Author: DarkOwl Content Team

Content, Content, Content: Top Blogs from DarkOwl in 2024

January 07, 2025

Thanks to our analyst and content teams, DarkOwl published over 115 pieces of content last year, another new record for the team. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2024.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. The Rise and Fall of Breach Forum… For Now?

In May, the popular data sharing dark web forum BreachForums was seized by law enforcement. At the time of writing, one of the clearnet mirrors was still up and pointing to a new Telegram channel promising to be back soon.

By 23 May, BreachForums was back with a new onion address; the administrators, ShinyHunters, announced the new site on Telegram. Initially, only those who had previously had an account were able to enter. Whereas its predecessor had many open areas, the new site required users to log in before any information could be shared. However, a few days later registration was opened.

Many in the community have speculated that this new site is a honeypot from law enforcement and are avoiding it. However, ShinyHunters have been posting large leaks from well-known organizations such as Ticketmaster, which some have speculated is intended to increase interest in the site again. Read blog here.

2. 😈 The Dark Side of Emojis: ☠️ Exploring Emoji Use in Illicit and Underground Activities 😈 

Did you know that there are 3,664 emojis available in the United States alone? Emojis, the small digital icons used to express emotions, ideas, or objects, continue to be an integral part of modern digital communication. And while their use is often benign, there continues to be a growing body of evidence that points to a darker side, one that supports illicit and underground activities. Criminals continue to exploit emojis to communicate covertly, conducting illegal transactions and targeting innocent victims, all while evading law enforcement and text-based detection systems.

To celebrate World Emoji Day, this blog highlights some of the emojis used in illicit and underground activities. We will dive into how emojis are evading law enforcement and text-based detection systems. This is by no means an exhaustive list of contributing factors but merely an analysis of common overlapping gaps. Full blog here.

3. StarFraud Chat – Telegram Channel Analysis using AI

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels have been used by threat actors to communicate, sell illicit goods, and share disinformation, among other activities. Monitoring these channels is important to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.

However, the volume of data in these channels can be very large. DarkOwl, therefore, wanted to establish whether AI (artificial intelligence) could be used to analyze the data included in a specific channel and what could be discerned from that data. Read blog here.

4. Site Spotlight: Doxbin

Doxbin is a paste site that allows users to post information in text format about other individuals, usually containing personally identifiable information (PII). Information is posted for a range of alleged reasons, which are usually provided in the title of the dox, and can contain extensive information about individuals. Although the site is currently hosted on the clearnet and maintains an official Telegram channel, it originally operated as an .onion site and is still used by dark web affiliated individuals.

In this blog, we explore the history of the site, who is behind it and the impact that it can have on the victims of a dox, as well as alleged recent activity related to the reported owner. Read more.

5. Darknet Marketplace Snapshot Series: Dark Empire Market 

Darknet marketplaces (DNMs) are synonymous with the dark web; they are where users can buy and sell illicit goods.

Traditional DNMs are defined as dark or deep web sites where numerous (often hundreds) vendors can sell various types of products ranging from drugs, digital goods, leaked databases, counterfeit documents, credit cards, etc.

As we continue our Darknet Marketplace snapshot series we will review Dark Empire Market, one of the most popular marketplaces available on the darknet today. Check it out.

6. Threat Actor Spotlight: SCATTERED SPIDER

In the digital age, there are many groups of threat actors operating in the cyber realm that target different industries and countries and have different motivations. It is important to monitor these groups in order to identify who they are likely to target, what methods they are using and how they are operating. In this blog, we explore one such group, known as SCATTERED SPIDER (SS) by security researchers. Read more.

7. Actor Spotlight: ShinyHunters

For fans of Pokémon, the name ShinyHunters refers to a practice of seeking out, capturing and collecting shiny Pokémon. However, on the dark web the term has a much more nefarious meaning.  

ShinyHunters is a cybercriminal group known for their high-profile data breaches and relentless pursuit of sensitive information, and has carved out a reputation as one of the most prolific and dangerous actors in the cybercrime arena.  

In this blog, we will take a deeper dive into their activities and their association with the dark web forum BreachForums. Read blog here.

