: Do you feel like you garnered more respect in that role because you had already been in an operational role and actually been boots on the ground, as they like to say? 

          Jennifer: Well, you know fair question – so the CIA is a large organization and like any large organization you have your different tribes and cultures and so coming into digital tech, I would suggest there were probably a few senior officers there, officials who thought that they should be in my job. Right? Why do we need this outsider? And so there was a bit of skepticism. It did help in two different ways, initially it helped in terms of credibility with folks in the operational world and the analytic world – kind of more directly mission facing roles – recruiting spies, producing analysis for the president, doing the things that the CIA was created to do. And so with them, I think it gave me direct credibility. And there was a lot of engagement around what they needed? What were we doing well? What could we do better in the future, etc. So I think that was helpful for what was a relatively new organization at the time, this directorate. 

          And then over time, and it didn’t take that long, I figured out what my complementary skill set would be to lead that organization and part of it was really all around that connection to mission – the connection to the big “why,” a sense of purpose around what we are here to do and then rallying that organization around a common understanding of what our key challenges were, which were in the form of a particular very aggressive and capable adversary. I think that helped a lot because I didn’t try to pretend that I was going to be the best data scientist or that I was an expert at cybersecurity more so than the CISO, none of that. I always approached those discussions with humility in terms of the technical expertise, but confidence in terms of what I understood we needed to accomplish and I think that balance worked.  

          Alison: Did that skepticism motivate you or intimidate you? 

          Jennifer: You know, it did not surprise me. It did not intimidate me. I mean, I’m kind of driven anyways. So I guess motivation? Sure, sure. It pushed me to dig deep and figure out what I was going to do. Again, back to that story from my first assignment last year. What were my strategic or comparative advantages? How was I going to play to my strengths and not focus on trying to polish up any perceived weakness, right? I think a lot of people waste time on weaknesses. Of course, you know, you want continuing education, you want to keep learning, you want to keep developing, all of that’s great. But if I spend all my time thinking about my relative deficiencies in, you know, coding Python, that’s a waste of my time and energy. And that’s not how you win. You win by playing to, I believe, your comparative strengths. And so I cataloged those. I looked across this organization with thousands and thousands and thousands of people and billions of dollars in budget all around the world. And yes, I can say there were a handful of things that I brought that nobody else did. And that’s what I tried to focus on. 

          Alison: Did you go through the activity of actually writing those down, pen to paper?  

          Jennifer: I would say it was a mental list in that instance. But over time, sure, I did kind of articulate those things. But I think that does go back to that first, that very first, very difficult assignment with the CIA, doing an impossible job. I mean, most people would consider it an impossible job. And trying to figure out how on earth I was going to succeed if what I had learned in training and the model that I saw all around me was not the model that would work for me. So very much the same approach. 

          Alison: Well, I love it. That’s a good segue. I’m curious if you were in a room right now with a bunch of high school girls that wanted to go into cybersecurity or more specifically into the CIA, it sounds like one piece of advice would be to figure out your comparative advantages, potentially. What else would you share in terms of advice? 

          Jennifer: It’s a good question. I actually had the opportunity a few months back. I spoke at an unusual cybersecurity conference and unusual in the sense that it was at a university and they invited a really large number of high school seniors to come explore careers in cybersecurity. And what I would try to tell people is to spend a little time and think about the broader issues at play in cybersecurity. There could be those who just like the technical challenge and that’s fantastic, right? I love that. That only takes you so far. And I think going back to something I’ve already said, figuring out what you want to accomplish in life. I don’t mean you have to know everything when you’re 18 years old, not that, but what matters to you? What’s important? How do you find a sense of purpose in what you do? Because of course you need a job, and of course you want to be paid for that job, but the thing that keeps you coming back every day, I mean it is work and there can be bad days and good days. There’s going to be challenges. The thing that keeps you coming back is if you are connected to some broader purpose. In my corny example, I really did grow up in a family where we valued service to our country, where we thought it was important to defend the United States, where you wanted to fight communism, all that kind of stuff. And without over-dramatizing it, there is a similar dynamic at play today between digital tech in open societies and digital tech in digital authoritarian countries. And there’s this whole competition playing out that is going to determine the future of humanity. And if one can stop for a moment and just think about that, most people, I think, in the United States would think: “oh, yeah, I can really get behind that”. That’s really important. I need to defend. If you’re interested in cybersecurity, fantastic. Then you’re on the front lines of that battle. 

