How many Wi-Fi networks has your smartphone, laptop, or IoT device connected to over its lifetime? If your device is more than a few months old, the number could be surprisingly high. By default, devices store the networks they have joined and automatically try to rejoin them, and many will send probe requests naming those networks even when no such access point is in range. In effect, the device broadcasts a list of the networks it is looking for. This "auto-join" behavior may inadvertently reveal your whereabouts, commonly visited locations, and likely your home. In the wake of the recent assassination of a major healthcare executive, executive protection and security teams need to stay technologically savvy about potential privacy leaks: any technology that can be used to discover an individual's location becomes a serious concern.
Among the documents leaked by Edward Snowden was a Canadian intelligence technique used by the Communications Security Establishment Canada (CSEC), reported publicly in 2014. The leaked CSEC documents confirm that tracking individuals via Wi-Fi and IP metadata is far from theoretical. Starting with a known "seed" access point (often at an airport or hotel), analysts identified devices connected to the hotspot and traced those devices forward and backward in time through other networks. This so-called "travel node" approach uses big-data analytics to build detailed movement profiles, revealing not only routine routes (such as daily commutes) but also one-off visits to coffee shops, internet cafés, or conference centers, demonstrating just how valuable Wi-Fi metadata is for pinpointing a person's location and habits.
Shielding yourself from nation-state intelligence operations may or may not be your primary privacy concern. However, tracking, fingerprinting, and identifying individuals from Wi-Fi metadata isn't limited to nation-state actors. Open-source tools like airodump-ng and airgraph-ng, and websites such as Wigle.net, can be used by far less sophisticated adversaries to locate persons of interest and learn their routine habits.
Before we dig in, let's look at how MAC addresses work and why they matter.
MAC Addressing
Every network interface ships with a manufacturer-assigned MAC address burned in at the factory. Depending on the device and operating system, the address actually transmitted over the air may be that permanent one, a fully random one, a random one generated once per network and then kept, or one that is regenerated periodically. Recent versions of iOS and Android randomize the MAC per network by default, but many laptops, older phones, and IoT devices still transmit their factory address, which makes them much easier to identify and follow electronically.
A MAC address is typically written as six hexadecimal octets, for example 44:38:39:FF:EF:57. The first three octets (44:38:39) are the Organizationally Unique Identifier (OUI) that the IEEE assigns to the device vendor; in this example, Cumulus Networks, Inc. Several MAC lookup websites can resolve an OUI to a vendor name. Two bits in the first octet are also worth knowing: the lowest bit distinguishes a multicast (group) address from an individual one, and the next bit marks the address as locally administered rather than factory-assigned. Randomized MACs set that locally administered bit, so their first octet ends in 2, 6, A, or E and an OUI lookup on them is meaningless; an address without that bit is a strong hint that the device is transmitting its permanent, vendor-assigned identifier.
This matters because the MAC address is sent in the clear in every frame. Anyone within radio range can capture it without connecting to your network, and probe requests in particular are never encrypted, regardless of the security settings on the access point.
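As an added example (not code from the original post), the following Python script performs the checks described above on captured addresses: it normalizes a MAC, reads the multicast and locally administered bits of the first octet, and resolves the OUI against a small table. The table is a constructed excerpt: the 44:38:39 entry is the Cumulus Networks prefix quoted above, the others are well-known public registrations, and a real deployment would load the full IEEE OUI list instead.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the IEEE OUI registry. 44:38:39 is the Cumulus
# Networks prefix used in the post; the rest are well-known assignments
# included for illustration. Replace with the full IEEE download in practice.
OUI_TABLE = {
    "44:38:39": "Cumulus Networks, Inc.",
    "00:50:56": "VMware, Inc.",
    "B8:27:EB": "Raspberry Pi Foundation",
}


@dataclass(frozen=True)
class MacInfo:
    mac: str                      # normalized as AA:BB:CC:DD:EE:FF
    oui: str                      # first three octets
    vendor: Optional[str]         # vendor name when the OUI is known
    locally_administered: bool    # U/L bit set: software-assigned or randomized
    multicast: bool               # I/G bit set: group address, not one station


def normalize_mac(raw: str) -> str:
    """Accept 44:38:39:ff:ef:57, 44-38-39-FF-EF-57 or 4438.39ff.ef57 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def classify_mac(raw: str) -> MacInfo:
    """Read the two flag bits of the first octet and resolve the OUI.

    Bit 0 (0x01) of the first octet is the I/G bit: 1 means multicast.
    Bit 1 (0x02) is the U/L bit: 1 means locally administered. iOS and
    Android randomized addresses set this bit, so their first three octets
    are not a vendor prefix and the table lookup is skipped for them.
    """
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    multicast = bool(first_octet & 0x01)
    locally_administered = bool(first_octet & 0x02)
    oui = mac[:8]
    vendor = None if locally_administered else OUI_TABLE.get(oui)
    return MacInfo(mac, oui, vendor, locally_administered, multicast)


def describe(raw: str) -> str:
    """One-line summary of what a captured address gives away."""
    info = classify_mac(raw)
    if info.multicast:
        return f"{info.mac}: multicast/group address, not a client device"
    if info.locally_administered:
        return f"{info.mac}: locally administered (likely randomized), OUI lookup not meaningful"
    vendor = info.vendor or "unknown vendor"
    return f"{info.mac}: factory-assigned, OUI {info.oui} = {vendor}"


if __name__ == "__main__":
    # The second and third addresses are invented for the example.
    for sample in ("44:38:39:ff:ef:57", "DA:A1:19:12:34:56", "01:00:5e:00:00:fb"):
        print(describe(sample))
```

The U/L check is the first filter to apply to a capture: addresses with that bit set cannot be tied to a vendor and usually cannot be tied to the same device across sessions, whereas a factory address with a resolvable OUI is both a vendor fingerprint and a stable identifier.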
Below is a screenshot showing an example MAC address and its vendor details obtained by searching the OUI on an online lookup tool.
You can already see how devices that constantly broadcast their presence might leak sensitive information, but let’s take this a step further.
Tools like airodump-ng let even unsophisticated actors passively sniff Wi-Fi devices, whether or not they are connected to a network. Once an actor collects data from an area of interest, it can be visualized with a companion tool, airgraph-ng. Both tools are free and come pre-installed in Kali Linux, a popular distribution among cybersecurity professionals, hobbyists, and bad actors alike.
airodump-ng & airgraph-ng
Since this blog isn't a tutorial on airodump-ng, let's focus on the user-friendly graphs that airgraph-ng produces and how they fit into the broader conversation on device fingerprinting and identifying a person's routine habits. For context, all of the data we'll discuss was collected with airodump-ng and visualized with airgraph-ng.
The image below shows several key details about access points and the clients connected to them. Each of the two green circles represents a Wi-Fi access point, labelled with its encryption type, the number of connected devices, its MAC address (BSSID), the OUI, and the ESSID (the Wi-Fi network name). For each access point, you can see which clients are connected, along with other details about those devices.
It's also possible to monitor the access points that clients are attempting to join. As mentioned earlier, Wi-Fi devices periodically send probe requests naming the networks they'd like to connect to. The image below illustrates this: a cluster of devices probing for networks stored in their settings as "auto-join." For privacy reasons, non-public access points have been redacted from the image.
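The probing behavior described above is what airodump-ng records in the "Probed ESSIDs" column of its CSV output (the file written alongside the -w prefix). As an added example, not code from the original post or from the aircrack-ng project, the Python script below parses that station section from a constructed capture, flags stations transmitting a randomized (locally administered) address, inverts the data into an ESSID-to-stations map like the one airgraph-ng draws, and lists the unique probed network names that could then be searched on Wigle.net. The sample capture, and every MAC address and ESSID in it, is made up for this example.

```python
import csv
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout airodump-ng uses for its CSV output:
# an access-point section, a blank line, then the station section whose
# trailing columns are the ESSIDs each station has probed for. Every
# address and network name here is invented for this example.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:11:22:33:44:55, 2025-02-01 10:00:00, 2025-02-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,       120,        0,   0.  0.  0.  0,   8, CampusAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
44:38:39:FF:EF:57, 2025-02-01 10:01:00, 2025-02-01 10:04:00, -60,       15, AA:11:22:33:44:55, CampusAP
DA:A1:19:12:34:56, 2025-02-01 10:02:00, 2025-02-01 10:04:30, -70,        9, (not associated) ,HomeNet,OfficeWiFi
00:1A:2B:3C:4D:5E, 2025-02-01 10:02:10, 2025-02-01 10:04:40, -65,       12, (not associated) ,HomeNet
"""


@dataclass
class Station:
    mac: str
    randomized: bool                 # locally administered bit set in first octet
    associated_bssid: Optional[str]  # None when airodump reports "(not associated)"
    probed: List[str] = field(default_factory=list)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02) of the first octet; set on randomized addresses."""
    return bool(int(mac[:2], 16) & 0x02)


def parse_stations(text: str) -> List[Station]:
    """Return one Station per row of the airodump-ng station section."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("Station MAC"))
    except StopIteration:
        raise ValueError("no 'Station MAC' section in input")
    stations: List[Station] = []
    for row in csv.reader(lines[start + 1:], skipinitialspace=True):
        if len(row) < 6 or not row[0].strip():
            continue  # blank line or truncated row
        mac = row[0].strip().upper()
        bssid = row[5].strip()
        stations.append(Station(
            mac=mac,
            randomized=is_locally_administered(mac),
            associated_bssid=None if bssid.startswith("(not associated)") else bssid.upper(),
            # Remaining columns are the probed ESSIDs; they are empty for a
            # station that has not asked for any stored network.
            probed=[p.strip() for p in row[6:] if p.strip()],
        ))
    return stations


def essid_to_stations(stations: List[Station]) -> Dict[str, List[str]]:
    """Invert the data: which stations have asked for each network name."""
    graph: Dict[str, List[str]] = {}
    for s in stations:
        for essid in s.probed:
            graph.setdefault(essid, []).append(s.mac)
    return graph


def lookup_candidates(stations: List[Station]) -> List[str]:
    """Unique probed ESSIDs, sorted, ready to search on a wardriving database."""
    return sorted({essid for s in stations for essid in s.probed})


if __name__ == "__main__":
    stations = parse_stations(SAMPLE_CSV)
    for s in stations:
        kind = "randomized" if s.randomized else "factory"
        state = s.associated_bssid or "not associated"
        print(f"{s.mac} [{kind}] {state}: probes {', '.join(s.probed) or '-'}")
    for essid, macs in essid_to_stations(stations).items():
        print(f"{essid!r} probed by {len(macs)} station(s)")
    print("Names to look up:", lookup_candidates(stations))
```

Two points worth noting when using this against a real capture. Stations marked randomized may still leak stored network names, since randomizing the address does not change which ESSIDs the device asks for; the names are the tracking signal even when the MAC is not. And airodump-ng separates probed names with commas, so a network name that itself contains a comma will appear here as two entries; if that matters, parse the tool's netxml output instead.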
[Wigle.net]
In the center panel, you can see multiple matches for our query, all placing this access point on The University of Texas at Austin's downtown campus. Although we chose a public network for our research, you can imagine the privacy implications if the same lookup were run on the private ESSIDs a device probes for, building a fingerprint of someone's home, workplace, and daily routine across multiple access points.
Summary
In this blog, we explored how Wi-Fi metadata can reveal a person's commonly visited locations, starting with the significance of MAC addresses. A factory-assigned MAC address identifies the device vendor through its Organizationally Unique Identifier (OUI), and any address that stays the same from one capture to the next lets the same device be recognized again. Because MAC addresses are transmitted in the clear, anyone in range of a Wi-Fi access point can capture them without joining the network.
Next, we introduced airodump-ng, which captures Wi-Fi metadata, and airgraph-ng, which visualizes the relationships between access points and clients. Although these tools are commonly used by cybersecurity professionals, less sophisticated actors can use them just as easily to gather detailed information about nearby networks and devices. Notably, devices often probe for networks they want to join, including non-public or previously connected ones, which underscores the privacy risk of Wi-Fi metadata.
We then demonstrated how Wigle.net can take these broadcasted ESSIDs (Wi-Fi names) and provide a geographic location of the associated access points. Our example focused on a public network at the University of Texas at Austin’s downtown campus, illustrating how even publicly visible data can reveal specific locations. The implications grow more serious if similar methods are used against private networks to build a profile of someone’s daily movements or routine.
By being aware of how simple it is to collect and analyze Wi-Fi metadata, individuals and organizations can take proactive steps to safeguard their privacy and minimize the risk of being tracked. Ultimately, these insights emphasize the importance of cyber hygiene—a blend of technological practices (like MAC address randomization and cautious network selection) and informed awareness (knowing what data is visible and how it can be used)—to protect both personal and professional security.
Check our blog on Executive Protection and the Dark Web.
Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.
In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, and brute force attacks. In this edition, we dive into Zero-Day exploits.
Zero-Day Vulnerabilities
Zero-day vulnerabilities are software flaws that are unknown to the vendor and the wider IT community, and for which no fix therefore exists. That makes them highly valuable to criminals and nation states: whoever holds a working exploit can infiltrate networks, steal data, or cause disruption with no patch standing in the way. Until the flaw is discovered and remediated, defenders can rely only on generic mitigations and detection rather than a fix.
Last November, Microsoft's Patch Tuesday release addressed 89 security flaws, among them four newly disclosed zero-days, two of which attackers were already exploiting in the wild. One of those, CVE-2024-43451, lets an attacker obtain a user's NTLMv2 hash with very little user interaction: a single click, a right-click, or simply inspecting a malicious file in Windows Explorer is enough to trigger the disclosure. Microsoft notes the captured hash could be used to authenticate as that user; it is the password hash, not the password itself, that is exposed.
That Patch Tuesday is an example of how frequent and severe zero-days are today. Many go unnoticed for months or years before they are patched, leaving attackers ample time to exploit holes in networks, gather sensitive data, and carry out cybercrime. Far from a theoretical concern, zero-days have become a fundamental part of modern cyber conflict, underscoring the need for robust defense strategies, responsible disclosure policies, and a deeper understanding of how to limit exposure to them.
Prominent Zero-Day Attacks
The WannaCry ransomware attack of May 2017 shows the destructive potential of a powerful exploit falling into the wrong hands. It leveraged EternalBlue, an exploit for a Windows SMB vulnerability originally developed by the NSA. After the exploit leaked to the public, malicious actors bundled it into WannaCry, creating worm-like ransomware that spread from machine to machine without any user interaction. Within a single day it infected over 200,000 computers across more than 150 countries, disrupting operations at major organizations like FedEx and Honda and paralyzing parts of the UK's National Health Service. Luckily, a security researcher discovered a "kill switch" domain in the code that halted further spread once it was registered. Many victims running outdated or unpatched Windows systems had to decide whether to pay the ransom or accept a major loss of data and revenue. One caveat: Microsoft had patched the underlying vulnerability (MS17-010) in March 2017, two months before the outbreak, so the exploit was a zero-day while the NSA held it, not by the time it was used at scale; WannaCry hit systems that were unpatched rather than undefendable. Its success nonetheless demonstrated how a stolen exploit can trigger a global cyber crisis.
The WannaCry case prompted cybersecurity professionals and Microsoft to criticize the US government for stockpiling and secretly cataloging dangerous zero-day exploits that the company could have patched earlier, had it been informed of the flaws.
In late September 2023, Apple issued emergency patches addressing three zero-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, and CVE-2023-41993) in iPhones and iPads. Researchers at Citizen Lab and Google’s Threat Analysis Group say these flaws could allow attackers to bypass signature validation, elevate privileges, and achieve remote code execution. Citizen Lab’s research linked these zero-days to an exploit chain used by Cytrox’s Predator spyware. The spyware was used against at least one high-profile target, a former Egyptian parliament member who had plans to run for president.
Stuxnet represents one of the most sophisticated real-world uses of zero-day vulnerabilities. Discovered in 2010, this worm targeted Iran's uranium enrichment facilities. It exploited multiple Windows zero-days to spread through the facility's networks, then targeted the Siemens industrial control systems driving the enrichment centrifuges. By manipulating centrifuge speeds while feeding normal readings back to operators, the malicious code physically damaged the centrifuges and caused repeated, unexplained failures in the Iranian program. Its complexity and reliance on unpatched vulnerabilities made it a groundbreaking cyberweapon, and its impact extended far beyond Iran: this watershed moment put a spotlight on what cyber weapons could do in both cold and hot conflicts.
Bug Bounty Programs and Zero-Day Brokers
In today's cyber-driven economy, a niche market has emerged around zero-day vulnerabilities. Recognizing the value of discovering previously unknown flaws, many organizations now offer financial incentives to researchers who report them responsibly, through "responsible disclosure" or "bug bounty" programs. The reward usually scales with the severity of the vulnerability. By inviting a global pool of skilled researchers to examine their websites and infrastructure, companies can identify and fix security gaps more quickly. This approach isn't limited to private enterprises; the U.S. government, including the Department of Defense and other federal agencies, has also adopted bug bounty programs to strengthen its defenses.
Zero-day brokers also pay substantial sums for undisclosed weaknesses, typically far exceeding a bug bounty. These brokers may be legitimate companies or underground networks of cybercriminals; either way, they have no interest in reporting the flaw to the vendor. Instead, they profit by selling unpatched vulnerabilities to well-funded entities, often government agencies, seeking to compromise targets undetected. To maintain secrecy, researchers who sell bugs sign strict non-disclosure agreements and agree not to alert anyone while the broker seeks the highest bidder. In some cases, brokers chain multiple zero-days into a single, powerful cyber weapon. This approach let the Israeli firm NSO Group dominate the mobile spyware market with Pegasus, which packaged a suite of zero-day exploits into spyware advanced enough to attract government customers throughout the world.
Industry Response and Defense
Mitigating zero-day attacks is challenging because, by definition, the gaps are unknown until someone uncovers them. Still, companies, organizations, and individual consumers can reduce their exposure. As a consumer, one of the most effective steps is to install software updates as soon as they're released: once a zero-day is identified and patched, it no longer poses the same threat, and keeping software current closes that window. Victims of WannaCry, for example, had nearly two months to apply Microsoft's MS17-010 patch for the vulnerability behind EternalBlue, which would have protected their systems from the attack.
Organizations also need to be proactive if they want to decrease the likelihood of zero-day exploits affecting their networks and infrastructure. Since it’s impossible to write code that’s entirely immune to hidden vulnerabilities, embracing robust security measures is essential. Regular participation in bug bounty programs, comprehensive penetration testing, thorough code reviews, and responsible disclosure practices can all lower the risk of being compromised by simpler cyber-attacks and code flaws.
Curious how DarkOwl can help your organization? Contact us!
The founder and CEO of Telegram, Pavel Durov, was arrested on August 24, 2024, at Paris-Le Bourget Airport. French authorities detained him as part of an investigation into Telegram's alleged insufficient moderation of illegal activity on its platform, including child exploitation and drug trafficking. Following his arrest, Durov was indicted on multiple charges on August 28, 2024. He was placed under judicial supervision, prohibited from leaving France, and required to post bail of €5 million. As of February 2025, Durov remains under judicial supervision in France, awaiting further legal proceedings, and must report to a police station twice a week. Should he be found guilty, the most serious charge, complicity in the administration of an online platform to enable organized crime and illicit transactions, carries a maximum penalty of 10 years' imprisonment and a €500,000 ($521,000) fine.
In response to their CEO's arrest, Telegram announced plans to enhance its moderation policies and expressed a willingness to cooperate more closely with law enforcement, while claiming to continue to prioritize users' privacy.
In this blog, we explore what changes Telegram have said they have made, what effect DarkOwl analysts are seeing in response to those changes, and what impact we expect to see in the future.
What have Telegram Said?
In September 2024 Telegram announced, via Durov's channel, that it would change its terms of service to deter criminals from using the messaging platform. Telegram would provide IP addresses and phone numbers to law enforcement and government agencies in response to valid legal requests.
Figure 1: Announcement on Durov’s TG channel regarding changes to terms of service
As well as agreeing to comply with valid legal requests for user information, Telegram announced changes to its global search feature to make certain channels and bots harder to find, saying that global search had previously made illicit channels too easy to discover.
Telegram had taken some action in the past. Despite positioning itself as a platform that values privacy and freedom of speech above all, it removed 78 ISIS channels after the Paris terrorist attacks in 2015, and it made concessions to be reinstated in Brazil after being banned there for failing to cooperate with government agencies. The 2024 changes, however, appear to have had more impact.
What Reaction have these Changes Had?
DarkOwl analysts immediately observed reactions to Durov's arrest, and further reactions followed the announced changes to the terms of service and the agreement to work with law enforcement.
Not only were users discussing the announcements, they were also appealing directly to the platform not to remove (ban) their channels, arguing that they were not breaking any of the terms and conditions.
Figure 3: Source: DarkOwl Vision
They were following the rules….
Figure 4: Source: DarkOwl Vision
However, Telegram was not clear about what type of content it considered illicit or in breach of its terms of service.
Some other users and groups decided to move away from Telegram to other platforms they believed were more secure or more accepting of their views.
Figure 5: Source: DarkOwl Vision
Figure 6: Source: DarkOwl Vision
Others stated that they would not leave the platform but would continue to operate on multiple other platforms as well, presumably so that the removal of any one channel would not stop them from spreading their message.
Figure 7: Source: DarkOwl Vision
Others prepared for the day they expected their account to be banned.
Figure 8: Source: Telegram
What Action is Telegram Taking?
DarkOwl analysts have observed that global search now returns fewer results for generic terms related to illicit activity, a change from how global search behaved previously. However, if you know which specific channel you are looking for, in most cases it still appears, though not always.
Figure 9: No results returned from global search
DarkOwl analysts have observed that a number of channels used to share illicit material have been removed by Telegram. The platform has given a variety of reasons for the removals, including the specific jurisdiction whose laws the channel broke.
Figure 10: Source: Telegram
Telegram has also removed channels and messages that it says infringed copyright, which indicates that it is not only removing illicit channels but also those breaking other types of law.
Figure 11: Source: Telegram
One area in which Telegram has always claimed to take action is terrorism, particularly the group ISIS. As mentioned above, since 2015 Telegram has claimed to remove content relating to the group. However, channels continue to "pop up."
Figure 12: Source: Telegram
Some Telegram users have taken the matter into their own hands, with groups like ISIS Watch reporting how many channels they have identified related to terrorist content and how many of them have been removed.
Figure 13: ISIS Watch Telegram Channel
Reviewing their posts from February 2023 and February 2025, it is clear that the number of channels banned from the platform has increased massively. Although it cannot be confirmed, this does appear to correlate with the new terms of service Telegram introduced in 2024. It is also possible, however, that the number of terrorism-related channels has grown just as much in the intervening time as Telegram's popularity has increased.
Figure 14: ISIS Watch post from February 2023
Figure 15: ISIS Watch post from February 2025
What is the Future?
While DarkOwl has observed channels being removed or banned by Telegram, and users talking about moving to other platforms, we have not observed any actual migration away from Telegram to date.
Telegram is unlike other messaging apps in that it operates more like a social media platform, allowing users to chat with strangers and share views across a wide audience. Many other messaging apps do not allow for this kind of activity, making them less attractive to Telegram users.
While Telegram does seem to be making a concerted effort to make illicit channels harder to find, users already inside these communities will likely be given invite links to new or existing groups. The company has only made it harder for outsiders to find this information.
And while channels are being removed, nothing stops users from creating new channels that share the same material, so the company has entered a game of whack-a-mole that is unlikely to end. It remains to be seen whether its willingness to work with law enforcement will deter criminal actors from using the platform; for those outside Western jurisdictions it is unlikely.
DarkOwl will continue to monitor this evolving situation.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of popularity in our newsletter, i.e. what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
In a February 11 press release, the U.K. government—along with the U.S. and Australia—announced the imposition of new sanctions targeting the Russian cyber entity “Zservers.” A day after the announcement of sanctions, Dutch Police dismantled Zservers/XHost and seized 127 associated servers. As noted in the U.K.’s press release, the Russia-based bulletproof hosting (BPH) services provider was a “key component of the Russian cybercrime supply chain” and was responsible for “facilitating crippling ransomware attacks globally.” Zservers notably provided “essential attack infrastructure” for the notorious LockBit ransomware gang. Read full article.
2. Russian military hackers deploy malicious Windows activators in Ukraine – Bleeping Computer
The Russian hacker group Sandworm (also known as “Seashell Blizzard”) has been observed targeting Windows users in Ukraine with malicious Windows activators. The cyber-espionage group—which has been linked to Military Unit 74455 of the GRU—has specifically deployed trojanized Microsoft Key Management Service (KMS) activators, fake Windows updates, and DarkCrystal RAT malware via a BACKORDER loader. It is believed that the attacks began in late 2023 and aim to “collect sensitive information from infected computers and send it to attacker-controlled servers.” Article here.
3. Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists – The Hacker News
Meta has confirmed that WhatsApp users have been targeted in a global spyware campaign. The campaign involved the use of spyware developed by the Israeli company Paragon Solutions, which has since received a cease and desist letter from Meta following the incident. Nearly 100 WhatsApp users were impacted by the campaign, most of whom were journalists or “other members of civil society.” As noted by The Guardian, WhatsApp shared that it had “’high confidence’ that the 90 users in question had been targeted and ‘possibly compromised.” Read more here.
4. Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign – The Hacker News
Researchers at the Japanese cybersecurity firm LAC have identified a new cyberespionage campaign dubbed “RevivalStone” targeting Japanese companies. The activity has been tied to the China-linked advanced persistent threat (APT) group Winnti (also known as APT41). The campaign took place in March 2024 and specifically targeted companies in the manufacturing, materials, and energy sectors. According to the researchers, the campaign uses an updated version of Winnti malware with new capabilities. Read here.
5. E.U. Sanctions Three GRU Officers For Cyberattacks Against Estonia – The Hacker News
On January 27, the Council of the European Union announced the sanctioning of three GRU officers for their role in cyberattacks against Estonia’s government in 2020. As noted in the Council’s press release, the three Russian nationals—Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov—gained “unauthorized access to classified information and sensitive data stored within several government ministries […] leading to the theft of thousands of confidential documents.” Learn more.
6. Spain arrests suspected hacker of US and Spanish military agencies – Bleeping Computer
Spain’s Guardia Civil and Policía Nacional have arrested “Natohub,” a notorious 18-year-old hacker in Alicante who allegedly conducted more than 40 cyberattacks against Spanish and international organizations, “including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.” According to the Policía Nacional’s official press release, the suspect utilized three different pseudonyms while targeting international government organizations and accessed databases containing personal information belonging to employees and clients, as well as internal documents. Read full article.
7. North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack – The Hacker News
The North Korean hacker group Kimsuky (also known as Velvet Chollima and Emerald Sleet) has been observed using a new tactic which involves tricking its targets into "running PowerShell as an administrator and then pasting and running code provided by the threat actor." As noted by the Microsoft Threat Intelligence team, the threat actor masquerades as a South Korean government official and attempts to build rapport with the victim before ultimately sending a spear phishing email. Read full article.
8. CISA and FBI: Ghost ransomware breached orgs in 70 countries – Bleeping Computer
On February 19, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Ghost (Cring) ransomware. Since 2021, threat actors utilizing Ghost ransomware have targeted organizations in more than 70 countries. Victims have included organizations in a variety of sectors, including critical infrastructure, education, and healthcare. Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
DarkOwl participated in ISS World Middle East & Africa in Dubai, UAE earlier this February. ISS World Middle East & Africa is a conference where cybersecurity technology providers exhibit to the global law enforcement and intelligence community. ISS describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.”
DarkOwl has attended ISS for the last 10 years as it is an effective medium to help reinforce and grow our international presence.
ISS World takes pride in focusing on education and training for the law enforcement, public safety, and government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Talks throughout the event cover topics ranging from geolocation, exploiting and circumventing masking technology, advanced techniques in tracing suspects, open-source tools, artificial intelligence, and more.
ISS conferences are held in various cities across the world every year like Dubai, Kuala Lumpur, Prague, Singapore, and more. ISS Dubai has consistently provided valuable opportunities to engage with law enforcement, government agencies, and commercial partners across the GCC and MENA regions.
Key Takeaways:
✅ Industry Presence: Noticeably smaller than other ISS events, but this conference is closed to the public, in part because of the strong representation from regional government agencies, usually affiliated with law enforcement and intelligence.
✅ Market Trends: We noted 12+ sessions devoted to OSINT and/or the darknet on the first day of the conference alone. OSINT vendors more generally had a strong presence, from Epieos and OSINT Industries to Cyabra and Cognyte.
✅ Strategic Partnerships: Productive discussions with potential OEM partners for whom darknet data has become essential for end-user investigators globally. Alongside existing data partners like TRG Solutions, Maltego, Innefu and IPS, there was strong interest from key regional system integrators and government AI innovators.
✅ Speaking Session Success: Our session drew a large audience that asked several questions. The crowd was nearly 50% Emirati, with representation from other regional agencies such as the Kingdom of Jordan.
Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection
In addition to networking and promoting DarkOwl at the booth, Lindsay Whyte gave a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next.
The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives.
DarkOwl Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience.
After 10 years of participating in ISS Dubai, DarkOwl will continue to attend since these events reinforce our position as the “go-to” darknet search & monitoring solution in the MENA region.
In 2024, threat actors continued to be extremely active. Major cyber-attacks occurred across multiple industries, and ransomware attacks increased year over year. These attacks had significant financial and reputational consequences for those targeted. Internationally, however, law enforcement continued to fight back, making several high-profile and important arrests.
In this blog we explore some of the more notable law enforcement operations and arrests of the year.
Operation CRONOS
Led by the UK's National Crime Agency (NCA), this international operation targeted the LockBit ransomware group. The operation dismantled key infrastructure and exposed the identity of the group's leader, Dmitry Yuryevich Khoroshev, undermining the gang's operations. The group's dark web leak site was taken offline for a period of time. In a technique new to law enforcement, the NCA "hijacked" the leak site and used it to publish updates on the actions taken under Operation CRONOS.
Figure 1: LockBit leak site taken by NCA
Rui-Siang Lin (aka “Pharoah”)
In May 2024, Rui-Siang Lin was arrested at JFK Airport for operating "Incognito Market," a dark web narcotics marketplace that facilitated over $100 million in illegal drug sales worldwide. The Taiwanese national went by the alias "Pharoah" on the site. According to the indictment, as "the leader of Incognito Market, Lin supervised all of its operations, including its employees, vendors, and customers, and had ultimate decision-making authority over every aspect of the multimillion-dollar operation."
In a strange twist to the story, it emerged that Lin had previously trained law enforcement officers in St. Lucia on cybercrime and cryptocurrency on the dark web, at an event organized by the Taiwanese embassy.
Snowflake Data Breach
In June 2024, at least 100 Snowflake customers were affected by a cyber-attack. Threat actors used previously exposed credentials to log in to the Snowflake accounts of those customers and exfiltrate their data, which was then advertised for sale on the dark web. High-profile victims included Ticketmaster, AT&T and Santander.
In November 2024, Canadian authorities arrested Alexander Connor Moucka at the behest of US law enforcement; he is accused of compromising multiple Snowflake customer accounts. The U.S. additionally charged John Binns in connection with these breaches, highlighting the international collaboration in combating cyber threats.
Figure 3: Ticketmaster data advertised on the DW
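The Snowflake intrusions described above relied on valid passwords with no second factor, which is a pattern a Snowflake administrator can hunt for directly in the account's own login telemetry. The query below is an added example, not part of the original post and not code from DarkOwl or Snowflake; it uses the documented `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view and the output of `SHOW USERS`, and it assumes the querying role has access to the ACCOUNT_USAGE share (ACCOUNTADMIN is used here as an assumption). The 30-day look-back window is also an assumption and should be widened to cover the period of concern.

```sql
-- Added example (not from the original post). Assumes the role running this
-- has access to SNOWFLAKE.ACCOUNT_USAGE; ACCOUNTADMIN is used as an assumption.
USE ROLE ACCOUNTADMIN;

-- 1) Successful password-only logins (no second factor) in the last 30 days,
--    grouped so that an unfamiliar source IP or client type stands out.
--    The 30-day window is an assumption; widen it for a historical review.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor,
    COUNT(*)             AS login_count,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY last_seen DESC;

-- 2) Users who are still allowed to authenticate with a password and have not
--    enrolled in Duo MFA. SHOW USERS cannot be filtered directly, so its result
--    set is re-read with RESULT_SCAN; the column names are quoted because
--    SHOW output columns are lower case.
SHOW USERS;
SELECT "name", "login_name", "disabled", "has_password", "ext_authn_duo", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "disabled" = 'false'
  AND "has_password" = 'true'
  AND "ext_authn_duo" = 'false'
ORDER BY "last_success_login" DESC NULLS LAST;
```

Note that LOGIN_HISTORY in ACCOUNT_USAGE lags live events by up to a couple of hours, so it is a review tool rather than a real-time alert source; a login from an IP range the organization does not own, especially one using a generic client type, is the lead worth pulling on. The second query is the remediation list: every account it returns should either be moved to MFA or SSO, or have its password authentication disabled.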
Tenzin Orgil
In May 2024, Tenzin Orgil was sentenced to 168 months in federal prison for participating in a drug trafficking enterprise that included the sale of methamphetamine and fentanyl on the dark web, as well as the manufacture of ecstasy and methamphetamine in clandestine laboratories. Orgil had operated on several dark web markets under multiple aliases, selling the drugs he produced in those laboratories. The Orange County resident pleaded guilty to the charges in 2023.
Mikhail Pavlovich Matveev
A prominent figure in the ransomware community, Mikhail Pavlovich Matveev was arrested in Russia for his involvement in cybercrimes against Russian entities. This arrest signaled a potential shift in Russia's stance toward domestic cybercriminals.
According to the FBI, Matveev is linked to several ransomware variants, including LockBit, Hive and Babuk. He had previously been charged by the US government with computer crimes in 2022 but remained in Russia.
He has allegedly conducted significant attacks against businesses in the United States and worldwide, including critical infrastructure. Matveev was identified as one of the alleged developers/administrators behind the Babuk ransomware variant. He has been charged with multiple LockBit attacks, including one against a police department in New Jersey, and with multiple Babuk attacks, including the attack against the Washington D.C. Metropolitan Police Department. In addition, Matveev faces Hive-related counts of conspiracy and intentional damage to a protected computer, including an attack against a New Jersey-based company.
Scattered Spider Group
Following high-profile attacks on companies such as Okta, MGM, and Caesars by the group known as Scattered Spider, authorities arrested several of its members.
The individuals, including Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan, faced charges related to wire fraud and identity theft. Officials said the suspects' illegal activity spanned from September 2021 to April 2023.
Scattered Spider is a loosely affiliated group of young individuals assessed to be based in the US and UK who have conducted multiple cyber and ransomware attacks. They are known for sophisticated phishing and for social engineering attacks on call centers and help desks to gain initial access, and they are affiliated with several ransomware groups. According to security researchers, "The group has been blamed for unusually aggressive cybercrime sprees, targeting major multinational companies as well as individual cryptocurrency investors."
Operation Endgame
Europol coordinated an extensive operation against botnets, leading to multiple arrests and the seizure of hundreds of servers. The crackdown targeted platforms that facilitate ransomware deployment, significantly disrupting the cybercrime ecosystem.
According to Europol, between 27 and 29 May 2024 Operation Endgame targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The agency focused on arresting high-value individuals, taking down infrastructure, and tracking and seizing cryptocurrency payments. The operation drew on input from several countries as well as private companies, highlighting the need for coordinated efforts against cyber activities that have no borders.
Conclusion
Although law enforcement was very successful in targeting a number of high-profile threat actors and criminal groups in 2024, many groups continue to operate in slightly different forms. The nature of criminal cyber operations makes them very difficult to combat: actors are spread across the globe, usually in countries that will not cooperate with US and European law enforcement agencies. It is nonetheless important that law enforcement continue to send the message that these activities can be disrupted and that there are consequences for them.
As we move into 2025, we expect law enforcement to continue to combat the increase in ransomware attacks and to disrupt markets and other areas where criminals operate. However, the pardon of Silk Road founder Ross Ulbricht by President Trump appears to send a message that leniency will be shown to some of those who profit from criminal activity.
Executives are increasingly targeted by activists and criminals of all types, posing significant threats to them personally and risks to their organizations. Many of these attacks can be detected, or even predicted, by monitoring the executives' exposure on the darknet, including leaked and stolen PII, credentials, chatter about the executives, and in some cases direct threats.
Despite deploying various security tools, many organizations lack a dedicated executive protection service to monitor and alert on potential threats or negative chatter targeting executives. Addressing this challenge might seem complex, but the stakes have never been higher.
In this webinar, attendees learned how to effectively baseline, monitor, and alert on organizational and executive threats using DarkOwl's Vision platform, and heard practical steps to safeguard executives and the organization against these evolving threats.
NOTE: Some content has been edited for length and clarity.
Kathy: Today’s webinar will be held as a fireside chat with Mark Turnage, DarkOwl’s CEO as our moderator. Before we begin, we’d like to give each company a moment to introduce themselves.
Brandon, would you like to tell us a little about Ascent Solutions?
Brandon: Absolutely. So, if you’ve never heard of us before, we are Ascent Solutions. We’re an award-winning Microsoft Solutions partner that specializes in the Microsoft security stack. We offer a wide range of cybersecurity services to include advisory, professional services, as well as managed services, including Cyber Threat Intelligence, Security Operations Center, and Threat and Vulnerability Management as a service, just to name a few.
Kathy: Mark, would you like to tell us about DarkOwl and then start our chat?
Mark: I'd love to. My name is Mark Turnage. I'm the CEO and Co-founder of DarkOwl. DarkOwl is a company that was established for the sole purpose of monitoring the darknet and what we call darknet-adjacent networks for criminal activity and underground activity on behalf of our clients. We monitor tens of thousands of sites a day, and they include everything from the traditional Tor network all the way to Telegram channels where threat actors are now active. Our data is available in a number of different ways, UI, APIs, data transfers, and we number many of the world's largest cybersecurity companies among our customers.
It’s a pleasure to be here today with Brandon, and I’m going to just let Erin introduce herself really quickly, and let’s start with questions.
Erin: Hi, everybody, I’m Erin. I’m the Director of Intelligence and Collections at DarkOwl, so responsible for the data that we collect as well as doing investigations on behalf of our customers.
Mark: Great, let me go ahead and start. I’m going to direct this question first at Brandon and then at Erin. Can you give us the basics of executive protection? What is it and why is it important?
Brandon: Well, at Ascent Solutions we offer what we call digital executive protection monitoring and alerting services that tie in with our team's approach to continuous threat exposure management. Our approach to executive protection is actually rather simple. We provide enhanced monitoring of the dark web that specifically focuses on key executives and organizational leadership. We recognize that alerts specifically pertaining to these individuals and key personnel could require a more tailored and, of course, timely approach, with additional requirements, actions, activities and engagement beyond just the regular security team.
Mark: Great. Thank you. And Erin. Why is it important to monitor specifically, executives’ data online?
Erin: Executives tend to be the most visible people in any company. So, their information is out there, they’re doing things like webinars, they’re putting press releases out, et cetera. And so that makes them more of a target to individuals. And I think historically we’ve thought about physical threats and that’s still a concern obviously in terms of people being targeted, but more and more we’re seeing with cyber threat actors is that they’re using the information that they can obtain in the digital realm in order to target those quite visible people. And they can do this in a number of ways and this is why it’s important to monitor digital activities from different perspectives because there’s information that can be leaked about executives which can lead to information that threat actors can use and they can get their credentials and get access things that way. But there’s also a social engineering aspect to this, you know, if people are putting a lot of information out there on social media about their movements, about their hobbies, about how they operate, that makes it a lot easier for threat actors to impersonate them or use them to target members of the company. And we see that a lot with phishing attacks. So, I think it’s really important to understand, especially for executives, but probably for all employees and individuals, you know, what information is out there about you and what steps can you take to protect your digital footprint.
Mark: And I’m gonna go off script here, so I’m gonna cause our hostess Kathy to have a heart attack.
You know, I have heard through the years, and we've seen a little bit of it ourselves, that oftentimes not only are executives the most visible members of a company, but also they're the least cautious. It's the C-suite. Have you guys found that to be the case in some cases? I don't want you to bad-mouth your clients or our clients, but do you find that to be the case?
Brandon: I’d say it depends on the executive when it comes to that, but I’d say that there’s some consistency with that, Mark.
Erin: Yeah, I would say anecdotally that does seem to happen. But I feel like maybe it makes a bigger splash when it's the C-suite that's messed up. But, you know, I think as well it could be a generational thing. The C-suite tend to be older. They tend to be less tech savvy. They tend not to think about social engineering attacks or how the information that they're providing could be used. But then in the same vein, younger people put way too much information on social media, in my opinion, so it's a balance.
Mark: Sure. I mean, I’ve been subject to phishing attacks myself. Some of them quite sophisticated. And all of them, all of the most sophisticated ones tried to take advantage of the fact that I was the CEO. They had a message or a sender that I would pay attention to. They were quite sophisticated.
Brandon: Yeah, I would love to add to this one too, big time. Multiple vendors throughout 2024 identified that threat actors are increasingly targeting executives, basically to get a foothold into their organization, cause reputational damage, or just pick an insidious activity. This is also quite consistent with what we've seen in our SOC, and we have to keep in mind that executives often have access to the organization's most critical business functions, which threat actors can use to gain that foothold. To Erin's point, we don't exactly make it very hard either. We feature our executives, and in some cases we feature the direct contact information for these folks out there as well. So, putting it all together, we basically roll out a red carpet for these folks to attack our most senior people.
Erin: I think it’s what you have to think about the senior folks being impersonated as well. So, you know, employees are much more likely to respond to a phishing email if they think that it’s coming directly from an executive. And, you know, with things like AI now, you can generate an executive’s voice. If an executive is out there doing a lot of press webinars, their voices on the internet, you can impersonate that and use that against their employees. So there’s aspects of it as well.
Mark: We’re gonna come onto that. And the question I had for you, Brandon, was what is it about now? What’s different about now that makes monitoring this type of data more important than ever?
Brandon: Well, I think threat actors are getting more creative every day. And we're seeing them attack and exploit things that are often on the periphery, especially since throughout 2024 we watched a lot of different third-party vendors that have access into different environments get hit. So, I do think that most of the time, when we get dark web monitoring and alerting services, it's specifically monitoring your email domain. But we need to open up the aperture on that, in my opinion. We need to be monitoring any mentions of the organization, obviously email domains and credentials, but specifically with executives, sometimes a lot of these executives link some of their non-business email addresses or contact information to their business email contact information as well. So, with that, we've got to be mindful of threat actors exploiting these fringe and periphery things to get access. Their goal remains the same: cause as much damage as possible, get access, sell access, etc. We've got to be cognizant of that.
Mark: And Erin, what’s different about the dark web as opposed to more social media sites? Give us some sense of that difference.
Erin: Yeah, I think people on the dark web have a bit more of a sense of they can do whatever they want. So, you know, we see things like doxing, where threat actors will just provide information about individuals, and it will basically be a dossier of that individual, all the information that they can find about them. We don’t tend to see that shared as much on things like social media. And also, just the sheer breadth of kind of leak and stolen data and Stealer Logs is something that we’re seeing, a huge surge in and the dark web is where they buy and sell that information.
And I think everyone needs to be cognizant of this. You can be as careful as you want about your digital data and your footprint, but you don't have any control over the third parties that you're putting your information into. And if they get breached, your information is out there. So you can be pretty savvy, you can have limited social media profiles, you can have all the privacy settings, etc. But if you have MyFitnessPal and MyFitnessPal gets leaked, your information is out there. So that's on the dark web. So, I think it's very important to be aware of that.
And then, moving to some of the dark web adjacent sites that we monitor as well, things like Telegram and Discord, we see a lot of individuals talking about targeting or accessing particular companies, or about geopolitical events that affect their lives and are hitting organizations and companies. So I think just monitoring that rhetoric as well, stepping slightly away from specific executive protection to general organizational protection and reputational risk, there are a lot of individuals out there making anti-Semitic comments, making violent comments, making threats against executives and against organizations. And I will say social media has probably changed slightly in the last year or so, where some people feel that they can do that on the open web as much as they can on the dark web, but it's certainly something we've seen increasing on the dark web over the last few years.
Mark: And Brandon, give us some examples of some of the threats and risks that you guys have found and maybe talk about a unique case that you’ve you’ve come across.
Brandon: I think most commonly we see stolen credentials, data breaches, ransomware posts, threat actors discussing or sharing proofs of concept, or just the sale of weaponized exploit code targeting specific vulnerabilities, amongst many other nefarious things. I think the most consistent one that we see, more often than not, is that our customers ask us, "Well, why are my executives, my leadership, the most phished?" And it's like, "Well, look at your website, man, you've got the contact information right up there." Or it's something like, your boss keeps signing up for all these random newsletters that keep getting hit, with his business email, which is why he's in X number of different data breaches. That's the most common, the most consistent. But I think the most bizarre case that we ever had to respond to, we had a customer that had just moved organizations and went to an organization that had recently been hit by a threat actor. And he had called us in to give him a hand and some assistance. Specifically, my part was to monitor the dark web, to get a good idea of what their presence really looked like on the dark web, which was very important for him, obviously. So I built a couple of different cases, specifically watching for organizational mentions, email domains, or anything and all things related to the victim company. And sure enough, the threat actor wanted to gloat about his ill-begotten gains, and he threw up a post detailing exactly what he had stolen from the company. At that point I took that, handed it over to the team that was investigating the situation, and it gave them a better idea of where this threat actor could have been.
So, continuing to monitor, updating as needed, especially the posts as the thread grew on there, I guess the threat actor made some enemies of his own kind, and they decided to dox him.
Mark: Oh my god.
Brandon: After they doxed him, they basically put it out there like, this is who he is, this is where he lives, this is his home address, this is where his parents work, here are all his socials, these are all his data repositories, this is where he stores his data. And they basically stripped this threat actor of all his anonymity, and I immediately turned that over to the team, and I would like to believe they finally adjudicated him. I haven't seen a post from him since. So, it could be that. Well, let's hope.
Mark: That’s very, very interesting. Erin, give us a sense of what trends you’re seeing in terms of threats in the current environment.
Erin: Yeah, I just want to jump onto what Brandon was saying there. I always find it really interesting. I think we focus very much on "let's protect our executives and our organizations," which absolutely we should be doing, but I love the fact that the data that we have from leaks and from doxing and stealer logs helps us to attribute who is actually doing this, so we can use what they're using against us back against them. And it really helps to know why someone's doing something and what their motivation is, because it allows you to assess the threat a lot better. There's a difference between armchair trolls that are just making threats because they've got nothing better to do and someone that is going to follow through on that threat. So, I think it's really interesting to have that motivation.
In terms of trends, we're just seeing a huge mass of data; it's just growing and growing. We're not seeing that diminishing in any way in terms of data leaks. I think stealer logs, they're not new, but they definitely seem more prominent in this sector in terms of people being able to use them, the amount of credentials that are stolen and how people can use that to access things. I think we've also definitely seen a lot more sophisticated social engineering, particularly from some threat actor groups in terms of targeting call centers and help desks of organizations as well as the executives and CEOs, and being pretty convincing based on the information that they're able to find on both the dark web and the surface web. Brandon's already mentioned phishing as well. Not a new trend, but phishing is not going anywhere. I think as long as your email address is out there, it's a technique that works. I mean, you look at things like Colonial Pipeline; that was really basic phishing that led to a credential attack that led to the shutdown of the Colonial Pipeline. So, I think those are the things that we continue to see and that we have to continue to mitigate against.
And then I guess the other thing that I've already touched on, in terms of threats being made against executives or organizations, I feel like anecdotally people are less concerned about the threats that they're making. They're not trying to obfuscate who they are as much as they used to. I think people feel a little bit braver about what they can and can't say. And part of that's people on the internet; they're sitting behind a screen, they think they're untouchable. But also, I think it's just the way things are developing geopolitically; people have a sense that they can do things and take action. And I think we'd be remiss in an executive protection webinar not to talk about the UnitedHealthcare assassination. That individual, as far as we know from reports (obviously, I wasn't involved in that investigation in any way), didn't have a huge amount of rhetoric online about thinking about doing that. But I think it really just highlights that when people have pain points, and they're talking about those pain points, you need to pay attention to them. And the digital world and the digital things that people are talking about and the exposure that people have: he had to know that that executive was going to that hotel at that time, and that was probably from his digital footprint. And so there can be real-world impacts outside of hacking and network things that I think it's important to be aware of as well.
Mark: And can I ask you both a question. When you're monitoring an executive, take me as an example, you're monitoring Mark Turnage. How often do you pay attention to Mark Turnage's spouse or partner and family? Have you seen that as an attack vector by threat actors?
Erin: I would say it's definitely an attack vector. Again, executives will get education through their security team, through their SOC, whoever, telling them what they shouldn't do, and they can improve on that. Whereas kids might post where they're going on holiday and things like that, and it can make them more vulnerable. What I would say about that, though, is that it's really up to the organization and the executive whether they want to extend the monitoring that wide. A lot of people, for very legitimate reasons, don't want to share the more personal side of their information, their family, their personal emails, etc. I would caution against that, because you need to look at things as a whole when it comes to this. But yeah, the privacy concerns around that do tend to be an issue.
Brandon: Yeah, I grouped that with the periphery as well.
Mark: We’ve seen one or two cases where the social, as Erin said, the social media posts of children were a primary attack vector because they could follow an executive’s family around. And as Erin said, it’s a choice for the executives and the organization to make.
Give me a sense, Brandon, what practical steps can be taken to baseline an organization and then monitor it? And how have you used DarkOwl to monitor and alert to these threats?
Brandon: Yeah, absolutely. Well, one thing I learned after 20 years in the Marine Corps is that collection planning is key for any type of operation. So, for Digital Executive Protection Monitoring and Alerting Services, we have a whole menu of different things that we offer our customers who wish to subscribe to this. So, it's up to them. From there, we pump that into DarkOwl to specifically monitor for those different things. And the great thing about DarkOwl is you're able to build a case where it's going to go out and fetch at whatever frequency you want it to, looking for the information that you ask it to look for across various sources. If I want to look specifically in extremist forums or other threat actor forums, I can have it look specifically for these different things there. Or if I just want to focus on email domains or email addresses in these different forums, I can do that. Most consistently, as far as our basic package goes, what we do is monitor the organization, the organizational email domain, and the names and business email addresses, and in some cases the personal email addresses that are joined to the network environment, of the different executives, and we build a case around that. So anytime something does pop up, I get a notification and then we handle it accordingly.
Mark: Great. And those can be in relatively real time, you know, within a minute of a post being posted.
Brandon: Yup.
Mark: Erin, give me a sense of what mitigations companies can take to protect their executives. I mean, it sounds like there's this Wild West world where data is being spilled out there or doxed out there. What can a company or an organization really do to mitigate the risk to their executives and to the organization itself?
Erin: Yeah, so I think one is doing this kind of monitoring and being able to baseline what is already out there, because there's no way that there isn't something out there to begin with. So, you want to have that, and you want to be able to watch for any changes. But basic steps that organizations can take are giving people cybersecurity training on phishing attempts and what to look out for, giving people advice on what they shouldn't share on social media and how they should set their privacy settings, etc. I think having a really strong password policy: leaks are going to happen, but if you're not using the same password on every account, it really reduces the risk to your overall footprint. I think using things like password managers can really help with that.
And then I think being cognizant of what data is out there. There are ways to remove some of that data, not on the dark web, unfortunately. So if your data is on the dark web, your data is out there. But there are a lot of data brokers and other organizations that will hoover information up from public records and from social media, and you can legally ask for that information to be removed. So that's something that you should probably look at doing as well.
And I think just being generally vigilant, making sure that your employees are trained and know what to look out for, but also know what they should and shouldn't do. Like, don't post too much information on social media. Don't mix your personal and your business email addresses on accounts; don't use your business account for your hotel bookings and things like that, because that's the way that threat actors can piece together your life and do the kind of doxes that Brandon was talking about. So, I think it's just having good cyber hygiene and good education to try to mitigate and reduce the risks as much as possible. I think everyone needs to be aware that you can't remove the risk. There are steps you can take. We can do this monitoring. We can be looking out for that. We can be as vigilant as possible. But we can't protect all the third parties where we've put our data. And so, you just need to be very vigilant for these types of attacks.
Mark: And you must get this question all the time, Brandon. What do we do about this? Can I take darknet data off the darknet? Can I take my data?
Brandon: No.
Mark: You must get this asked this all the time by your clients.
Brandon: All the time. Adding to what Erin said, I think enacting continuous monitoring of your executives on the dark web and integrating custom alerting into your SIEM to identify and respond to potential security threats. I think that’s awesome, which is why we bring that into our continuous threat exposure management modus operandi here at Ascent Solutions. We bring this all in together. And I think it’s important having the sufficient processes in place and stuff to monitor for these specific things. DarkOwl enables a lot of that. And there’s a lot of science that goes after that when these things happen, which is why I’m just very grateful to have such an awesome SOC team that I’m a part of.
Mark: And we haven’t talked about this. Let me ask this question. How deep in an organization is it? Have you monitored for executive protection below the C-suite level, senior management as well, or do you tend to focus on just the C-suite?
Brandon: I think it depends on the organization and where they have determined their most critical business functions are. So, although this person is a mid-level part of the organization, this person is in charge of all this different industrial control system equipment here, and they have a public-facing presence that interfaces with the OT environment and the IoT environment. So yeah, that’s definitely a high-valued individual. It depends on the organization to answer your question, but yes.
Mark: Yeah, I was thinking about system administrators, for example. They’re not C-suite, but they’re very, very important people in an organization.
Erin: Yeah, I think it can depend on the role. Again, it depends on the organization, their size and their appetite for this kind of thing. But there are certain roles that you definitely need to kind of be aware of. But I think it’s also, I think to Brandon’s point, what public exposure those individuals have, the bigger footprint that they have out there, the more likely they are to become a target. So, you might be someone that has a really important role, but you’re very discreet and kept quite quiet and not publicly listed on the website or anything like that. And that’s not to say you shouldn’t want to say for them, but it’s probably less risky.
Brandon: Correct.
Mark: I’ve never heard of a company like ours or yours doing this, Brandon, but you might want to do a social media audit of all the employees to see who has the most social media exposure. Because I mean…
Erin: There’s a direct correlation with that, right? Like, so Mark, you were talking earlier about how you get phished all the time. And I know other people in our company have received those phishing emails. I never get them. And my hypothesis is, because I’m not on LinkedIn. So, you know, you can make yourself less of a target by protecting your digital footprint in certain ways. I know anecdotally of a case going back to what you were saying of family members and like checking social media and things. They had an executive who was pretty careful and pretty secure, but their wife had uploaded a review that included locational information. So, you know, it’s what people put out there.
Mark: Yeah. I have seen CISOs, system administrators, and other cybersecurity professionals very active on social media, which is an interesting tension given their roles. We’ve talked a little bit about use cases, but if you guys could both finish with sort of – one of the most unique cases that you’ve seen using the tool, that’d be, I think it’d be informative for our listeners here.
Brandon: I think the one that we specifically talked about with the other company with the threat actor getting doxed, like that was the absolute most unique case that I’ve ever seen. You know, and that’s definitely in the Hall of Fame for as far as DarkOwl for the win moments for our company.
Erin: I’m trying to think. I don’t know that I can think of something that’s particularly unique. But I mean, we definitely see impersonations of executives on Telegram and other areas, threats being made, a lot of memes being used for that kind of activity. And then I just think that the doxing thing is such an interesting area of data set that we collect from. I’ve seen everything from executives to FBI agents having their information released. And once that information is out there, there’s very little that you can do about that, but you need to know that it’s out there. So having that monitoring capability to know what of your information is out there and how you can be vulnerable. But as I said, I think turning that back, the threat actors do this themselves to each other. And so, it’s very helpful. I mean, there’s a lot of threat actors out there that are involved in things like swatting; they’ll swat executives and other famous people’s homes or schools or universities. And they make a kind of a game out of that. But because they’re interacting with each other, they, you know, they anger each other and that causes their information to be doxed, which helps us as investigators to find out who is doing this. And as I said, that important part of motivation, which I think some security people, they just wanna stop an incident, they just wanna stop data being stolen. But I think it’s always really important to look at that motivation piece as well.
Mark: And Brandon and Erin, do you see any trends and threats to executives that are sort of based on geopolitical events? Something happens geopolitically or politically here in the US, or something like this shooting, this tragic shooting of the United Health Care CEO. Do you see risks go up or chatter go up, or does it tend to be fairly flatline throughout?
Brandon: From a geopolitical perspective, absolutely. We got to go back in time for this one a bit. But when Russia was getting sanctioned a lot by a lot of different commercial vendors and stuff, that kind of set off a red flag for a lot of the Russian-based e-crime actors and stuff to start going after and specifically targeting these companies because of the Russia-Ukrainian war and stuff. So that really prompted a lot of these folks and stuff to start going after them. So yeah, it really depends. It really depends on the situation, you know, and what the atmospherics are surrounding that situation as well.
Erin: Yeah, I mean, we’ve definitely seen, I think the most recent one off the top of my head that I can think of is the Israel Hamas conflict. That definitely caused a lot of individuals that were Jewish to be targeted, and Palestinians to be targeted, so you definitely see those trends in relation to big geopolitical events, and I think that’s something that executives and organizations need to be aware of as well as posturing around these types of events. I would say the main trend I’ve seen with the United Health Care incident was executives are more concerned; they’re taking more of a proactive approach to maybe looking at their footprint. And I think a lot of people were very surprised by the response to that from a lot of individuals on social media, on things like Telegram, where there wasn’t a lot of disgust at what the alleged assassin had done, and more concern about, you know, we don’t like these executives. There was one individual on social media who produced a deck of cards with different CEOs’ faces on them as targets. So there’s definitely that kind of rhetoric, whether that leads to actual threats or it’s just people talking. You know, it’s hard to say, and that’s again why that motivation point is important. But yeah, I think there’s definitely trends and activities that happen that have an impact on all of this kind of thing.
Brandon: It’s never a dull day in the life of a threat intelligence manager in cyber security.
Hottolink, a leading provider of data-driven digital marketing, and DarkOwl, a leading provider of darknet intelligence and insights, are pleased to announce that Hottolink has become an authorized reseller of DarkOwl’s industry-leading dark web intelligence products. This partnership enhances Hottolink’s ability to deliver advanced cybersecurity and threat intelligence solutions to businesses and organizations in Japan.
DarkOwl is the industry’s leading provider of darknet data, offering the largest commercially available database of darknet content in the world. Through this partnership, Hottolink will offer DarkOwl’s powerful suite of products, enabling customers to monitor, analyze, and mitigate cyber threats originating from the dark web.
“We are delighted to announce our partnership with DarkOwl, a globally renowned company, as an authorized reseller. This agreement allows us to bring DarkOwl’s cutting-edge dark web analysis tools to the Japanese market,” shares Shuhei Suzuki, Executive Officer and COO of Hottolink, and continues, “With the increasing number of data breaches caused by cyberattacks in recent years, the importance of dark web analysis for enterprises and government institutions has grown significantly. Through this partnership, we aim to support Japanese companies and organizations in quickly identifying and responding to the exposure of their confidential information.”
CEO and Co-founder of DarkOwl, Mark Turnage agrees, “As cyber threats continue to evolve, organizations need real-time access to actionable insights from the dark web to protect their data, assets, and reputation. This collaboration will help our mission of being able to empower more organizations globally with cutting-edge tools to enhance their security posture.”
The availability of DarkOwl’s products through Hottolink will help organizations across industries proactively address cyber risks.
About Hottolink
As the core company of the Hotto Link Group, operating in Japan and the United States, we specialize in data-driven digital marketing with a focus on earned media. Through social media marketing, we empower companies to boost sales and enhance their brand value.
With access to global social big data, we develop our services and products across three layers: data, product, and service. By leveraging this data, we analyze brand awareness levels, identify word-of-mouth triggers, and track information dissemination patterns for both your company and its competitors. This enables us to provide comprehensive support for your social media marketing challenges, from strategy development to implementation. Our data-driven methodology ensures actionable insights and measurable results, empowering your company to achieve its marketing goals effectively. For more information, contact Hottolink.
About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.
Valentine’s Day is a great time to celebrate love whether you are in a relationship or single. However, there can be a darker side to Valentine’s Day – while many celebrate romance, others target those wanting to feel loved or special by someone.
The FBI defined romance scams (pig butchering) as when a “criminal uses a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.”
The FTC (Federal Trade Commission) explained that romance “scammers create fake profiles on dating sites and apps or contact you through popular social media sites like Instagram or Facebook. The scammers strike up a relationship with you to build up trust, sometimes talking or chatting several times a day. Then, they make up a story and ask for money.”
Romance scammers are no different than other scammers – they quickly gain rapport with their targets before taking full advantage of them. It is not uncommon for romance scammers to be well versed in other types of fraud like check fraud. According to the FTC, there are specific tactics these scammers employ to quickly gain rapport with their targets. It is key for the scammer to manipulate their target by giving the victim the impression they have a genuine connection.
In this blog, we will examine not only how romance scams and pig butchering are often mentioned across the darknet, but we will also look at various types of data scammers look for to identify their targets.
How do Cyber Criminals find their Targets?
Adult Website SEO Traffic
One method romance scammers use to identify victims is targeting adult website Search Engine Optimization (SEO) traffic leads and databases. The following popular XSS thread was originally published in 2020 but was still receiving replies as recently as January 2025. The thread highlights how romance scammers utilize adult website SEO traffic to find potential targets, with the user claiming, “there is over 3000+ people in my network that are active and above the age of 20.”:
OnlyFans is allegedly another effective site to target for identifying new potential victims. The following user on the popular hacking forum, Black Hat World, advised other scammers to connect with other fraudsters on sites like SEOClerk and Juicy Ads where users sell access to OnlyFans traffic.
While the above examples demonstrate fraudsters exchanging information with each other, it is also common to see tutorials for sale on darknet marketplaces. The below screenshot shows a listing of a tutorial of how to monetize adult website SEO traffic. This was listed on TorZon Marketplace on January 20, 2025:
Scammers will also sell services related to targeting adult SEO traffic. The following post from the now defunct Cracked.io shows a user advertising their SEO traffic service for $300 USD a day. The user provided an explanation of one methodology of how to monetize adult website SEO traffic for romance scams, alleging that Reddit is a good place to start your scam:
Romance scams are commonly discussed on popular hacking forums like XSS, BreachForums, and Exploit. An XSS post, from January 8, 2025, posted in both Russian and English displays a user looking to collaborate with other cyber criminals who are experienced with Romance Scams, stating “I am currently seeking reliable and experienced individuals who are actively working in this field [romance scams]. I have access to several clients and opportunities that could be mutually beneficial for collaboration.”:
A user on the popular hacking forum, CryptBB, alleged that an effective way to become a fraudster is pig butchering scams because it involves methods like crypto-swifting. Crypto-swifting generally refers to the use of cryptocurrencies for cross-border money transfers, inspired by the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system, which is widely used by traditional banks to send secure international financial transactions. The idea is to use cryptocurrencies and blockchain to enable real-time, low-cost, and secure global transactions without relying on central banks or legacy systems.
How are Romance Scams Mentioned on Telegram?
Romance Scams are often advertised as one of several fraud services by cybercriminals on Telegram channels. The following screenshot was taken from a popular Telegram Fraud Marketplace.
Another example that highlights romance scams services came from a credit card fraud Telegram market. This user also advertised various services, including PII associated with various dating sites that social engineers can leverage for Romance Scams:
What is E-Whoring and How Does it Relate to Romance Scams?
According to a recent University of Cambridge study, “eWhoring is the term used by offenders to refer to a social engineering technique where they imitate partners in virtual sexual encounters, asking victims for money in exchange for pictures, videos or even sexual-related conversations (also known as sexting). Packs of multiple images and videos of the people being imitated are traded on underground forums. This material is used as the bait to entice victims into paying for online encounters. Underground forums serve as a place for the interchange of knowledge and new techniques to improve the benefits obtained from this illicit business.”
Cyber criminals take great pride in proving themselves by sharing their knowledge, tips and tricks with others to build up their reputation and stand out within the threat actor community. DarkOwl analysts observed many sharing, some for free and some for sale, guides and ebooks covering how to get involved in e-whoring and romance scams.
DarkOwl analysts discovered recent comments on a post on the popular hacking forum, BreachForums, where a user advertised a large e-whore database allegedly containing over 637 GB.
E-whoring packs are also commonly sold across darknet markets, forums, and cybercrime related Telegram channels and Discord servers. The following post from the notable carding fraud forum, Craxpro, advertised a leaked database for an OnlyFans model:
E-whoring packs and databases are the most common; however, we also discovered an e-whoring bot being sold on Craxpro for 10,000 USD per month:
We also identified Telegram users selling access to e-whoring mentorship services. The below user advertised e-whoring mentorship service for 350 USD and accepts LTC, BTC, ETH, PPl, and Wise.
Conclusion
Romance scams, how scammers identify their targets, and e-whoring will remain popular topics across the darknet as long as this form of fraud remains profitable, effective, and efficient. One of the examples claimed that romance scams are the gateway to becoming an experienced fraudster who dabbles in its various forms. We also observed a large supply of users selling this fraud knowledge and a large demand from eager “newb” fraudsters willing to pay for this knowledge.
Darknet actors will continue to innovate as long as it remains profitable. As with conducting any activity on the internet, it is always important to remain vigilant to scams, whether that be romance scams or not.
DarkOwl wanted to share a few steps recommended by the FBI in order to protect yourself against romance scams.
Protect Yourself
Be careful what you post and make public online. Scammers can use details shared on social media and dating sites to better understand and target you.
Research the person’s photo and profile using online searches to see if the image, name, or details have been used elsewhere.
Go slowly and ask lots of questions.
Beware if the individual seems too perfect or quickly asks you to leave a dating service or social media site to communicate directly.
Beware if the individual attempts to isolate you from friends and family or requests inappropriate photos or financial information that could later be used to extort you.
Beware if the individual promises to meet in person but then always comes up with an excuse because he or she can’t. If you haven’t met the person after a few months, for whatever reason, you have good reason to be suspicious.
Never send money to anyone you have only communicated with online or by phone.
We wish all our readers a very happy and safe Valentine’s Day!
In this webinar, analysts demonstrated how to investigate and pivot on front company infrastructure, using Falkor and DarkOwl dark web data, to analyze and enumerate possible front companies and their employees.
Highlights:
Adversaries of the West are using front companies to obfuscate/hide their malign activities against the West
Sanctions and notable indictments from recent months
Enriching information using both Falkor and DarkOwl platforms
Investigating personnel, infrastructure, and other evidence linked to front companies
NOTE: Some content has been edited for length and clarity.
Ari: It’s a pleasure to be here with you. My name is Ari. I am an OSINT analyst here at Falkor responsible for integrating various tools like DarkOwl into Falkor, also general sales engineering, training, handling, any sort of client affairs that come up. You also may know me due to my blog, memeticwarfare, where I write about influence operations and investigating them, and a number of other ventures that I happen to be involved in. I’m very happy to be here with you today alongside with Steph, and we’ll let her introduce herself shortly as we show how you can utilize dark web and deep web data from DarkOwl in Falkor to investigate, in my opinion, very interesting Russian influence activity globally to uncover new front organizations from a few data points.
Steph, you wanna introduce yourself?
Steph: Absolutely, yeah. I second that this is going to be really interesting. I’m so excited to dive into it. So, hey everyone, I’m Steph Shample. I work here at DarkOwl. I used DarkOwl’s data before I became an employee, so I’ve got tool perspectives, very similar to Ari. I think once you’re an analyst, you just can’t get out of being pulled into everything. So, I also help with client training, use cases for how you might employ DarkOwl intelligence in your other day-to-day operations or your separate intelligence operations. And we’re going to get more into our company specifics as well. So, Ari, back to you.
Ari: So, Falkor is an interesting product. In my opinion, it’s kind of leading the next generation of what analysts are going to be using going forward. It’s an API forward analyst operating system, where in addition to carrying out all of your link analysis, data visualization, querying of various tools or so on, you can connect all of your internal data sets, be they files, databases, any other REST APIs you happen to have, all into one place. And then, of course, to use OSINT sources like DarkOwl or whatever else you happen to have into Falkor to utilize all of it simultaneously and seamlessly.
There’s also, of course, a full collaboration suite, task management, case management, all those additional add-ons that you need to run a case effectively. We have built-in AI capabilities, including an analyst investigative chatbot, digital profiling, real-time monitoring, and much, much more in what I may say is probably the most aesthetically pleasing dark mode first analyst platform out there, which anybody here who works in this space knows just how important that is. I’ll let Steph introduce DarkOwl.
Steph: Yeah, thanks. I’ll take it for DarkOwl. So, we’ve been around for about 12 or 13 years, DarkOwl. We are the world’s leading provider in Darkint intelligence. We cover, of course, the dark and deep web. We also cover what we consider dark web adjacent platforms, that is, places like Telegram channels, Discord servers, and, of course, IRC chat. We consider them dark web adjacent because you’re gonna see now, especially since Telegram has entered the fold and become more popular in geopolitical events, influence operations, and cybersecurity. It’s also cross-referencing, and actors are using both their onion platforms, their markets, their forums, to advertise on Telegram and vice versa, thus maximizing the potential for financial return or notoriety in their operations.
So, the image that’s on your screen here: of course we cover Tor, that’s the browser that you would download and use to access the dark web. We also have I2P and ZeroNet. We are definitely on discussion boards as more people share tactics, techniques and procedures, or TTPs. Underground criminal forums and markets I’ve touched on, pretty self-explanatory. And then of course those chat platforms that I’ve referenced, how they go back and forth.
Ari, real quick. Do you want me to go into the dark web and how it works now? Or do you want to save that?
Ari: No, absolutely. Absolutely. Let’s lay the foundation for sure.
Steph: Let’s lay it. I like it. So, Ari and I did want to be very clear, you know, for those who aren’t in this space, what is the dark web? What is the deep web? Everyone’s got their own definition. You’ll see all kinds of chatter and people contributing to that conversation. But let’s just keep it very simple. So, the surface web, you download a browser, right? Your choice, Chrome, Firefox, Brave, whatever that is. Very easy. Everything that you’re accessing, if you’re searching on there for recipes or how to, you know, sew or whatever that looks like, it’s attributable. You can find that information, several clicks, couple buttons, you’re good to go. It’s attributable, right? Every IP address and every website is mapped. They relate to one another. All activity is generally able to be observed. Where is this website hosted? Is it a Google domain, an Amazon domain or something else?
Whereas the dark web is meant and was built to be obfuscated. It is built to be more anonymous. It has more privacy features. So, you need special equipment to download it. When you access a .onion URL, you cannot put that .onion URL into, say, a Google or any kind of other browser. You’ve got to put it in Tor, or there are a couple of other browsers. Some people work with Tails as well. It is not indexed, so you really can’t search a lot on the dark web for recipes or any kind of thing. You have to know what you’re looking for and where that type of material is hosted. So, if you need something, say, if you had a ransomware incident, if you’re in this space, you’ve got to know how to access the ransomware blogs where they host them. If there’s an initial access broker that’s selling access to your company on the dark web, you’ve got to know maybe their name, how to get ahold of them, what market or forum they operate on. And again, it’s built for privacy, right? It is not going to easily give up information such as locations or IP addresses. In Tor, you have three of them: you have a beginning IP address, a middle and an end, and they change approximately every 10 minutes. It’s meant to be obfuscated. It is designed to be anonymous. So that’s our high level. What is the dark web? How do we access it? What are we doing? We welcome further questions on that if you’d like to put it in the chat or contact either one of us. No problem.
All right, Ari, I’ll kick it back to you unless you have a question.
Ari: No, no, there’s just so much more to go with this stuff. I just say, again, everyone wants to know about how dark web URL resolution works, let us know later. But yeah, but alongside the dark web data, I think the most important thing that we’re going to bring up is the use of that in conjunction with deep web data, Telegram in particular, but also other sources as well as they come up, right? And that’s, I think in my opinion, the real added value of what tools like DarkOwl and other tools that provide similar data sources do, that you can really have essentially all three layers in one setup.
So, with no further ado, let’s discuss the case that we’re going to be looking at today. The case that we’re going to be looking at today is the Center for Geopolitical Expertise. Now, you may have heard of this. They were sanctioned, I believe, about two months ago, maybe a bit less by the US Treasury Department. Here’s the statement. If you want, you can see that over here.
And we have the Moscow-based CGE, or Center for Geopolitical Expertise, founded by the OFAC-designated Alexander Dugin, whom we’ll discuss briefly perhaps later on. And then, of course, the main person running the whole operation, Valery Mikhaylovich Korovin, and other relevant CGE personnel. So, we’re going to see how we can essentially investigate this organization, the CGE. By the way, as a side note, Russian front organizations love utilizing terms like geopolitical, whatever, and expertise and that sort of stuff, just a cultural thing that they happen to really enjoy doing, and you’ll see that repeat itself in this space quite a bit. To see what we can essentially find out on this given organization, utilizing deep and dark web data, and then how we can expand upon that to find other signs of new front organizations and just better understand their general activity. So, we’ll cover not only dark web data, but also some investigative tips that you can utilize when investigating front activity on your own, and then we’ll conclude with a Q&A.
So, the most recent case that we have of the CGE was apparently, or they’re alleged I should say, though it’s becoming increasingly well-founded in terms of the research, right, was their organized election interference, I would say, inside of the current German elections. They’ve also been quite active in Ukraine. They’ve run probably the single most successful operation inside of the US called CopyCop, that was published by Recorded Future. Great report, highly recommend that you read it. And they utilize locals and other individuals to set up these AI-generated domains, targeting whatever election or given country they happen to be targeting.
Here we have an example from News Guard over here of a various number of German language domains used to target Germans.
Now there hasn’t been much coverage of Korovin individually beyond the Gnida project. By the way, a great Substack that I recommend that you follow. If you’re interested in tracking Russian influence operations internationally, they do a lot of great stuff. They’ve been the only ones to publish anything in depth on Korovin individually. There have been a few mentions here and there, but nothing really in depth. So, let’s see what else we can find on them. There we go. So, just to recap where we are so far and how we’re going to start our investigation, which by the way, I find to be often one of the most difficult places for analysts, especially new analysts, you know, to have it right when they get going, is where to even begin with looking into such sprawling types of activity.
We have the sanctions announced on this given group, and there has been past reporting on them from other individuals as well. And we have the number one person of interest, or POI, Valery Korovin, and of course information on him published by the U.S. Department of Treasury, including the Russian tax ID over here, which is like their social security number, date of birth, general area, and of course, the registration information of the CGE as well. I built a very humble little graph over here in Falkor’s link analysis, showing you essentially how these things work, how Korovin over here is essentially an agent of the GRU, right, he’s their liaison for the actual activity that the GRU, which is Russian military intelligence, wants to carry out internationally. We have the Rewards for Justice announcement from the US government over here, his affiliation with American John Mark Dougan, another activity, the Eurasia Organization, and other key individuals that we’ll get into in a little bit.
Just a quick word about Dugin if you haven’t heard of him. Dugin is the founder of the CGE and is a fascinating figure who we could dedicate multiple sessions to just for himself. But in short, he is a Russian far-right political polemicist with a very unique political philosophy on how the world works and how things should be, at the very least, founded on multi-polarism, meaning the world not being unipolar centered around the United States, and essentially Russian borderline fascism, if not fascism itself in many ways. So he’s a sanctioned individual known for his very, very, very extreme views. Now, thanks to Gnida, we also know about Natalia Makeeva, who is the senior official at the CGE and is the right hand of Korovin, but we can also find out more about her independently as part of our investigation. We don’t need a project just for that. So now we’re going to see how we can take these individuals and the basic data points that we have here, identify entities for investigation, further identify new relevant entities, and then keep going. Now one thing I do want to bring up, and Steph, do you want to expound further upon this, is the Russian dark web ecosystem in general, which is incredibly rich. So, if you have any words you want to add to that, I think that’d be helpful.
Steph: I’m fully in agreement with you. You know, the Russians are, of course, not the only actors, APT or cybercrime, focused on the dark web. But I would say they are the most frequent. They know what they’re doing. They’ve been using the dark web in their operations probably longer than any of our other adversaries. You will see Iran, China, Belarus, and pick a country: if their actors are on the dark web, you know, they are using it, but Russia is the most frequent and uses it in a variety of ways, right? From ransomware to cybercrime, to info ops, to all kinds of influence operations, Russians are all over the dark web. We have learned the most from them. Ari, so that’s a great point.
Ari: Absolutely, and the most important point for us is that that cuts both ways, right? So there are tons of data leaks on Russia, tons. I mean, perhaps the single most leaked country I’ve ever seen, certainly in terms of sheer number of leaks and data available, and that’s how we’re going to utilize this information to keep investigating. So just from doing a name search on Korovin in Falkor with this full name, which we got from the sanctions, we get a large number of interconnected results over here. And by the way, as an aside, if you’re interested in seeing the full investigation with other information from DarkOwl and Falkor, feel free to contact us separately. We’d be happy to schedule a demo to show you more of the in-depth information on this individual case.
Just from looking up his name, we find all these various interconnected data points. We find, from leaks of data available on the dark web, a Facebook profile with a UID, a leaked Telegram account, leaked Gmail entities appearing in a dark web post over here, and multiple other entities belonging to this individual.
Now, I see we’re getting questions in the chat, so I’m not going to refer to that now, but we’ll save that for the end. But if you do have any questions, feel free to send.
So, one thing I do want to bring up also is that one of the results that we get here is that Korovin has an additional email at the Eurasia organization, which we mentioned over here, which is another organization tied to Dougan. Okay, so that also came up in the results. Now if we look up the Eurasia.org organization, which is by the way another Russian instrument of influence headed by Dougan and active globally, looking at WHOIS records, here we have from WhoXY, which is a great free tool, which is a side note by the way, highly recommend it if you need a free tool for that, or of course the full suite of domain intelligence available in Falkor. We can see that in fact the person who registered Eurasia.org was Makeeva@Eurasia.org, Natalia Makeeva, the woman mentioned earlier, and she also registered the CGE domain over here as we can see as well. So, she’s a pretty central individual then, having registered the domain for CGE. And then we can also see over here a very broad overview of the leak data available from the deep web on the actual Eurasia domain. So going back to that, just by querying essentially the domain itself in Falkor, we also have Korovin’s individual email address over here. But here we have the full swath of results. I’m sorry, I tried to fit a lot in on this slide.
I know we only have so much real estate over here. But you can see the sheer wealth of data that we have on the actual domain, which is somewhere over here in the middle, right, including the large number of actual individual posts in which the domain is mentioned, but also, more interestingly perhaps, a leak total of 360 email addresses in leaked records originating from the domain, of which we have 28 unique ones. So, Steph, I don’t know if you have anything you want to add to that on the dark web, on DarkOwl’s data enrichment features over here in terms of profiling.
Steph: Absolutely, we are a niche darknet intelligence company, but one of the tools that we have to get extremely granular is this bottom right image that Ari has been highlighting. So, when Ari and I were going back and forth saying, you know, what can we do? We want to talk about front companies, but it’s intimidating, it’s overwhelming to get started. There’s a lot to follow, there’s a lot of threads to pull, there’s a lot of misdirection that can happen. But when Ari gave the domains of some of the proven front companies, and we definitely sourced those from indictments and Treasury, as we’ve mentioned, you can put any top-level domain into our tool, and of course in Falkor now that’s also using it, and get a pullback of, okay, here are the amounts of emails exposed, that’s that 360 number. There are 28 unique ones, because of course there’s going to be repeat breaches, accounts in certain pieces of information with the same password or exposed in the same place. So, it’s just really important to help flesh out your top-level domain research, get the patterns. You know, what password does this individual use? Is it constantly exposed on the clear web, on social media, on the dark web? So it’s a really cool feature to kind of build this out, and we use it heavily in our investigations.
Ari: Absolutely, then you can get it all visualized for you nicely inside of Falkor, giving you the clustering over here of what’s actually important. You can filter, of course, by degrees and so on and move on from there. But the point that I want you to remember is that every one of these data points is essentially another pivot point that we can use as part of our investigation. So as we can see that certain clusters of activity here are more central, right, or more active in terms of relations to other entities, we can then take Falkor’s, say, integrations with email and phone number lookup tools or people investigation tools, or social media enrichment, and then enrich those further to further investigate the domain. Now the next thing to keep in mind, and this is especially relevant when investigating organizations of any kind, be they companies or front companies or whatever it happens to be, is that the leaks don’t lie at the end of the day, right?
Firstly, having no leaks is suspicious, because almost every organization has an employee who utilizes some given company data point to register for some service. It’s rare to not have that happen at all. And then when they inevitably do, as we can see here, we can see who’s more active with their company email or other company assets online to find other relevant data points really easily. Here we have a number of individuals, including Makeeva, who was the single most popular leaker in terms of using her email address, which also hints to us that she’s probably a pretty active individual in the given organization. So, we can use DarkOwl data for investigations, right, for pivoting, but we can also utilize it to qualitatively understand and analyze what actually occurs within this given organization.
So, we can see here that Korovin’s email address appears in a dark web post taken from an onion site that we can see over here as well, which was actually a leaked copy of the internal information policy of the Lugansk People’s Republic. So, you know, occasionally you’ll see there’s some news article about a list of leaked data, you know, exposes this, or leaked, you know, government reports say that, et cetera. One of the places you can easily find that data is in fact on DarkOwl, because, as Steph would say, you guys are constantly indexing all of the available posted and leaked data online. And here we can see, in fact, that Korovin and Eurasia are mentioned as key bodies for promoting Russian interests in the Lugansk People’s Republic, which is one of the breakaway regions of Eastern Ukraine currently being fought over in the war. So, it has an official role in, say, promoting Russian interests there as well, which was not publicly available data previously. Now, we can also then look at Korovin’s Twitter account, which is easily found publicly, but also easily found via breach web data. And then inside of Falkor’s social media enrichment, we can bring back followers, posts, and more. So, we can see that his followers globally, of course, make sense, roughly what we would expect: mostly in Europe and Eastern Europe and, of course, Western Russia, some in the Middle East and other parts of Asia, Latin America, Africa, and the US a little bit. And we can use all these also for further investigation, especially when it comes to finding new organizations globally that might be following him that could be potentially related. And then we can also utilize the Falkor link analysis to better understand clusters. We have Korovin over here; that’s the original account over here. Then here we have one other account that he shares a large number of followers with.
And this is, of course, who else but Natalia Makeeva. So even without the Gnida project telling us earlier that she’s a key individual and providing the receipts, as we say, which we’ll see shortly, we can also find this out ourselves utilizing open source investigation. Now, if we begin to look her up by looking up her email address also in DarkOwl, we get another kind of dark web data that we can utilize quite effectively, which is actually leaked emails between Makeeva and an individual affiliated with the pro-Russia Novorossiya movement based also in, of course, Donbass, the eastern part of Ukraine that’s being fought over in the war. We can see here in these individual emails, which I translated into English (they were of course sent originally in Russian), that they were coordinating sending over propaganda material from Dougan, of course, into that area. Now, one of the other things that DarkOwl does that Steph might want to explain briefly is tokenizing entities, and then I’ll describe how we do that in Falkor.
Steph: Absolutely. You can see in the bottom left image we have that highlight. Once Ari shared the names of the individuals that we wanted to focus on for this investigation, I just ran that through our tool, and we highlight our results. We want to make it easier for our analysts, make it visually appealing. So Makeeva, we see her domain confirmed, she’s sending emails back and forth, so there’s a couple of things. We’re going to pull out that email address so that you can further pivot on that, build off of it, find passwords, find anything that you might want to find. We got very lucky in this instance that we had contacts for these emails. So then you can also, when need be, pivot to Gubarev at NovoRussia, you can take a look at NovoRussia’s top-level domain, what’s exposed, what’s out there. You can try and see if that resolves to any IP address based on what, you know, Russia, how they’re setting up their operations. So, you have a whole bunch of different pivots and different pieces of analysis to add to just Natalia Makeeva and her email address. We built out a whole other graph that is evidenced in Ari’s image on the bottom: phone numbers, contacts, patterns of life, patterns of contact, and other people she’s working with. So yes, we pull that all out in DarkOwl for pivots.
Ari: Exactly. And then we can just easily right-click on that document in Falkor to extract those tokens as entities for further investigation automatically. So, if you have this email address, instead of needing to copy and paste each individual email address or phone number or username or whatever it happens to be, you just right-click, you have it, and then you can right-click and further enrich and investigate effectively. So just to recap where we are so far, we had the original CGE organization. By looking into it, we found the Eurasia group organization, also unsurprisingly affiliated with this group. And now we see pretty close ties between the leader of the Novorossiya community over here and, of course, Natalia Makeeva, indicating there might be other ties as well that we could investigate. Beyond the original organization, there’s also evidence from, of course, Gnida as well that Korovin and Makeeva, who we can see here (this is Korovin, and this is Natalia Makeeva), are active globally beyond Eastern Europe and Russia, involved in setting up the Fundación Fidel Castro para el Desarrollo de las Relaciones Ruso-Cubanas, the Fidel Castro Foundation for Promoting Russian-Cuban Relations, which they utilize essentially to promote Russian interests in Latin America and the Spanish-speaking world. And here we can then utilize Telegram. So, Steph, I’ll let you then describe perhaps how DarkOwl handles Telegram and Discord and other deep web sources before I describe what we’re seeing here.
Steph: Of course, no problem. So, once again, we kind of went on the name of Valery Korovin. I wanted to do a search. We know that Russians are also avid users of Telegram. We saw that activity really increase, where they were sharing battle plans, pictures, strategy on Telegram after Russia invaded Ukraine. But we also saw that pop up when the Afghan government fell in the summer of 2021. So just to let you know that Telegram is all over. We pull everything down from a Telegram channel. So, we’re going to get the metadata, we’re going to get the channel ID, because, you know, for right now the title of this is called Amigos de Evesiones Fides. Tomorrow, that could be literally anything else. But if you have the Telegram number, the actual channel number, you can continuously track that no matter how many name changes there are. The same is true for those usernames. So, we pull that all down. We have the metadata for your investigation to share with your clients if you’re sharing intel with someone else. And then, of course, after we have Valery Korovin, one name, now we have a whole spate of other identifiers that we can pivot on. So, we’ve got a Facebook group for this group as well as Twitter. We’ve got, of course, their Telegram. We’ve got a Yahoo address. So, it’s just a lot more information that we added. And it’s the same for Discord. We pull down server IDs; we make sure that we have the information that’s never going to change, even if a user handle or the title of a server or room does change.
Ari: Absolutely. And then we can start the actual hard work of investigating, right? At the end of the day, there are very few shortcuts in life. We’ve been lucky so far with these lead emails and other things that we came across. But sometimes you gotta, you know, put the elbow grease in there and really just look at all these various entities that come through, and you can do that easily in Falkor by enriching them to bring back information on the domains, on the social media profiles and more, to see if they are in fact front organizations or have any other types of relations to the actual individual that you’re looking at or not. We have other sources across Telegram as well, from parts of Latin America and even Italy and other global organizations that are promoting Korovin and these front organizations, that we can then look into further also. Now we’re going to conclude the investigative portion of this with one final tip that I would like to bring up. The Gnida project brought this up as well, but anybody could figure this out: the Fidel Castro Foundation is registered at the same physical address as a few other interesting groups. Firstly, we have the Russian House of International Scientific and Technical Cooperation. I haven’t looked into it myself yet, but who knows? It wouldn’t be the first time they’ve utilized scientific cooperation as a front for other sorts of activity. Eurasia itself is also based in that same building over here. The Russian influence outlet Geopolitika.ru, which is very well known, for anybody active in the space you should recognize that immediately, is also of course registered and based out of the same, comparatively small building in Moscow. You can look it up in Google Maps; it’s not very big. It doesn’t make sense that it’d be hosting so many large organizations.
And the lesson to keep in mind here, even though the CGE is registered, by the way, at a different address, is that threat actors always reuse, for a variety of reasons, right? Sometimes they can’t afford to rent two different places; they want to rent, they want to buy domains, they want to get new office space, wherever it happens to be, but they don’t, and they do utilize the same thing over and over again. So, whether it’s digital or physical infrastructure, if it’s being reused you can use that very effectively to find potential signs of a given organization being a front or otherwise uncover hidden ties, right?
Now you have to be careful about that as well, of course: if it’s a large office building it could be feasible that they’re all based in the same building, right? But you can check it out on Google Maps quite easily, see whether or not it makes sense that you have multiple large organizations in a given, you know, three-story building, right, let’s say, and then from there make your own decisions. And then we’ll conclude also over here with the Falkor geo search, which has the ability to search this area for social media data, other data points as well, and even connect other tools also to search if you have other geo-relevant data points too. So, on that note, let’s conclude, and I’ll let Steph also, if you have anything you want to add, let me know too, feel free to barge in here. Dark web data is critical for investigations of all kinds, right? Beyond just looking up leaked data, leaked creds, threat actor chat, and that sort of thing, we can utilize it for things like profiling, finding leaked geopolitical data of any sort of interest, right? Government data, that sort of thing, and we can utilize that leaked data to expose ties to additional organizations very easily. This is often like the shortcut that I mentioned earlier that we don’t often have, essentially, right? The leak data giving you that actual connecting point is what you can often utilize effectively. But there are other data points that we can utilize as well, that we can find, right? Shared physical addresses, reutilizing digital infrastructure and more are critical. And deep web data really can’t, in my opinion, shouldn’t be ignored for investigations of any kind, let alone influence operations investigations as well as looking into front groups. And we can utilize them to find, with a low amount of investment, let’s say, or time invested in this, international activity very, very easily. So, Steph, if you want to add to that, let me know.
And if not, I think we can move on to Q&A.
Steph: Love to. Just to repeat, front organizations are tricky. They’re a little difficult to follow, to get started, to know where to work with. But look, Ari and I started with one organization, one top-level domain, two human beings. We then got their selectors on social media, on the dark web. We found two other organizations, we had a global investigation, but we had to pivot, we had to turn around, we hit some dead ends. When we were first talking about this webinar, we were gonna maybe focus on Iran or a different kind, but Ari did an excellent job of saying, no, let’s do this, this is good, and then really made something that’s intimidating and a little difficult and complicated, simple, seamless, and you can see all the information we ended up with after starting with just three entities, an organization and two humans. So, Ari, hats off to you. Thank you for demonstrating how we can use deep web and Telegram and Discord data. It’s absolutely amazing. And I look forward to reading what you do in the future, because it’s awesome.
Ari: Thanks. And there’s a lot more, by the way. So, if anyone wants to see more, feel free to contact us separately, like I said. All right, the final step that I would do here for a Falkor plug before we go on to the Q&A is the monitoring dashboard. And this is also, of course, relevant for DarkOwl as well. Falkor has a full monitoring suite available, so you can set up dark web data over here to be monitored, right? Set up your keywords, your Boolean queries and strings, whatever you happen to have; you can set those up over here. I set one up for mentions of Eurasia.org and other mentions as well, and then you’re going to get a live feed of new onion data, Discord data, Telegram data and more coming in, relevant for that sort of data, also here as well. We also of course have a full alert mechanism set up through some of the keywords or things you want to be triggering rules for and that sort of thing; we can do that. And we also of course support social media. So, if you want to, say, follow Korovin’s Twitter account or follow any other individual’s Twitter account for your investigations, you can do that as well. And lastly, we also support RSS feeds. So, if you want to, say, track the OFAC RSS feed or any other RSS feed that you happen to have, no problem, you can throw it all in here and track all of those things in one pane of glass.
Steph: Super, super kudos to Falkor. There are so many tools out there and everything is very disparate, right? We’ve got RSS feeds and Slack and all of this, but what you guys have is a dashboard where you can truly have everything in one place, and that’s essential as an analyst. We’ve got enough information to deal with, so it’s an amazing, amazing product.
Ari: I’ll send that over to the development team. We’re very happy to hear that. I think we have some time then for Q&A.
Kathy: Yes, we do, and we’ve had some questions come in. The first one is in reference to Telegram: are there any possibilities to follow a target if a Telegram account is closed and not open?
Steph: Yeah, we absolutely do. So, you know, you can build infrastructure to try and ask for permission to enter. You can run different personas or try to get people that work in your organization into a closed or private Telegram. There are a lot of different ways to do that. Strike up a common conversation, strike up investigations, and just kind of see how you can break that door down based on observing other activities surrounding it and knowing what the types of discussion are that are happening inside those Telegram channels. It’s not a perfect science, you might get denied, but you can get into closed ones if you play your cards right. Yes. Ari, anything to add to that on your end?
Ari: No, I mean, that’s that. Listen, that’s, you know, like I said, sometimes there aren’t any shortcuts and you gotta just, you know, do the cold approach and hope it works out, right?
Kathy: Okay, well, staying on the topic of Telegram: considering that Telegram provides encryption and privacy features, why do threat actors still choose to communicate there instead of using more anonymous platforms like I2P, Tox, or peer-to-peer encrypted channels?
Steph: Yeah, absolutely. So, we see actors talk. I mean, I’ve been all over the web, right? I’ve been in this game for a lot of years. I’m very old and I’ve seen a lot of trends. So actors are openly stating that Telegram is safer. It is a Russia-based tool, right? It was developed by a Russian. And so, they feel that in lieu of the dark web, where they have openly identified, they feel that federal agents and law enforcement are working to try to take down criminal operations, criminal infrastructure, actors still feel that the majority of the safest tools are things like Telegram and Tox. They are definitely active on Tox. They have moved away as ransomware groups fall, as markets are shut down, think Silk Road, think AlphaBay. As all of those go away, they move to what they feel is safer. I do think that probably in the next two to four years here, we’re gonna see a migration away from Telegram, because you know how that goes. Once things get very popular and are used frequently, pivots for investigations change. They probably will feel that law enforcement will move there, but we see that all the time first, you know, with cryptocurrency, for instance. Bitcoin was viewed as very safe. Now they’re saying Bitcoin is a tool of the United States, you know, intelligence agencies and federal investigations, in their words and chats. So, they’re moving to Zcash, Litecoin, etc., etc. They openly espouse what they feel is safe versus what isn’t. And it’s our job as investigators to follow that. So that’s probably why, that’s definitely why they’re saying what they’re saying.
Ari: I have some points that I’d like to add to that. So, there are a few things to keep in mind, because the much vaunted, let’s say, encryption of Telegram really isn’t quite as good or as high quality as people say. We can get into it; it’s a whole separate thing. It’s not end-to-end encrypted by default, which is what really matters for the average user. The reason people use it, in my opinion, is that it’s a really effective town square. You wanna sell your cybercrime services online or make sure your leaks get, you know, spread and amplified and that sort of thing. It’s an amazing place to be active, and the barrier to entry is super low. You don’t need a computer. If you are a threat actor within a country in which GDP is low and you want to start scamming, and you don’t have a hundred bucks in your pocket, you can do that, for example, right? Instead of buying a computer and downloading Tor and having a reliable internet connection and doing that sort of thing, Telegram is much more accessible. You can buy a burner phone, remove the camera and microphone yourself if you’re that concerned, and kind of get to work. And then, like you said also, Steph, regarding Tox, move to Tox, move to any sort of end-to-end encrypted solution that’s a bit more secure for actual communications, which is a very common trend as well. So, there’s this town square market element of it that I think is incredibly appealing. And then it also has other features that make it appealing to threat actors as well. In fact, that it’s easy to use. In fact, there’s other content on there that’s also interesting. The built-in messaging experience is really seamless. There’s a lot of other reasons to use it as well. And I think it’s a fascinating platform, but those who know me know I also have a bias.
Steph: Great points.
Kathy: Great. Thank you. We’ve had another question: are leaks on the darknet not too old to use with efficiency?
Steph: Absolutely not. So human beings are creatures of pattern. They reuse passwords. They reuse their data. They can’t keep track of it. We do not have enough people. Think of your coworkers. Think of maybe older family members or something; they’re not using password keepers like 1Password, KeePass, et cetera, et cetera. They reuse something because it’s easy. So, if something is exposed and always out there, it’s very easy to keep reusing. We have had actors who have not changed their passwords since 2010, 2011. Not all of them. Some of them do have better opsec and cybersecurity, but it’s very, very simple to glom onto one password or one account or a handle or a username that an actor uses and then keep going with minimal changes throughout the years. It’s foolish, but they do it. So no, data that’s old is not too old to use, no matter where it’s from. There’s always a potential. Anything on your end for that, Ari?
Ari: No, that’s a great explanation. I mean, it depends also on your usage, right? I mean, if you’re just trying to protect, you know, if you have some leaked employee password from nine years ago, it’s probably not as bad as, say, something from last year. But, you know, for investigation purposes, it’s still quite as useful for pivoting. I don’t know that in terms of other stuff. So, it depends on what you’re doing, but yeah, I completely agree with you.
Kathy: We have one more question that came in. How else can dark and deep web data be used for investigations or attribution of influence operations?
Ari: And this is, I think, a really interesting topic, because people love to talk about attributing influence cyber operations online effectively, and the leaked data is one of the most effective ways to do so, like by far. Looking at past Twitter scrapes and Facebook leaks and that sort of thing, people manipulate the APIs of these platforms and then post all this account information online. There have been cases where known influence operation accounts and entities have had their personal information exposed, be that, say, the registration IP or their last used IP or their password or that sort of thing, that you can utilize to very effectively either further investigate or even kind of on the spot determine whether or not it’s an authentic account. So that’s one of the biggest things that I’d say that we see. And there have also been multiple cases of influence operators themselves experiencing leaks, right? So recently the SDA, the company behind Doppelganger, had a lot of data leaked on them; it hasn’t really made it much onto the dark web for a variety of reasons, right? But essentially the data is still leaked and available to certain other individuals. And that’s another way that we can expose other actual operators themselves, as we saw in this investigation. So, the leak data is in many cases the only way to investigate and attribute this activity, not a nice-to-have. Steph, is there anything you want to add to that?
Steph: Yeah, and as far as just other data on the dark web, people, criminals, actors, they do feel that the dark web, with its flaws and its security issues, is still one of the safest places online. So, they’re still very open, they’re still very transparent. They might be cautious at first, but as they carry on more operations and build bigger networks and build a name for themselves, selling data, infiltrating companies, getting infrastructure, they open up more, right? The dark web is full mostly of criminals. They have an ego. They want to talk about who they got into. They want to build themselves up. And so, every piece of information, despite what you’re looking for, what you might be working, ransomware, info ops, DDoS planning, you know, anything, there’s always a piece of intel on there. It’s just that you have to look harder to find it. But as Ari and I have mentioned, schedule a demo with us. We’d like to take you deep. We also want to show you how you can enrich open source OSINT or social media information with dark web intelligence. It works really well to enrich too. So, there’s a bunch of different lines of investigation and tactics, and we’d love to go deeper with you on that.
Kathy: Great. We do have a couple of minutes, and we had one more question come in. In other countries, considering that credit card details are frequently leaked on the darknet – does DarkOwl provide access to full credit card data to licensed companies, or is the data redacted for compliance and ethical reasons? Additionally, how does DarkOwl ensure that security teams using its platform do not misuse such sensitive financial information?
Steph: Let me answer that in two parts. So, we do indeed have full credit card details. Listen, at DarkOwl we are GDPR compliant, we are DOJ compliant, we do not purchase stolen data. That data is out there, openly available, whether it’s a forum where it’s sold or whether it’s a paste site where it’s hosted. It is open information that anybody who downloads the tools and knows how to access it can get. So, we do have that. As far as part two, we indeed have checks and balances. My CTO is always eager to jump on the phone and explain. I’m not going to get into those checks and balances here. Please do schedule a call with us, but we absolutely ensure that there is no misuse of sensitive information, whether that’s financial, PII, PHI, HIPAA, or protected. We absolutely have a way to address that, and I invite you to please get with us and we will explain that further in depth on the call, for sure.
Ari: The one thing I would add on top of that is that there is in fact a full auditing capability, right? So, inside of the actual system, admin users can go and audit all the actions taken by other users in the system to see that they’re utilizing all the data and sources they have appropriately and ethically.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.