Author: DarkOwl Content Team

The Islamic State’s Propaganda Playbook

Digital Resilience, Recruitment, and Radicalization on the Darknet

This report examines the Islamic State’s (IS) evolving digital propaganda strategy, tracing its shift from centralized social media campaigns to a decentralized, multi-platform ecosystem spanning encrypted messaging apps and darknet infrastructure. Drawing on data from DarkOwl Vision and other intelligence sources, the report outlines how IS has adapted to deplatforming by leveraging Telegram, Rocket.Chat, Matrix, and Tor-based onion sites to distribute propaganda, recruit operatives, and maintain ideological influence. It highlights IS’s increasing use of multilingual content, operational security (OPSEC) training, and emerging technologies such as generative AI to sustain its global reach. The findings underscore the importance of persistent darknet monitoring and cross-platform intelligence to counter the group’s resilient digital footprint.



What are IoCs?

July 24, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by cybersecurity professionals and threat actors alike that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, and data harvesting. In this edition, we dive into indicators of compromise.

Indicators of Compromise (IoCs) are pieces of forensic data or artifacts found on a network or operating system that, with high confidence, indicate a potential intrusion, breach, or malicious activity has already occurred. Think of them as the “digital fingerprints” or “clues” left behind by an attacker, which help security teams determine whether an attack has taken place.

Indicators of compromise help security professionals in several ways. They are essential for detecting both ongoing and past cyberattacks, even if the initial breach went unnoticed. Once an IoC is identified, it serves as a guide for incident response teams, helping them understand the full scope, nature, and methods of the attack. This understanding allows them to effectively contain the threat, eradicate the malicious presence, and recover compromised systems. Furthermore, by analyzing IoCs from previous incidents, organizations can proactively strengthen their defenses, updating security tools such as firewalls, intrusion detection systems, and antivirus software to prevent similar attacks in the future. Finally, sharing IoCs within the cybersecurity community helps other organizations defend against the same evolving threats, fostering a stronger collective defense across the digital landscape and helping everyone keep up to date with the latest TTPs (tactics, techniques and procedures) of threat actors.

It’s important to distinguish IoCs from Indicators of Attack (IoAs). While IoCs tell you that a compromise has already happened, IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur. Both are crucial for a comprehensive cybersecurity strategy. We will dive into IoAs in an upcoming blog. 

CrowdStrike IoC list

Data purported to be from CrowdStrike was posted on BreachForums, a hacking forum, on July 28, 2024. According to the post, USDoD claims to have the entire IoC (Indicator of Compromise) list from CrowdStrike but only released the first 100,000 records. Data exposed includes indicators, types of malware, actors, reports, kill chains, published dates, latest updates, and labels.

CISA and FBI: Ghost ransomware breached orgs in 70 countries 

On February 19 this year, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Ghost (Cring) Ransomware. Since 2021, threat actors utilizing Ghost ransomware have targeted organizations in more than 70 countries. Victims have included organizations in a variety of sectors, including critical infrastructure, education, and healthcare.

SolarWinds 

As was seen during the SolarWinds hack, monitoring the darknet for malicious discussions enables organizations to understand when and if they’re a target, and prepare accordingly. In the case of SolarWinds, we have evidence that they have been targeted by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, had they been taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately resulted in the devastating hack that transpired this year.

DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below). 

As noted above, sharing IoCs within the cybersecurity community is vital to developing collective defenses and sharing best practices. By keeping up to date with IoCs in the wild, organizations can expand their understanding of current attack vectors, speed up their own incident response, avoid analyzing threats that have already been analyzed, and improve their overall security posture.

One way to track and share IoCs is through TIPs (Threat Intelligence Platforms). These specialized platforms are designed to collect, process, and disseminate crucial threat intelligence, including IoCs, to the wider community. To ensure efficient and interoperable sharing, IoCs are often exchanged using standardized formats and protocols. For instance, STIX (Structured Threat Information eXpression) provides a common language for representing and sharing cyber threat intelligence, encompassing not only IoCs but also threat actors and their tactics. The TAXII (Trusted Automated eXchange of Intelligence Information) protocol then facilitates the secure transmission of this STIX-formatted data between different organizations or security platforms.
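As an added example (not DarkOwl's code and not part of the original post), this is a minimal consumer for IoCs shared as a STIX 2.1 bundle: it keeps only currently valid indicators, extracts their values, and checks key=value log lines against them. The bundle, log lines, `FIELD_MAP` and all function names are constructed for illustration; only single-observation equality patterns joined by OR are handled, and everything else is reported as skipped rather than silently dropped.

```python
import json
import re
from datetime import datetime, timezone

# Indicator ids, bundle contents and log lines below are constructed sample data.
ID_IP = "indicator--11111111-1111-4111-8111-111111111111"
ID_MULTI = "indicator--22222222-2222-4222-8222-222222222222"
ID_EXPIRED = "indicator--33333333-3333-4333-8333-333333333333"
ID_SEQUENCE = "indicator--44444444-4444-4444-8444-444444444444"
SAMPLE_SHA256 = "ab" * 32  # constructed placeholder digest, not a real file hash


def _indicator(ind_id, pattern, **extra):
    """Build a minimal STIX 2.1 indicator object for the sample bundle."""
    base = {"type": "indicator", "spec_version": "2.1", "id": ind_id,
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2025-01-01T00:00:00Z"}
    base.update(extra)
    return base


BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--55555555-5555-4555-8555-555555555555",
    "objects": [
        # STIX also carries non-IoC objects such as threat actors; ignored here.
        {"type": "threat-actor", "spec_version": "2.1", "name": "Constructed actor",
         "id": "threat-actor--66666666-6666-4666-8666-666666666666"},
        _indicator(ID_IP, "[ipv4-addr:value = '198.51.100.7']"),
        _indicator(ID_MULTI, "[domain-name:value = 'updates.example.invalid' OR "
                             "file:hashes.'SHA-256' = '" + SAMPLE_SHA256 + "']"),
        _indicator(ID_EXPIRED, "[ipv4-addr:value = '203.0.113.9']",
                   valid_until="2025-03-01T00:00:00Z"),
        _indicator(ID_SEQUENCE, "[ipv4-addr:value = '192.0.2.10'] FOLLOWEDBY "
                                "[domain-name:value = 'c2.example.invalid']"),
    ],
})

LOG_LINES = [
    "ts=2025-07-24T10:00:01Z src_ip=10.0.0.5 dst_ip=198.51.100.7 action=allow",
    "ts=2025-07-24T10:00:02Z src_ip=10.0.0.5 query=Updates.Example.INVALID type=A",
    "ts=2025-07-24T10:00:03Z host=ws01 path=/tmp/a.bin sha256=" + SAMPLE_SHA256,
    "ts=2025-07-24T10:00:04Z src_ip=10.0.0.8 dst_ip=203.0.113.9 action=allow",
    "ts=2025-07-24T10:00:05Z src_ip=10.0.0.8 dst_ip=192.0.2.10 action=allow",
]
NOW = datetime(2025, 7, 24, tzinfo=timezone.utc)  # constructed evaluation time

# Assumed mapping from STIX object paths to the field names of this log format.
FIELD_MAP = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "query",
    ("file", "hashes.'SHA-256'"): "sha256",
}

CMP = r"([a-z0-9-]+):(\S+?)\s*=\s*'([^']*)'"   # one "type:path = 'value'" test
CMP_RE = re.compile(CMP)
SIMPLE_RE = re.compile(r"^\[\s*" + CMP + r"(?:\s+OR\s+" + CMP + r")*\s*\]$")


def parse_ts(value):
    """Parse a STIX timestamp such as 2025-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json, now):
    """Return (active, skipped): active is [(id, log_field, value)], skipped is [(id, reason)]."""
    active, skipped = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        until = obj.get("valid_until")
        if obj.get("pattern_type") != "stix":
            skipped.append((obj["id"], "non-STIX pattern"))
        elif parse_ts(obj["valid_from"]) > now:
            skipped.append((obj["id"], "not yet valid"))
        elif until and parse_ts(until) <= now:
            skipped.append((obj["id"], "expired"))   # stale IoCs cause false positives
        elif not SIMPLE_RE.match(obj["pattern"]):
            skipped.append((obj["id"], "unsupported pattern"))
        else:
            for obj_type, path, value in CMP_RE.findall(obj["pattern"]):
                field = FIELD_MAP.get((obj_type, path))
                if field is None:
                    skipped.append((obj["id"], "unmapped field"))
                else:
                    # Domains and hex digests are case-insensitive, so normalise.
                    active.append((obj["id"], field, value.lower()))
    return active, skipped


def scan(log_lines, active):
    """Return [(line_number, indicator_id)] for every log line that matches an indicator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        event = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for ind_id, field, value in active:
            if event.get(field, "").lower() == value:
                hits.append((number, ind_id))
    return hits


if __name__ == "__main__":
    indicators, not_used = load_indicators(BUNDLE_JSON, NOW)
    for line_no, ind_id in scan(LOG_LINES, indicators):
        print(f"line {line_no} matched {ind_id}")
    for ind_id, reason in not_used:
        print(f"skipped {ind_id}: {reason}")
```

The skipped list matters operationally: an indicator a tool cannot evaluate is a coverage gap worth logging, and honouring `valid_until` keeps retired infrastructure from generating alerts.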

Beyond specialized platforms, many cybersecurity vendors, research organizations, and government agencies provide threat intelligence feeds. These feeds deliver real-time or near real-time updates of IoCs directly to an organization’s security tools. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) play a critical role as well. These sector-specific or cross-sector organizations create trusted environments for their members to share sensitive threat information, including IoCs, and collaborate on defense strategies. For example, there are dedicated ISACs for sectors like finance, energy, and healthcare. Governments also contribute significantly; many run initiatives to facilitate threat intelligence sharing, such as CISA’s Automated Indicator Sharing (AIS) in the United States, which provides federal agencies and partners with machine-readable cyber threat indicators.

Finally, the broader security research and open-source communities are invaluable contributors. Independent security researchers, ethical hackers, and open-source projects frequently discover and publish IoCs through various channels like blogs, online forums, GitHub repositories, and specialized websites.

Entity API enables the identification and contextualization of specific entities—such as email addresses, IP addresses, and domains—within DarkOwl’s darknet data. This tool is invaluable for incident responders and threat hunters seeking to correlate Indicators of Compromise (IOCs) and assess potential threats.  

Investigators can gather IOCs from dark web sources and link them to threat actors or campaigns. This helps in profiling the activities, tactics, and techniques of adversaries, enabling proactive threat hunting and vulnerability assessments. 

Emails and Domains 

Email Address and Domain endpoints allow you to request all exposed information relating to a single email address or email domain. For example, you can request a list of all emails belonging to a particular domain, or see if a specific email address has been exposed with a hashed or plaintext password (if detected).

Credit Cards and BIN 

Credit Card and Bank Identification Number (BIN) endpoints allow you to request to see information relating to a single credit card number or BIN. For example, end users can query all credit cards belonging to a specific BIN that have not expired or the URL source of the pages on which a specific credit card was posted. 

Cryptocurrency Addresses 

Cryptocurrency Address endpoints allow you to see if specific cryptocurrency addresses have been exposed. Sample responses include a contextual text fragment provided from the original source document.

IP Addresses 

IP Address endpoints allow you to request to see information relating to a single IP address. For example, end users can leverage search parameters to find out whether a specific IP address has been posted on darknet forums.

One of the most prevalent use cases for insight into DarkOwl’s data is the recent persistent rise in cybercriminal activity as a whole, and specifically ransomware activity, which largely presents itself on the dark web. The global dark web intelligence market size is expected to grow at a CAGR of 22.3% by 2028, to a total of $1.3 billion.

Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. Entity API will empower threat intelligence teams with the tools to determine when such account information has been compromised, and take remediation steps accordingly.  

Monitor Cryptocurrency Mentions Using Entity API 

With Entity API, users have access to highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, data breaches, encrypted chats, IRC, and authenticated forums. Users can search for a crypto address that DarkOwl has captured from darknet sources including illegal marketplaces and vendor forums to detect wallets with problematic activity. Cryptocurrency address endpoints allow users to see if specific cryptocurrency addresses have been exposed.

Cryptocurrency types include: 

  • Bitcoin 
  • Ethereum 
  • Monero 
  • zCash 
  • Litecoin 
  • Dash 

Figure 2: Request to see all instances of a specific cryptocurrency address appearing on the darknet (or other underground networks). Sample responses pictured above.

For those in charge of monitoring for critical information regarding their business or their customers, having access to DarkOwl’s darknet data means access to near real-time data from exclusive dark web sources including authenticated forums and emerging chat networks. Contact us to learn more. 

Dark Web Threats to UK Councils

July 22, 2025

In an increasingly volatile cyber security landscape, no organization is safe from cyber attacks. One group of organizations that has been increasingly targeted by ransomware groups and other threat actors is UK councils, which are the local level of government in the UK.

In this blog we will explore what UK councils are and how they have been subjected to cyber attacks in recent times.  

Councils, which are also known as local authorities, are the local level of government in the UK. They are responsible for delivering public services, which can range from social care and schools to roads and transport, trash collection and recycling, housing and planning permission, as well as the management of parks, recreational areas and libraries. They are responsible for large swathes of local life in the UK, and all residents pay a council tax in order to receive and maintain services.

Councils are run by locally elected officials, who are responsible for making decisions on budgets, policies and the services that are provided. Councils will often have a lead, frequently the mayor, who is either directly elected by local residents or selected from the councilors. There will also be non-political officers, or civil servants, who run day-to-day operations.

There are also different types of councils depending on where they are located and the communities that they support.  In England these form a tier system:  

  • Two-tier system (mainly in shire counties like Kent or Hampshire): 
    • County Councils 
      • Handle large-scale services like education, social care, and transport. 
    • District/Borough Councils 
      • Handle local services like housing, waste collection, and planning. 
  • Single-tier system (in cities and urban areas): 
    • Unitary Authorities 
      • Handle all services. 
    • Metropolitan Boroughs 
      • Do everything in large urban areas (e.g., Manchester, Birmingham). 
    • London Boroughs 
      • Each borough (like Camden or Croydon) has its own council. 
    • Greater London Authority (GLA) 
      • Oversees strategic issues like transport (TfL), policing, and planning. 

UK councils face a wide range of cybersecurity threats due to the large volumes of sensitive data they manage (e.g. social services, housing, benefits, and education). 

There are multiple types of cyber threats that can affect local councils. Here we summarize some of the common attacks we have seen conducted.

Ransomware Attacks 

Ransomware attacks happen when a threat group obtains access to a network and encrypts the data, demanding a ransom to return the information to the owner. More and more, these attacks also include the theft of data and making it available on dark web sites. This can have very serious ramifications for councils given the services that they support. It can stop them from being able to carry out these services as well as exposing sensitive personal information.

Figure 1: InterLock Ransomware group share data from West Lothian Council 

Data Breaches 

A data breach can occur in many ways but ultimately is when sensitive or protected data is made publicly available when it should not be. Councils can fall victim to this either through bad security practices or because they are the victim of a hacking attack.

Recently the Oxford City Council reported that attackers had been able to access PII data through a breach of some of their legacy systems. The information targeted largely related to individuals who had worked on local elections, including ballot counters and poll station workers.

Distributed Denial of Service (DDoS) Attacks 

A Denial-of-Service attack is when a website or service is overloaded, making it unavailable. This can take down council websites, where many local residents access services and obtain support. Recently, hacktivist groups associated with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have been known to conduct these DDoS attacks. In some cases, they have successfully targeted council websites.

Figure 2: Proof of DDOS against London Borough of Harrow from Palestinian affiliated hacktivist group 

Real World Incident:  

  • Perpetrator: Hacktivist group NoName057(16). 
  • Targets: Multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council. 
  • Impact: Temporary website outages and service disruptions; attacks were politically motivated in response to the UK’s support for Ukraine.

Misconfigured Systems and Insider Threats 

Misconfiguration of systems can lead to public access to sensitive data due to poor configuration of databases or file-sharing platforms. When systems are not configured properly, it may be possible for individuals who should not have access to this data to reach it. Similarly, an insider threat is where unintentional staff errors or malicious actors (disgruntled employees) can leak or share sensitive information or accesses.

Supply Chain Attacks 

A supply chain attack is when an organization is targeted because of their position in the supply chain to another organization. This is usually because the targeted organization has less security and is an easier target – but can lead to information and data from other organizations in the chain being exposed.  

Real World Incident:  

  • Incident: Cyberattack on Locata, a housing service provider. 
  • Impact: Disruption of housing services for Manchester, Salford, and Bolton councils; users received phishing emails attempting to harvest personal information.

Phishing & Spear Phishing 

Phishing attacks are when emails or other communications are sent to an individual in order to gain information. They can either “trick” individuals into sharing information they shouldn’t, usually by posing as someone in the organization, or contain malicious links which people inadvertently click on, allowing hackers to gain access to networks.

Council members and staff are often targeted in these types of attacks. In February 2025 Hammersmith and Fulham Council reported that they face around 20,000 attempted cyber-attacks a day, and that the majority of these consist of phishing attempts. 

Local authorities have become a popular target for cyber criminals in recent years, thanks to the large amount of valuable personal data they hold, often-outdated IT systems, and comparatively poor cybersecurity budgets. Councils need to take more proactive measures to combat the increasing threat. Some of the actions that can be taken: 

  • Adopting advanced threat detection systems and regular security assessments. 
  • Conducting cybersecurity awareness programs for staff to prevent phishing and other social engineering attacks. 
  • Developing and regularly updating incident response plans to swiftly address breaches. 
  • Working closely with national bodies to share intelligence and best practices. The NCSC is the point of contact for cyber incidents in the UK. 


Q2 2025: Product Updates and Highlights

July 17, 2025

Welcome to our Q2 roundup! This quarter, the DarkOwl Product Team doubled down on customer feedback, delivering powerful enhancements across Vision UI and API. From streamlined workflows to smarter site identification, here’s what’s new.

Case Findings: Faster, Smarter, More Visual 

We’ve reimagined how users create and manage Findings in Vision UI:

  • Inline Annotation Workflow: Now you can label, snippet, and note your Findings directly from the Search Result or Alert—all without leaving your spot. 
  • Summary View: A new visual dashboard gives you a quick snapshot of your Case’s Findings activity and attributes. 
  • Customer-Driven Enhancements: 
    • Hyperlinks on the Case landing page for faster navigation 
    • Improved data handling when converting Alerts to Findings 

Site Names and Aliases: Identification at a Glance

We’ve made it easier to identify and filter to website sources across our platform. 

  • Enhanced Display: Site names now appear directly on Search Results and Alerts in Vision UI. 
  • Lexicon Boost: Known aliases are now searchable, improving discoverability. 
  • New API Features: Provide contextual information and targeted filtering options. 

In Search API, a new siteId response field is returned with the response for identified websites in the DarkOwl Vision dataset. The siteId query parameter is a new option in Search API to filter to a particular site of interest, without having to know specific source domains or mirrors.   

Additionally, to provide greater feature compatibility between Vision UI and API, we have launched two new endpoints within Context API: Site Context API and Site Summary API. Site Context provides supplemental information about named websites (sites) that have been identified in our dataset, and Site Summary provides programmatic access to the Vision UI Lexicon features.  


Universal Phone Number Builder 

To better support our entire client base, the team removed the US-specific Phone Number builder in favor of a Universal Phone Number Query Builder. This new template allows you to enter in all the sections of a phone number – country code, area code, and local number – and then automatically structures the query for you.  

Report Downloads in Word 

Entity Explore and DARKINT Score Reports in Vision UI can now be downloaded in either PDF or Microsoft Word formats. With Word format, customers can then use the text with their own logos, branding, or other enrichment! 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products.  

The team had astounding growth of 38% in data leak records. To break it down, the team had 16% growth in email addresses, 7% growth in credit card numbers, 12% increase in total collected ZeroNet documents, 3% growth in cryptocurrency addresses, 23% growth in total collected paste documents, and another 14% growth in total collected records from Telegram – just to highlight a few.  

When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or Leak Context API endpoint. 

Orange.com and Orange.ro

Data purported to be from Orange was posted on BreachForums, a hacking forum, on February 25, 2025. According to the post, Orange experienced a significant data breach following their refusal to pay a ransom demanded by the threat actor, Rey. Data exposed includes customer records, source codes, internal documents, invoices, contracts, project details, tickets, user data, employee data, messages, credit card information, personally identifiable information (PII), and call logs.

The breach, primarily affecting Orange Romania but also impacting global divisions, resulted in the exposure of over 600,000 customer records, including 380,000 unique email addresses. Additionally, sensitive data such as source code, internal documents, financial records, project details, employee information, and confidential project plans were compromised.

According to media reports, the threat actor, who is a member of the HellCat ransomware group, claimed to have exfiltrated approximately 6.5GB of data, consisting of nearly 12,000 files, by exploiting stolen credentials and vulnerabilities within Orange’s Jira and internal portals.

4chan

Data purported to be from 4chan was posted on Chicken Tikka Masala in /pol/ AnarchyLost edition, a Telegram Channel, on April 14, 2025. Data exposed includes email addresses, IP addresses, usernames, ident protocols, IRC chat messages and message board posts. Additionally, source code for the 4chan board was released. Review of the content indicates the leak contains private conversations of the janitors and moderators on the 4chan IRC channel and /j/ 4chan message board. According to media reports, the hack is suspected to have been carried out by individuals associated with the “Soyjak.party” community, who allegedly exploited vulnerabilities in outdated PHP code to gain access.

LockBit Hack

On May 7, 2025, an unknown hacker defaced LockBit ransomware group’s data leak site with the message “Don’t do crime CRIME IS BAD xoxo from Prague” which linked to a file hosted on the LockBit domain. Data exposed is a MySQL database dump of LockBit’s affiliate data containing bitcoin addresses, internal chats, build configurations and a users table. According to cybersecurity researchers, the SQL database is from the site’s affiliate panel and contains data timestamped from December 2024 through April 2025. The data includes 59,975 unique bitcoin addresses, a builds table with public keys and victim names, build configurations and 4,442 negotiation messages from their chats. Additionally, 75 admin credentials were exposed, with some plain text password exposure for the affiliate panel. LockBit claimed a hacker bypassed the authentication process for their automatic registration portal. The ransomware group asserted that while the database was compromised, no decryption tools or sensitive victim companies’ data were accessed. LockBit also offered a reward for information leading to the identification of the hacker responsible for the breach.

interpol.int

Data purported to be from INTERPOL was posted on DarkForums, a hacking forum, on May 2, 2025. According to the post, the threat actor converted the original SQL file into JSON format, to make the content easier to read. Data exposed includes email addresses, names, physical addresses, phone numbers, and IP addresses. The dataset includes references to hash types such as MD5 and SHA512, suggesting the potential presence of password hashes. However, at this time, it cannot be confirmed whether these values represent actual passwords, nor whether they are definitively linked to the associated email addresses or usernames.

Russian Medical Center 1.1M

Data purported to be from Russian Center of Aviation Medicine (TsAM) was posted on DarkForums, a hacking forum, on May 9, 2025. According to the post, the data was breached on April 4, 2025 and contains 1.1 million person records on aviation-related health screenings, pilot certification, and aerospace medical research. Data exposed includes medical records, names, dates of birth, genders, ethnicity, national ID numbers, passport numbers, tax identification numbers, physical addresses, email addresses, phone numbers, user identification number (UID), patient data, occupation, and cause of death. SNILS (СНИЛС in Cyrillic) stands for Individual Insurance Account Number in Russia. It’s a unique number issued and used by the Pension Fund of the Russian Federation to track residents’ social security accounts. The SNILS number consists of 9 unique digits that identify the individual, followed by 2 final digits that act as a checksum for validation.



What is Data Harvesting?

July 08, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by cybersecurity professionals and threat actors alike that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, and doxing. In this edition, we dive into data harvesting.

Data harvesting refers to the automated collection of data from digital sources, such as websites, apps, APIs, databases, or public records, with the goal of drawing inferences. It’s often accomplished using tools like web scrapers, crawlers, or specialized software. There are legitimate reasons for data harvesting as well as nefarious purposes. We will dive into both.

The What and How

Data harvested without consent is sourced from data breaches, phishing scams or malware, and includes personal information, login credentials, credit card numbers, location data, social data (such as likes, posts and connections), behavioral data (such as browsing history and habits), and medical records.

Data harvesting is carried out through various methods, each with different levels of transparency and legality. One of the most common tools is cookies and trackers, which are embedded in websites to monitor user behavior, such as browsing patterns, clicks, and time spent on pages. APIs and scrapers are also widely used to systematically extract data from online platforms, often automating the collection of vast amounts of information in a short time. Apps and connected devices can harvest data through user-granted permissions—or sometimes through hidden scripts—gathering information like contacts, location, and device usage. More maliciously, phishing campaigns and malware can deceive users into giving up sensitive information or infect their systems to extract data covertly, posing significant security and privacy risks.

  • Marketing and Advertising: Businesses use it to understand consumer behavior, market trends, competitor pricing, and product performance. Companies use this harvested data to build detailed consumer profiles and deliver targeted ads. By understanding your interests, habits, and demographics, advertisers can increase the chances of clicks and sales.
  • Lead Generation: Collecting contact information for sales and marketing outreach.
  • Research: Academics and researchers use it to gather data for studies in various fields, such as social science, economics, and healthcare. AI Training is another upcoming field – large datasets are fed into AI models for training. This includes data scraped from the web (like text, images, or behavior patterns) to build chatbots, recommendation engines, and facial recognition systems.
  • Content Aggregation: Collecting content from multiple sources to create news aggregators or comparison websites.
  • Improving User Experience: Understanding user preferences and behavior to enhance websites and applications. Organizations analyze the data to uncover trends, improve services, forecast demand, or enhance customer experience. For example, a retailer might use browsing and purchase data to optimize inventory or personalize recommendations.
  • Data Brokerage: Data brokers collect and aggregate data from many sources, then sell it to third parties—like marketers, insurers, employers, or political campaigns.
  • Identity Theft and Fraud: Harvesting personal information (names, addresses, email, payment details) to commit identity theft or fraudulent activities.
  • Spam: Collecting email addresses for mass unsolicited emails.
  • Intellectual Property Theft: Scraping proprietary content, product designs, or strategic plans from competitors.
  • Data Breaches: If harvested data is not adequately secured, it can be vulnerable to breaches, exposing sensitive information.

Harvested data is often sold on darknet marketplaces. Once the data is harvested, the “harvesters” will often dump it on the darknet and offer it for sale across different marketplaces, usually for financial gain. Collected data could be used for blackmail, doxing or stalking. Political extremists or activist groups may use collected data for targeted attacks and campaigns.

To the left we see an example of a combolist (a list of email addresses and password combinations that may be used in a brute force attempt or credential stuffing operations to gain unauthorized access to servers and services) that was leaked and posted on a darknet site. Databases from data harvesting will often include usernames and passwords, fullz (full identity profiles), financial records or health records. These are all often highly confidential or sensitive and can cause a lot of harm and headache when posted without consent.

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web, and is accessible only via special tools and software, specifically browsers and other protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites. Because of the anonymous nature of the darknet, data harvesters are able to go undetected, monetize data without revealing their identity and collaborate with others on the darknet.

The darknet site, Doxbin, facilitates doxing by allowing users to upload text-based content related to individuals. The site claims to restrict content that is spam, child sexual abuse material (CSAM), or violates the hosting country’s jurisdictional laws. However, in practice, there is minimal moderation, and information is often shared with the intent to target individuals.

The exposure of PII on Doxbin can lead to severe consequences for victims, including harassment, identity theft, and threats to personal safety. Victims may also be subjected to harassment through prank calls, spam emails, and cyberbullying on social media.

DarkOwl data harvesting involves collecting information from the darknet, deep web, and high-risk surface web to provide intelligence to its customers. This data is used to identify threat actors, monitor cyber breaches, analyze darknet trends, and more. DarkOwl’s data collection process includes automated AI and manual analysis, with the goal of delivering high-quality, relevant, and timely intelligence.

What DarkOwl Collects

  • Darknet Data: The darknet is a layer of the Internet that cannot be accessed by traditional browsers and often requires specialized technology (proxies) – as well as a certain level of technical sophistication – to access. While the darknet is comprised of various darknets, Tor (or The Onion Router) is by far the most common. In addition to Tor, DarkOwl also scrapes content from peer-to-peer networks like I2P and Zeronet.
  • Deep Web Data: The deep web is technically part of the surface web and can be best described as any surface web content that is not indexed or searchable via traditional search engines. This includes surface web paste sites and websites that we discovered via authenticated means, e.g. surface-level websites that require user registration and/or a login to access meaningful information from the site. DarkOwl has hundreds of ‘deep web’ sites including marketplaces and forums, from which a mixture of authenticated and manual crawlers obtain information.
  • High-Risk Surface Web: Surface web content consists of anything on the “regular” internet that is public facing with a surface web top-level domain (TLD) and could be organically crawled/scraped by Google. This includes the landing pages and/or preview content for forums that DarkOwl also has curated deep web access to (i.e., registrations and authentication).
  • Chat Platforms: Chat platforms are any website (be it on the deep web or darknet), app, or service whose primary purpose is instant messaging. This includes message exchanges between individual users or groups of users who interact in topic-based channels and groups. Some chats are collected from Tor services that are enabled with real-time anonymous chat features, others from specialized instant messaging or proprietary protocols like IRC and Telegram.
  • Breach Content: Data breaches are aggregate data files of information obtained without the owners’ consent. This can consist of commercial data leaks by threat actors (TAs) either after discovery of a non-secured database or misconfigured server, or by a targeted malicious cybersecurity incident (direct breach). Such leaks include internal sensitive email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Data breaches are often sold for profit on the darknet, although they are sometimes posted and leveraged by criminal actors for means other than financial gain or in the fallout of cyber warfare between nation-state sponsored cyber powers and hacktivists.
  • Other Sources: DarkOwl also has limited documents in its Vision database collected from misconfigured FTP and alternative DNS servers, as well as open public S3 buckets. Collection from these sources is less real-time and intentional than the other data sources described above.

How DarkOwl Collects Data

  • Automated AI: Automated tools and AI-powered engines collect and process data in near real-time.
  • Manual Analysis: Human analysts augment automated collection, ensuring the quality and relevance of the data.  

How DarkOwl Processes and Structures Data

  • Unstructured Data: DarkOwl collects data in its original, raw-text format. 
  • Data Cleaning and Storage: Collected data is processed, cleaned, and stored in a secure environment. 
  • Entity Extraction: DarkOwl identifies and extracts entities like email addresses, Social Security numbers, and cryptocurrencies. 
  • Metadata and Context: Included metadata and source content provide context and allow users to quickly identify important data. 

Why DarkOwl’s Data is Valuable:

  • Threat Intelligence: DarkOwl’s data can help organizations identify and understand emerging threats, including cyber breaches, ransomware attacks, and fraud. 
  • OSINT Investigations: Darknet data is a vital part of OSINT (open-source intelligence) investigations to gather insights into specific individuals or groups, including their usernames, aliases, and online activity. 
  • Digital Risk Assessment: DarkOwl’s data can help organizations assess their digital risk posture and identify vulnerabilities by seeing what information concerning them is available on the darknet.

  1. Use privacy browsers and ad blockers
  2. Regularly clear cookies and cache
  3. Limit app permissions
  4. Use strong, unique passwords and do not repeat password use
  5. Use a password manager
  6. Enable two-factor authentication
  7. Be cautious of phishing attempts


Threat Intelligence RoundUp: June

July 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police arrests 20 suspects for distributing child sexual abuse content – Bleeping Computer

In a June 6 press release, INTERPOL announced the arrest of 20 suspects involved in the production and distribution of child sexual abuse material (CSAM). The international operation was led by the Spanish National Police, which initiated the investigation in late 2024 when it discovered several instant messaging groups dedicated to the circulation of CSAM. Seven of the identified suspects were arrested by Spanish authorities, 10 were arrested across seven Latin American countries, and “the remaining suspects were arrested elsewhere in Europe and the United States.” Read full article.

2. Police seizes Archetyp Market drug marketplace, arrests admin – Bleeping Computer

In a June 16 press release, Europol announced the disruption of the infamous darknet marketplace Archetyp Market in an international operation dubbed “Operation Deep Sentinel.” According to the statement, Germany, the Netherlands, Romania, Spain, and Sweden participated in a series of coordinated actions between June 11 and 13 “targeting the platform’s administrator, moderators, key vendors, and technical infrastructure.” The site’s suspected administrator—a 30-year-old German national—was also arrested in Barcelona. Article here.

Researchers have identified social engineering attacks carried out by the hacking group FIN6 (also known as Skeleton Spider) targeting recruiters by posing as job seekers. In 2019, the cybercrime group initially known for financial fraud expanded its operations to include ransomware attacks. Since then, the group has increasingly focused on social engineering campaigns. Its most recent campaigns have been used to deliver the JavaScript-based backdoor “more eggs,” which “facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.” Read more here.

Researchers at Google Threat Intelligence Group (GTIG) have observed a suspected Russian state-sponsored threat actor impersonating U.S. Department of State officials. From April through June 2025, the threat actor has targeted “prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs).” After setting up the ASPs, the victims were instructed to share the ASP passcodes, thereby providing the threat actors with access to their emails. Read here.

5. New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack – The Hacker News

Researchers at Cisco Talos have observed a newly identified data wiper malware dubbed “PathWiper” targeting a critical infrastructure entity in Ukraine. According to the report, “the attack was instrumented via a legitimate endpoint administration framework,” suggesting that the attackers had access to the administrative console “that was then used to issue malicious commands and deploy PathWiper across connected endpoints.” Based on the observed tactics, techniques, and procedures (TTPs), it is assessed with high confidence that the attack was carried out by a Russia-nexus advanced persistent threat (APT) actor. Learn more.

6. Hackers switch to targeting U.S. insurance companies – Bleeping Computer

Researchers at Google Threat Intelligence Group (GTIG) have warned of hackers targeting insurance companies based in the U.S. GTIG is aware of multiple breaches impacting American companies “which bear all the hallmarks of Scattered Spider activity.” As highlighted by BleepingComputer, Scattered Spider is known for its sector-by-sector focus; the recent targeting of insurance companies signals that “the insurance industry should be on high alert.” Prior to the recent insurance industry breaches, Scattered Spider was observed targeting retail organizations in both the U.K. and U.S. Read full article.

7. Iranian man pleads guilty in US to 2019 Baltimore ransomware attack – Reuters

An Iranian national pled guilty to participating in a ransomware attack using the Robinhood variant between 2019 and 2024. Sina Gholinejad, 37, was arrested in January 2025 at Raleigh-Durham International Airport. In a statement, the DOJ said that one of the attacks against Baltimore city “cost the city more than $19 million from damage to computer networks and disruptions to city services including the processing of property taxes, water bills, parking citations and other revenue-generating functions lasting many months.” Read full article.

8. BidenCash carding market domains seized in international operation – Bleeping Computer

On June 04, the U.S. Department of Justice (DOJ) announced the seizure of “approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace.” As highlighted by BleepingComputer, the domains were seized as part of an operation led by the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), with support from the Dutch National Police. The marketplace’s domain currently redirects to a U.S. law enforcement-controlled server. Learn more.



Iran and Israel Darknet Updates

Updated June 22

On June 22 DHS released a National Terrorism Advisory System Bulletin highlighting the possible threat to the United States as a result of the ongoing conflict in Iran and the US missile attacks on key nuclear sites in Iran.

The bulletin highlighted the following risk:

DarkOwl continues to monitor the dark web and particularly Telegram in order to see what the reaction has been from hacktivist groups.

Despite the warning from DHS, DarkOwl has not observed a large increase in claims of US victims from known hacktivist groups in the wake of the US missile strikes on Iran, although this could change.

Several of the pro-Iran/Muslim groups made posts commenting on the US airstrikes in Iran, although the reaction did not appear as strong as it had been to the Israeli attacks the week before. No posts in our collection were identified threatening the US directly, although, as shown below, there were some US victims. This appears to be different from how the groups reacted to previous military interventions.

Groups shared images of the tweets and messages on Truth Social made by President Trump to announce the military action. However, in this particular channel there did not appear to be any commentary on the announcement. Some of the posts were translated into Arabic.

The same channel also posted information relating to a response from Iran’s Atomic Energy organization. Again, these posts were made without commentary.

Some groups appeared to target US organizations with DDoS (Distributed Denial of Service) attacks in retaliation. Group 313 reported that it had taken down Truth Social. However, this was not corroborated; other reports indicated that the site was down due to users trying to access up-to-date information. The group also shared media reports about the downtime.

Another hacktivist group, Keymous+, shared a number of US targets which they claimed to have targeted via DDoS. It was unclear why those specific targets had been selected.

Another group, Mr. Hamza, claimed to be targeting the US Air Force. However, they did not show any evidence of the attacks or of whether they were successful.

The same actor shared a further post in which they claimed that they had targeted the FBI. As part of the post, they shared the hashtag #OP_USA, which would indicate they are conducting a targeted operation against US entities.

President Trump has now stated on social media that there will be a ceasefire between Iran and Israel; channels are sharing his messages on Truth Social. At the time of writing, none of the hacktivist groups appear to have reacted to the announcement. However, other channels which are predominantly used to share right-wing messages are declaring that Trump has ended the war.

Updated June 20

As tensions continue to mount between Iran and Israel, with both sides launching multiple missile attacks, groups on the darknet, specifically Telegram, continue to mount their own digital attacks against the opposing side.

Last week we covered the outbreak of the war between Iran and Israel; now we review how the conflict has developed online.

Telegram continues to be used by both sides as a means of sharing breaking news stories. This includes areas that have been targeted by both sides. One image recently shared shows an explosion in the Haifa region of Israel.

However, there have also been multiple reports of disinformation and fake videos being shared online, with reports of computer game videos and images from previous conflicts being shared and, in some cases, appearing to exaggerate the damage being inflicted.

Groups from both sides of the conflict have sought to target organizations and websites within their opposing country. The groups have shared information regarding their victims and the method of attack on their Telegram channels. The allegedly successful attacks are usually shared by other groups with the same outlook.  

The Iranian cryptocurrency exchange Nobitex was reportedly targeted by the pro-Israeli hacktivist group, Predatory Sparrow. Iran’s largest cryptocurrency exchange suffered a major hack on 18 June, with cyber security researchers reporting that $90 million was sent from Nobitex wallets to known hacker addresses. The group shared reports of the hack on their dedicated Telegram channel.

As is common with other hacktivist groups, those reporting attacks on organizations and websites have been using AI-generated images to publicize their posts on Telegram. Although these are clearly auto-generated, it does highlight how this technology could be used for other means.

As well as the DDoS attacks being promoted on Telegram, DarkOwl analysts have identified an increase in data leaks allegedly from both Israeli and Iranian organizations being shared on the dark web. These posts are being made available for free as well as being sold, and claim to contain PII relating to individuals associated with the organizations.

A number of the groups also appear to be coordinating and conducting attacks together as well as forming alliances. The majority of these alliances had previously been created in response to the October 7 attacks although new groups have emerged. 

As well as sharing information about their cyber attacks, some of the groups are also discussing information about the current events and the role that the US could take in the conflict. The opinion is split along country lines.  



Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

June 23, 2025

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market; it was the market. With over ~600,000 users and ~3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated ~$250–290 million in illicit goods, making it a titan among darknet marketplaces.

From June 11–13, 2025, Operation Deep Sentinel, led by Germany’s BKA and supported by Europol, Eurojust, Homeland Security Investigations (HSI) and law enforcement from five other countries, executed a coordinated takedown. Servers were seized in the Netherlands, digital assets frozen, and the suspected site administrator, a 30-year-old German, was arrested in Barcelona. In addition, authorities confiscated millions in cryptocurrency, luxury vehicles, phones, and drugs in sweeping raids.

A curious twist: law enforcement published an animated video at operation-deepsentinel.com, loosely depicting the takedown. Many speculate the video served less as documentation and more as a taunt to the dark web community. 

Confusion swirled on dark web forums when the site went offline under the guise of “maintenance,” a classic precursor to an exit scam. Then came an even stranger development.

Before any official press release, a post appeared on the dark web forum Dread, allegedly from Archetyp’s administrator. It claimed the site was down, the admin had been arrested, and he had already been released. Users were quick to point out the implausibility of the story, especially the idea that a darknet market admin could be arrested, released, and back on the dark web within 24 hours.

This raised an intriguing question…

Adding to the mystery, both the Dread post and the animated video referenced a “Deadpool,” a pool on when Archetyp would go down. Was this an inside joke among investigators? A psychological tactic to sow distrust?

Based on chatter in vendor “proof-of-life” posts, Abacus and Drughub are emerging as the likely successors to Archetyp. This is based on site mentions. Abacus, while notoriously difficult to access due to aggressive CAPTCHA and account requirements, is seeing a surge in mentions.

Only time will tell which market takes the title. 

Despite massive seizures of drugs, crypto, phones, and vehicles, the takedown is a setback, not a solution. Darknet operators are nimble and decentralized, already whispering across Telegram, Signal, and encrypted forums.

Still, for a brief moment, the shadows flickered.
And one of the internet’s most notorious drug markets is down.



DarkOwl Responds to Shifting Darknet Priorities for National Security Agencies (Memo from ISS Europe) 

June 18, 2025

For over a decade, ISS World has served as the primary nexus where cutting-edge cybersecurity technology meets real-world law enforcement needs. 

The conference bills itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering”—and it delivered. 

DarkOwl has attended ISS for the last 10 years. It has become an effective medium for reinforcing (and growing) Darknet intelligence inside government bodies. 

What sets ISS apart isn’t just the vendor floor. The first day is entirely dedicated to hands-on training and deep-dive technical sessions. These aren’t theoretical presentations—they’re practical workshops covering the techniques used in active investigations. 

Advanced Geolocation Techniques: New methods for pinpointing suspect locations when traditional GPS data isn’t available. 

Circumventing Masking Technologies: Practical approaches to dealing with VPNs, Tor, and other anonymization tools (on which suspects increasingly rely). 

Tracing Methodologies: Advanced techniques for following digital breadcrumbs across multiple platforms and jurisdictions. 

AI-Enhanced Investigations: How artificial intelligence is changing digital forensics and evidence analysis. 

The European conference brought together law enforcement agencies, government intelligence units, and commercial technology partners from across the continent and beyond. These connections prove invaluable as cases inevitably cross European borders, or require the specialized technical expertise of international bodies like EUROPOL.

The combination of vendor demonstrations, hands-on training, and peer networking creates an environment where you can evaluate new technologies alongside the investigators who’ll actually use them. 

✅ Geopolitical Realities 

Many representatives came from nations on the border of conflict zones. Unsurprisingly, there’s appetite for creative, proactive protection and detection technology to support time- and resource-drained agencies.  

 ✅ OSINT Emphasis

Both OSINT-native and OSINT-adjacent technologies were out in force this year. On the conference agenda, 16 sessions were devoted to the subject of OSINT, and 10 sessions were devoted to Darknet investigations alone.

 ✅ Organised Crime Challenges 

Anti-OCG teams worldwide were seeking strategic, not tactical, answers from SOCMINT and DARKINT resources. Their challenge is fighting an almost symmetric enemy, so the traditional profiling playbook is at best ineffective and at worst a waste of much-needed police resources.

✅ Crypto-Fuelled Destabilisation

There was strong representation from jurisdictions increasingly vulnerable to rapidly scaling crypto-fuelled crime in Central Asia. 

DarkOwl’s speaking session in Prague looked at Darknet discovery and criminal profiling using DarkOwl Vision.

With breach data and stealer logs the talk of the town in threat intelligence, DarkOwl emphasised the holistic value of following leads through both Dark Web fora and marketplaces, not just the contents of leaks themselves.  

For example, Lindsay (DarkOwl’s Regional Director) established the link between a Hacker Site’s Twitter account (previously breached) and their live underground administrator, complete with reputation score and real-life identity.  

Likewise, using the example of ‘Greavys’ – the pseudonym used by a crypto criminal responsible for stealing $250 million in Bitcoin last year – we unmasked a real name & physical address from an (easy) combination of Telegram UserID pivots and an age-old underground doxxing site. 

DarkOwl Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision is used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, crypto tracing and other illegal activity, making it the perfect tool for this audience.  



Money Laundering in the Digital Underworld: Crypto, Dark Web, and Modern Schemes

June 17, 2025

Money laundering is a major concern in cybersecurity and financial crime, involving methods to disguise illicit funds as legitimate. In the digital age, cryptocurrencies, dark web marketplaces, and decentralized finance have allowed money laundering tactics to evolve in complex ways. This blog explores traditional money laundering stages and how they’ve transformed on the dark web, the use of NFT art in laundering schemes, and how decentralized tools like mixers and privacy wallets facilitate modern laundering.

Money laundering is the process of concealing illegally obtained money so that it appears to come from a legitimate source. Money laundering consists of three sequential stages: 

  1. Placement: Introducing “dirty” money into the financial system. This might involve depositing cash into banks, or buying assets.
  2. Layering: Moving and converting funds through a series of transactions to obscure the money’s origin. Launderers create complex layers of transfers – between accounts, through shell companies, via wire transfers, or by converting into different assets.
  3. Integration: Reintroducing the cleansed money back into the economy as apparently legitimate funds. At this stage, the money may emerge as proceeds from a fake business, real estate investment, luxury asset sale, or other legitimate-seeming revenue.

The advent of digital currencies and the dark web has added new twists to each stage. Placement now often begins with cryptocurrency instead of cash, layering can involve blockchain transactions or token swaps, and integration might occur through crypto exchanges or NFT sales. 

Hidden online marketplaces accessible via Tor and similar networks have changed how criminals earn and launder money. Dark web marketplaces enable global trade in illicit goods (drugs, stolen data, malware, etc.) paid for with cryptocurrency. This means that criminals increasingly acquire illicit funds already in digital form, like Bitcoin, rather than cash. Money laundering strategies have adapted to take advantage of new digital platforms and applications. 

Vendors and buyers use encrypted communications, and payments are almost exclusively in cryptocurrency. This digital placement of funds is immediate – for example, a ransomware group or drug vendor receives Bitcoin directly as the proceeds of crime. The challenge for criminals is to cash out or further obscure those crypto funds without revealing their identity. In response, they leverage a variety of obfuscation tactics online. 

One key evolution is the use of conversion services and intermediaries. According to Chainalysis, after illicit crypto is obtained (from hacks, darknet sales, etc.), criminals send it through “conversion services” during the layering stage – swapping coins, using DeFi protocols, gambling sites, mixers, or cross-chain bridges.  

At the same time, cryptocurrency’s transparency can aid investigators. Public blockchains allow law enforcement and blockchain analytics companies to trace flows of illicit crypto. As noted in a 2024 Chainalysis report, investigators leverage blockchain transparency to uncover illicit activity that might go undetected in cash dealings. 

In recent years, criminals have shown interest in non-fungible tokens (NFTs) as a new avenue for money laundering. NFTs are unique blockchain tokens often linked to digital art or collectibles. This resembles money laundering in the traditional art world, where valuable art pieces can be bought with dirty money and later sold, making the sale look legitimate.

While NFT-based laundering is a smaller piece of the puzzle, it is visible. Blockchain analysis by Chainalysis found that the value sent to NFT marketplaces from illicit addresses jumped significantly in late 2021, reaching about $1.4 million in Q4 2021.

Criminals are indeed experimenting with NFTs, trading them between wallets they control (wash trading) or buying high-value NFTs with tainted crypto, as they aim to obscure origins.

To further muddy the waters of blockchain tracing, criminals turn to cryptocurrency mixers (also called tumblers) and other tools. Mixers are services that pool together cryptocurrency from many users and then pay it out to new random addresses, thus breaking any link between the incoming and outgoing funds. The result is that it becomes very difficult to prove which output coins are associated with which input, thereby obscuring the origin of the funds. Popular mixer implementations have included Tornado Cash (for Ethereum) and various Bitcoin tumbling services (like Blender.io, ChipMixer, Wasabi wallet’s CoinJoin feature, etc.).

Mixers play the role of layering in the crypto laundering process. Illicit actors use mixers as “safe havens” to launder criminal proceeds, including funds from hacks, fraud, ransomware, and darknet sales. For example, after a big cryptocurrency theft or ransomware payout, the criminals will often route the BTC or ETH through one or multiple mixer services. By the time the coins exit the mixer, the hope is that investigators cannot easily follow the money, since the trail “goes cold” at the mixer’s wallet. 

Tornado Cash deserves special mention because it was an Ethereum-based mixer that gained popularity for its use by cybercriminals. Tornado Cash allowed users to deposit tokens and withdraw to a fresh address with no link. By 2022, it had become a go-to laundering tool for groups like Lazarus Group (North Korea) to launder their ransomware proceeds. The U.S. Treasury’s OFAC sanctioned Tornado Cash in August 2022. In 2023, the U.S. Department of Justice went further by indicting two alleged Tornado Cash founders. The August 2023 indictment accused them of facilitating over $1 billion in money laundering transactions through Tornado, including hundreds of millions of dollars for the Lazarus Group.  

Money laundering has always been about staying one step ahead of investigators by exploiting gaps in the financial system. The dark web and cryptocurrencies introduced a new venue for launderers, where geography means little and anonymity is the default. We’ve seen how traditional stages of money laundering (placement, layering, integration) have counterparts in the crypto realm: from cash to crypto, to complex hops through mixers and tokens, then cashing out via exchanges or NFT sales. Tools like Bitcoin and Ethereum have public ledger trails, while coins like Monero offer near-total concealment but are harder to cash out. Decentralized mixers and wallets provide new ways to wash funds, even as authorities push back with sanctions and arrests. Meanwhile, novel schemes like NFT-based laundering show the creative lengths to which criminals will go.