          And so I would encourage people to think about what that purpose might be. I would encourage young people, women, young girls, to be a little bold. Be unconventional. Don’t worry. Of course, I grew up like every other teenage girl that wanted to be like other people. But if I look back, the people, the heroes, the heroines who really resonated with me were completely unconventional. They were bold, resilient, a little audacious, maybe a little controversial even. And those were the people, those were the women I thought about. 

          So if anybody’s looking for great books that they didn’t read when they were at school, one of them that really stayed with me was “West with the Night” by Beryl Markham. And Beryl Markham was the first person to fly westward across the Atlantic successfully. A lot of people tried and some had died in the process. Everyone thinks of Amelia Earhart, very intrepid, intelligent, compelling figure and she flew across the Atlantic East right, but West is much harder much, much harder. Earhart had had a team but Beryl Markham did it alone and westward and she was the first ever and she wrote about it in this book – that I should go back and read – but what I remember of it was just so compelling and I just thought man, what a badass, right? And something in me clicked. I’m like, yeah, you know, that’s what I want. That’s what I want. I didn’t end up doing that, but in my own way, I landed in a career that was unconventional and a little bold and on days maybe even a little bit dangerous. 

          And I would just challenge young women in a society that wants to cocoon them in bubble wrap to just take some chances and be bold and try something that you think might make you nervous, might be hard. That’s okay. Just get out there and do it. 

          Alison: I think that’s great advice for high school seniors that are contemplating what they want to be when they grow up, or at least where do I want to put some of my energy? Do you think organizations should encourage more participation from non-traditional groups? 

          Jennifer: I think there are a lot of things that can be done. And the CIA, for whatever its reputation may be, and we’re a democracy, people are going to have different views on it, and that’s fine. There are a lot of people in the United States who might not say that they support an intelligence service. It’s just a reality of the world that every country has one, and you need to know what your adversaries are trying to do to you. So there may be people out there who think they don’t really like the idea of an intelligence service and that’s okay. But I will say that despite the reputation, it is mostly about merit. And I started at a time when there were very, very few women. And then fast forward, and when I became Deputy Director for Digital Innovation, without going down a rabbit hole here, there are five directorates. Each one is headed by a deputy director. The five deputy directors basically run the CIA, and then you have a director. And so when I became deputy director of digital innovation, all five directorates were headed by women and the director was a woman. In fact, six of the top eight positions in the CIA were women. 

          And so, you know, it didn’t take me long to just pause and think, you know what? Wow, things change. Things can change. They do change. And I’ve always felt it’s my responsibility to, if I walked through a door, I need to keep it open and help others. But I never felt it was my job to give somebody a particular advantage. I wanted people to have the opportunity to compete. 

          And so a couple things I’m going to say about that. I saw moments when I felt that there should have been more women in, say, some group of leadership positions. And I was also in a position years ago where I oversaw selections for key leadership positions and found myself very disappointed a few times by how few women put themselves out there for the roles. And it’s a bit of a stereotype, I understand this, but it seems to hold true. If I have a job vacancy that says you must have these 10 skills and a man has two and a woman has eight, the woman won’t apply and the man will. And I know that’s a stereotype and I’m generalizing, but there’s something to that.  