8. Darknet Marketplace Snapshot Series: Ares Market

Dark web marketplaces are synonymous with the dark web where users can buy and sell illicit goods. It began with Farm Market, followed by the more prolific Silk Road. Ever since Silk Road was taken down by law enforcement, different markets have jostled for supremacy. As such, dark web markets are perhaps one of the more recognized things to appear on the dark web and they operate just like surface web marketplaces with reviews, escrow services and reputations.  

However, in recent years law enforcement have become more and more successful at shutting down these marketplaces, meaning that the vendors have to move to new areas. There have also been a number of exit scams from marketplaces with the admins closing down the site and taking the funds in escrow. 

Originally established in 2021, Ares Market is a well-known marketplace that offers a variety of products, from illicit substances and pharmaceutical substances to digital fraud products ranging from credit card fraud, cryptocurrency fraud, malware source code as well as a robust variety of counterfeit products like currency and IDs. Learn more.

9. ISIS Activity on Messaging Apps

The Islamic extremist group formerly known as ISIS (Islamic State of Iraq and Al-Sham) or IS (Islamic State), a designated terrorist group, came to prominence in 2014. Formed from al-Qaeda linked groups, it declared itself a caliphate and occupied territory in Iraq and Syria. IS is a transnational Islamic extremist movement that has more widespread support today in parts of Africa and Asia than at the time of its formation in 2014. The group has been responsible for and inspired terrorist attacks throughout the world, killing and injuring thousands. In this blog, DarkOwl analysts review recent terrorist attacks from IS and the group’s activity on Telegram and Rocket.Chat. Full blog here.

10. Gaming and the Darknet

In celebration of National Video Game Day on July 8th, this blog examines the intersection between gaming and darknet communities, notably instances of criminal activity targeting gamers or carried out by gamers themselves. This blog will highlight the prevalence of hacking in gaming communities—stolen accounts, pirated games, leaked data, etc.—as well as the infiltration of violent extremist ideologies into certain gaming communities. Read blog here.

2024, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2025 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

Threat Intelligence RoundUp: December

January 02, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Over 1,000 arrested in massive ‘Serengeti’ anti-cybercrime operation – Bleeping Computer

Between September 2 and October 31, 2024, an INTERPOL-led operation dubbed Serengeti resulted in the arrest of 1,006 suspects and the takedown of 134,089 malicious infrastructures and networks in 19 African countries. The joint INTERPOL and AFRIPOL operation specifically targeted criminals behind “ransomware, business email compromise (BEC), digital extortion and online scams.” Read full article.

2. FBI Busts Rydox Marketplace with 7,600 PII Sales, Cryptocurrency Worth $225K Seized – The Hacker News

In a December 12 press release, the U.S. Department of Justice (DOJ) announced the seizure of Rydox, an illicit online marketplace known for selling “stolen personal information, access devices, and other tools for carrying out cybercrime and fraud.” The press release also revealed the arrest of three Kosovo nationals for serving as Rydox’s administrators. Two of the administrators were arrested in Kosovo while the third was arrested in Albania. Article here.

3. INTERPOL Arrests 5,500 in Global Cybercrime Crackdown, Seizes Over $400 Million – The Hacker News

An INTERPOL-led operation dubbed Operation HAECHI V has resulted in the arrest of over “5,500 financial crime suspects and the seizure of more than USD 400 million in virtual assets and government-backed currencies.” Law enforcement from 40 countries participated in the five-month operation, which began in July 2024. As highlighted in an INTERPOL press release, the initiative specifically targeted seven types of frauds: “voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud and e-commerce fraud.” Read more.

In a November 22 report, Microsoft Threat Intelligence analysts revealed that the North Korean threat actor Sapphire Sleet stole over $10 million worth of cryptocurrency over six months. According to the report, Sapphire Sleet—also tracked as APT38, BlueNoroff, CageyChameleon, and CryptoCore—has engaged in cryptocurrency theft and “computer network exploitation activities since at least 2020.” Read here.

5. US sanctions Chinese firm for hacking firewalls in ransomware attacks – Bleeping Computer

In a December 10 press release, the U.S. Department of the Treasury (USDT) announced its sanctioning of the Chinese cybersecurity firm Sichuan Silence Information Technology Company for its role in the targeting of firewalls worldwide in April 2020. Companies targeted in the series of ransomware attacks also included U.S. critical infrastructure companies. The U.S. Department of Justice (DOJ) has also charged a Sichuan Silence employee—Guan Tianfeng—for his involvement in the same hacking campaign. Learn more.