          So I had to do the selection of some of the most coveted senior leadership roles and I was heading a panel to do so. I was in charge of that entire process. And one year, the deadline was passed and all the applications were in. And I looked around, I thought, wait a second, we have 10% of the applications for women for these key roles that are catalysts for something more in the future that are great jobs and they give you a leg up, right? And so the next year, when the same process came around, like I said, I never wanted to give anyone special advantage, it’s not about that, but I did start calling a bunch of people and just saying, did you see these vacancies? Have you ever thought of yourself as, in this case, a chief of station? Have you ever thought about applying? And by the way, I’m not calling to tell you that you would get a job. I’m just telling you that I’d love to see your name on the list. And just trying to encourage people to apply, it really does make a difference. It can make a big difference. 

          The other two things I will say, we did really, really well, as I used to put it, as an organization that represents the United States. I would love our organization to be representative of the United States. But, you know, we’re in digital tech, so we have to also deal with demographics in the US. What percentage of college graduates with technical degrees are, you know, various demographics? And we were very careful not to measure and hire by any of those demographics because you can’t in government. It’s not lawful. But I wanted to make sure that the pipeline had a really rich representation. And so, honestly giving applicants the opportunity in the interviews, in the recruiting fairs, and all of that to actually see that diversity in action, to see a group of recruiters who look like America, that actually made a difference. There’s a psychology in that where people walk into a room, it’s a job fair, and you come to a table and you’ve got say five or six people, and you look across the five or six people and you’re like, oh, I do kind of fit here. Right? That has an impact.  

          The other thing I will say though, because I’ve always had a bit of a difficult relationship with what we used to call agency resource groups, the groups representing the interests of certain demographics. And lots of large organizations have these. So maybe it may be based on a gender issue or race or something else. And at the same time, I always felt, like I said before, I wanted to open the door behind me and bring people. And so I had many opportunities to serve, as what we used to call, executive champion for these organizations. People would ask me, would you please serve as executive champion for this resource group? And I did. I served as an executive champion for three particular resource groups. I had the same conversation each time, which was that, you know, I’d love to, but I just have two requests. First is that whatever programming you offer, you know, if it’s a seminar or it’s a webinar or if it’s a job, it’s a career fair, whatever it is, it needs to be open to everyone in the organization and needs to uplift everyone.  

          And then two is, I will never say or do or tolerate, in any session, somebody suggesting that people in this group are victims in any way. I just don’t think that’s productive. And I said, if that’s okay with you, then I’m all in. I’ll do everything I can. And it was. So, and I know that may sound a little tough, but just growing up in CIA early in my career, of course there were women’s groups, it didn’t have the positive impact that I would have hoped and I was glad to see over the years that changed and it was really about providing resources and uplifting everyone. So I’ve always had this slightly, not difficult, but nuanced relationship with those efforts. And for me, what worked best was to try to uplift everyone, ensure that the programming was for everyone and to avoid falling into a pit where discussions were around how, all the different ways that I’m a victim as a woman. 

          Alison: That resonates with me too, because I feel like I’m oftentimes the only female in the room when we have external meetings. The other day I looked around and it was seven guys and me. And I always, I always want the opportunity to be in that room, but I 100% want to be in that room because I’m qualified, not just because I am the token female. 

          Jennifer: I had lots of unique experiences like that. Most of my career, I was the only woman in the room and one of my last assignments as a chief of station was in a country with a military junta so everyone was a general. They were all men. And in the 75 years that the CIA had a presence there, there had never been a woman in the role. And so it was just a fun experience for me. I just took it as my own challenge to convince them through my own actions and professionalism that, hey, guess what? A woman can do this. And by the way, when I leave, you’re gonna think that I’m better than any of them were. That was my goal.  

          Alison: Any final thoughts, closing remarks, tying back to Women’s Equality Day or words of wisdom or even a fun story? Because I know you’re full of them.  

          Jennifer: Oh, no, I don’t want to bore people with more stories. I just think for anyone who’s considering cybersecurity, if we want to go back to that in particular, I just think it’s a fantastic time, right? Because A, there’s such a need, and B, there’s so many different pathways to cybersecurity. And yes, there’s a more traditional one where I’m going to go to university, I’m going to get a degree in a relevant field, and then I’m going to study and get a certification. That’s great. Fantastic. And that’s today the typical way, and it’s a really wonderful one. I also know people who’ve come through many other different paths. So one of my friends who’s quite well known in cybersecurity circles has her own company. She came up through the intelligence world, working on insider threat issues and then built her own company and built her own skills. And I’m sort of in a perpetual state of self-education on all of these issues and I try my best. My sweet spot is sort of cyber security for the C-suite, so not the deeply technical piece, but really thinking about the strategy and the rest of it. But there’s so much out there, there’s so much opportunity. I would suggest for anyone who’s really interested, I guarantee wherever you are today, you can map a path. And it can be through self-study, it can be through online certifications, it can be through a traditional education process, it could be on the job training, it could be lots of different things. And maybe if I’m thinking about the future and building a really successful cybersecurity career for the future, somebody is eager to do that, I would invest a little extra time to develop some level of data fluency, to really start thinking about what is coming, it’s already here in some respects, but what’s coming is really that confluence of data science and cybersecurity, where the two are gonna have to be working hand in hand. 
          And the people who will have the superpowers in the not-differentiated future and who’ll be leading in this field are gonna be those who understand data, AI, and cybersecurity. That’s the sweet spot, I think, for the future where women, men, anyone can really carve out an exciting and successful career.



          Clicks, Chats & Consequences: Protecting Kids Online

          August 21, 2025

          As families, students and teachers prepare for the new school season, we wanted to take some time to cover one of the toughest battles for parents today: keeping their kids safe on the internet. The internet can be a dangerous place. It connects us with millions of people from all walks of life—and unfortunately, some of those people have bad intentions.

          The National Center for Missing & Exploited Children (NCMEC) reported a 197% increase in reported CyberTips—totaling 36.2 million reports—and a staggering 1,325% increase in AI-generated CSAM (child sexual abuse material) cases. These numbers are only expected to rise.

          So, what is being done about it? While there are law enforcement task forces like Internet Crimes Against Children (ICAC) and new laws being passed to prevent CSAM, it’s simply not enough.

          What else is needed is simple: education and communication, not just for children, but for us as parents too. Fortunately, there are great online resources that can help us educate both ourselves and our children.

          One of my favorite resources is NetSmartz, a program by NCMEC. It provides interactive games, videos, and resources for children of all ages to learn about online dangers. It also offers helpful materials for parents to guide their conversations.

          Even with all the education in the world, kids will make mistakes online. Just look at adults—many still fall victim to online fraud, which is now a billion-dollar industry. We can’t expect our kids to be perfect either; mistakes are how we learn best as humans.

          The goal of education isn’t to prevent every mistake; it’s to teach kids how to recognize warning signs and know what to do before a mistake becomes too serious. It’s also about creating an open line of communication with a trusted adult.

          As my father always said:

          “Son, I’ve never made a mistake in my life—because I’ve learned from all of them. That makes them learning experiences.”

          Expect mistakes. The goal is to make sure they’re small and that every mistake becomes a learning experience.

          One of the most valuable tools from NetSmartz is a guide called “Protecting Your Kids Online 2.0.” It presents a simple, three-step approach: Connect, Learn, Engage.

          1. Connect

          This first step is all about setting clear ground rules and having honest conversations about them. These rules might include limits on screen time, restrictions on certain apps or websites, or guidelines about online behavior. The key is to ensure everyone understands what’s expected.

          This phase also involves researching devices, apps, and games before purchase. Ask questions like:

          • Does this game or app allow in-game chat or direct messaging?
          • Can users send images, videos, or share their location?

          While monitoring tools may seem like an easy solution, they aren’t foolproof. Kids determined to bypass controls often can. Instead, focus on teaching them about risks, warning signs, and what to do if something goes wrong.

          2. Learn

          This step falls mainly on parents. You need to learn about the platforms your kids are using, whether it’s a video game or a social media site. Understand how strangers can contact them, and review the platform’s privacy settings.

          Start teaching kids about:

          • Sexual conversations, roleplay, and grooming behaviors
          • The importance of never sharing personal information like their school, sports team, or favorite hangouts
          • Recognizing red flags such as:
            • Unsolicited inappropriate images or videos
            • Promises of gifts or free items
            • Strangers pretending to be younger
            • Threats or extortion tactics (“I’ll tell your parents/school!”)

          Mistakes will happen. But if kids know the red flags, they’ll be more likely to stop before something serious happens and, ideally, they’ll feel comfortable telling a trusted adult.

          3. Engage

          The final step is engagement, which means having ongoing, open conversations about online safety.

          Personally, I aim for a monthly chat with my kids. I ask if they’ve noticed anything suspicious, remind them about online red flags, and reinforce that they can always come to me if something feels wrong.

          Another great way to engage? Play their favorite games with them! Challenge them to a duel; it’s fun, and it also lets you learn more about the platform they’re using. This helps build trust and shows you care about their interests, making it easier for them to open up.

          Lastly, be prepared for how you’ll respond if your child comes to you with a mistake. While every family disciplines differently, I encourage you to focus more on communication than punishment. The goal isn’t just to “punish”; it’s to encourage honesty and prevent more serious problems down the line.

          When an online incident happens, here’s what to do:

          1. Report it to the platform or app where the issue occurred.
            • Don’t delete anything until you have made your report or taken screenshots.
          2. Submit a CyberTip to NCMEC (https://report.cybertip.org/).
            • Anyone can file a report, anonymously or with contact info.
            • You can upload screenshots or files.
            • NCMEC reviews every tip and forwards it to the appropriate provider and, if necessary, law enforcement.
          3. Involve law enforcement if the situation is serious.

          Before reporting, review the incident carefully. Is it simply an inappropriate conversation, or something more severe? Don’t delete messages or evidence; you’ll need to provide this information to investigators.

          Once reported, sit down with your child. Make sure they understand what happened, talk through next steps, and explain any consequences clearly, again, balancing discipline with communication.

          Education, for both parents and kids, is the only way to prevent online crimes against children. We can’t shield kids from technology entirely, so we must teach them how to navigate it responsibly.

          Resources like NetSmartz offer incredible tools for both parents and children. And remember, there are thousands of law enforcement officers and volunteers working every day to make the internet safer.

          Don’t be afraid to have these conversations. Your kids will make mistakes, but mistakes are often our greatest teachers. The key is to catch red flags early and turn every misstep into a learning opportunity.

          Lastly, if you’re able, consider donating to the National Center for Missing & Exploited Children. Their work is crucial in keeping our kids safe online.



          DefCon 33: A Family Conference? 

          August 20, 2025

          In the ever-evolving realm of cybersecurity—where the dark web lingers just beneath the surface—DEF CON continues to shine as a gathering point for innovation, collaboration, and curiosity. Each August, Las Vegas transforms into a hub for hackers, security experts, policy makers, and tech enthusiasts. DEF CON is more than a conference; it’s a living laboratory of ideas and challenges where attendees can immerse themselves in the cutting edge of technology, explore the boundaries of security, and engage with a global community that thrives on solving the toughest digital puzzles. 

          Last year, our analysts noted DEF CON’s evolving look and feel—a new location, emerging villages, and community-driven initiatives. DEF CON 33 leaned into those changes with an expanded NextGen Village, growing from 150 young participants in 2024 to over 200 in 2025. Many challenges designed for ages 8–18 ran short, as enthusiastic participants quickly cracked puzzles and riddles. When non-technical parents couldn’t help, seasoned attendees stepped in to guide the next generation of hackers. 
           
          DarkOwl representatives even assisted one young challenger in conducting an OSINT investigation to locate a ‘mysterious’ individual needed to earn scavenger points—fitting, since OSINT is one of the many services DarkOwl provides. The rep, a longtime subscriber to DarkNet Diaries, brought real-world investigative expertise to the challenge. 
           
          Another community gaining traction is the Noob Community, connecting newcomers to experienced hackers through Capture the Flag competitions and skill-building events. DEF CON 33 also introduced DEF CON Academy, a new initiative by Arizona State University that creates hands-on opportunities for learning and practicing cybersecurity skills in a collaborative environment. 

          The AI Village was, unsurprisingly, one of the busiest at DEF CON 33. Attendees waited up to two hours to explore deepfake implications, attend talks on large language model integrations, and learn about securing AI systems. AI wasn’t confined to one space—across the event, multiple villages tackled AI topics, from the risks of using shared AI libraries across secure and public-facing applications to the potential for those same tools to be exploited. 
           
          One of the most anticipated AI-related features was the AIxCC (AI Cyber Challenge), a two-year DARPA and ARPA-H competition aimed at developing AI systems capable of autonomously securing critical code. With $29.5 million in total prizes, including $7 million earmarked for small businesses in the initial phase, the challenge united top AI companies, open-source communities, and security researchers to address urgent cybersecurity concerns—especially those impacting critical infrastructure and open-source software. 
           
          From transportation to healthcare, these systems run the backbone of daily life, making their security paramount. The AIxCC semifinals at DEF CON 32 featured a simulated town with hackable infrastructure. For the finals at DEF CON 33, massive infographics showcased real-time results, illustrating vulnerabilities, mitigation strategies, and the winning teams’ approaches. It was an awe-inspiring demonstration of the power of collaborative, AI-driven security innovation. 

          Each year, DEF CON provides an unparalleled opportunity to bridge emerging cybersecurity trends with the realities of the darknet. DEF CON 33 continued this tradition, offering fresh insights directly applicable to DarkOwl’s darknet intelligence mission. 

          Relevance to DarkNet Professionals 

          DEF CON 33 underscored that darknet actors are far from the stereotypical lone hackers in basements. Many are highly organized, professionalized networks that continuously evolve their tactics. Increasingly, these groups are harnessing social engineering techniques—not just in phishing emails or scams, but in elaborate trust-building exercises within forums, encrypted channels, and darknet markets. For investigators, understanding these human-driven exploits is just as vital as analyzing technical vulnerabilities. 

          AI is also reshaping this landscape. On the one hand, darknet actors are experimenting with generative AI to craft more convincing lures, automate disinformation campaigns, and even generate malicious code snippets. On the other hand, DEF CON highlighted how defenders can leverage AI for anomaly detection, threat actor profiling, and rapid analysis of vast data sets. This duality makes AI both a challenge and an opportunity for professionals working in darknet intelligence. 

          The crossover between digital and physical security—illustrated through lock-picking and physical security villages—remains equally critical. Social engineering often bridges the gap between online deception and real-world intrusion, showing that the human element remains the most persistent vulnerability in cybersecurity. 

          As DEF CON 33 draws to a close, the takeaways for DarkOwl are actionable and immediate. From AI-driven detection to next-generation crawling tools, the conference has provided the strategies and innovations necessary to refine our capabilities. In an environment where information dominance determines security, DEF CON remains an essential guidepost—transforming the dark web from a chaotic risk landscape into a source of actionable intelligence. 



          Esports and Gaming Platforms: The Next Frontier for Dark Web Threats 

          August 14, 2025

          Esports has evolved from late-night gaming sessions to sold-out arenas, multi-million dollar prize pools, and sponsorships from global brands. But behind the glitz and glamour lies a growing problem: the esports industry is increasingly under threat, from cyber-attacks and cheating scandals to personal safety risks. 

          This isn’t just about players losing matches or teams missing out on prize money. These threats strike at the very integrity of competitive gaming and pose real dangers to people, organizations, and brands alike. 

          Esports platforms, streamers, and tournaments have become prime targets for cyberattacks. The reasons are simple: high visibility, massive online audiences, and often, poorly secured infrastructure. 

          A report from Control Risks explains that “the sheer popularity of esports, combined with lax security protocols in some areas, makes them an ideal target for DDoS attacks, credential theft, and extortion.” In fact, the report states that over 37% of all DDoS attacks are directed at online gaming and esports platforms. 

          These aren’t hypothetical threats. In recent years, major tournaments have been halted mid-stream due to attacks, players have been forced offline during crucial matches, and attackers have used ransomware to hold tournament servers hostage.

          The competitive integrity of esports is under constant assault. Cheating isn’t limited to aimbots or wallhacks anymore. Today’s methods are more sophisticated—and more dangerous. 

          A 2023 study in the International Journal of Esports notes that, “The esports ecosystem is particularly susceptible to technological manipulation, including the use of third-party software, programmable peripherals, and real-time data exploits.” 

          Then there’s the issue of match-fixing and betting fraud, which can have far-reaching implications. One infamous case, the iBUYPOWER CS:GO scandal, involved players deliberately throwing a match in exchange for valuable in-game item bets. According to a summary on Wikipedia, the scandal “rocked the North American CS:GO scene and led to indefinite bans for several top players.” 

          The Esports Integrity Commission (ESIC) has since reported a sharp uptick in similar investigations, especially in lower-tier tournaments where regulation is weaker. As esports gambling grows, both legally and through black-market sites, so too does the incentive to manipulate outcomes. 

          “The lack of consistent regulation across regions and titles makes it difficult to maintain competitive fairness,” says one ESIC whitepaper. “Without centralized enforcement, threats like match-fixing go unchecked.” 

          Esports professionals, streamers, and even fans are increasingly becoming targets of doxing, harassment, and swatting, a dangerous trend where attackers send emergency services to someone’s home under false pretenses. 

          In a recent legal analysis by Clyde & Co., the authors noted: 

          “Esports professionals are now public figures, and the legal system has not yet caught up with the need to protect them from online threats that turn into real-world consequences.” 

          One well-documented case involved a professional Fortnite player being swatted during a live stream, a terrifying experience for the player and his family. 

          At live events, player safety is also a growing concern. As fan engagement increases, so do the risks associated with in-person appearances and meet-and-greets, especially without proper security measures. 

          Toxic behavior in online gaming is nothing new—but in esports, where millions of dollars and high-profile sponsors are involved, it becomes a serious brand liability. 

          A research paper published on arXiv highlighted the scale of the issue: 

          “Toxicity in online team competition games is not only pervasive but also contagious. A single toxic player can create a ripple effect that damages team morale and community health.” 

          Publishers like Riot Games and Valve have begun using AI to monitor voice chat, text logs, and gameplay behavior in real time, but there’s no foolproof solution yet. Sponsors are increasingly wary of being associated with players or teams who become the face of online toxicity. 

          Unlike traditional sports, esports doesn’t have a centralized governing body. Each game has its own rules, enforcement methods, and approach to discipline. 

          “This lack of standardized governance has left room for exploitation,” according to a literature review in the Journal of Gaming and Computer-Mediated Simulations. “From doping and cheating to match-fixing and harassment, the fragmented nature of esports oversight has created blind spots.” 

          Some groups, like ESIC and NASEF, are trying to build frameworks for integrity and accountability, but widespread adoption remains a challenge. 

          Solving these problems won’t be easy—but there are clear paths forward: 

          • Robust cybersecurity frameworks for tournaments, servers, and team infrastructures 
          • Stronger industry-wide enforcement of cheating, match-fixing, and harassment violations 
          • Support for player safety, both online and in person 
          • Education and awareness campaigns for fans, sponsors, and players 
          • Standardized governance models modeled after traditional sports regulators 

          Esports is thrilling, fast-paced, and full of opportunity, but it’s not immune to threats. Whether it’s a rigged match, a hacked server, or a swatted player, these risks have real consequences. 

          As the industry continues to grow, we must ensure it grows safely. That means more transparency, better safeguards, and a willingness to tackle the hard problems head-on. 

          The future of esports is bright, but only if we protect it. 



          Copyright © 2024 DarkOwl, LLC All rights reserved.