6. Romania’s election systems targeted in over 85,000 cyberattacks – Bleeping Computer

On December 4, Romania’s top security council declassified reports from its intelligence agencies which revealed an extensive influence operation carried out by Russia against the Romanian presidential election. According to the agencies’ findings, Romania’s election infrastructure was the target of over 85,000 cyber attacks. Furthermore, in the weeks leading up to the first round of the presidential election, intelligence agencies identified 25,000 TikTok accounts supporting Călin Georgescu, a far-right candidate who has “vowed to end all Romanian aid to neighboring Ukraine.” Read full article.

7. AI-Powered Fake News Campaign Targets Western Support for Ukraine and U.S. Elections – The Hacker News

A 26 November report from Recorded Future’s Insikt Group revealed an additional influence operation carried out by a Russia-based entity in an effort to influence public opinion regarding the ongoing Russia-Ukraine war. The campaign—dubbed “Operation Undercut”—was executed by the Social Design Agency (SDA), which the United States sanctioned in March 2024 for “providing services to the government of Russia in connection with a foreign influence campaign.” Operation Undercut has been observed targeting audiences in the United States, Ukraine, and Europe. Read full article.

8. FBI spots HiatusRAT malware attacks targeting web cameras, DVRs – Bleeping Computer

In a December 16 Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) warned of HiatusRAT actors targeting Chinese-branded web cameras and DVRs. HiatusRAT—a Remote Access Trojan (RAT) used by threat actors to remotely gain control of a device—has focused on targeting devices waiting for security patches. This malicious activity was observed in March 2024, when the threat actors carried out a scanning campaign targeting Internet of Things (IoT) devices in several countries, including the U.S. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl 2024 Recap: A Quick Reflection & Updates

December 30, 2024

As 2024 comes to a close, our content and marketing teams are taking a moment to reflect on the exciting events, trends, and changes the DarkOwl team experienced throughout the year. We’re eagerly looking ahead to a successful and prosperous 2025 and extend our best wishes to all our customers, partners, and readers! Thank you for your support over the past year—your engagement, readership, and willingness to share our content means the world to us.

We hope you continue to find the topics we explore valuable, enlightening, and engaging. One final marketing reminder for the year: be sure to sign up for our weekly newsletter to stay updated on the latest insights from our research and content teams!

DarkOwl Around the World

Trade Shows and Events

DarkOwl made the rounds this year, traveling all over the world for trade shows and speaking sessions, and we are so glad to have been able to see our customers, partners, and prospects face to face. In 2024, the team attended several events all around the world, including in San Francisco, Las Vegas, Tampa, Omaha, Dubai, Riyadh, Singapore, Lille, Nuremberg, and more. Thank you to everyone who sat down with DarkOwl along the way. We hope to see even more of you on the road in 2025. Check out where we will be in 2025 and request time to meet here.

DarkOwl CBO, Product Engineer, Marketing Manager and Director of Strategic Partnerships at RSA Conference in San Francisco.
DarkOwl Darknet Analyst and Regional Director at Black Hat MEA in Riyadh.
DarkOwl CBO and Marketing Manager at AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD.
DarkOwl Product Engineer and Director of Client Engagement at OsmosisCon in Las Vegas.

The team not only traveled the globe for client meetings and conferences but also had plenty of fun back at DarkOwl’s headquarters in Denver, CO! With an increasingly remote-friendly workforce and a focus on attracting top talent, ensuring that everyone at DarkOwl remains connected has never been more important.

Team bonding at All Out Smash!
Team bonding at Ax Throwing

Two years ago, we adopted an owl! This year we renewed that adoption again! He jumped early from his Michigan nest in 2015, fractured his right wing in two places, and was on the ground for about a week next to a barn before he was picked up by the landowners and brought to a rehabilitation center. He was sent to the Raptor Education Foundation in Denver in August 2016, where he now lives. You can learn more about him on his dedicated adoption page.

We love our #Pets!

Gotta show some pet love as well from our Pets Slack Channel (the best channel).😻

Yearly reminder: DarkOwl analysts and their pets recommend you never use your pet’s name in any password combination as it is a popular term for threat actors using brute force attacks.

New Product Enhancements

At DarkOwl, we prioritize learning from our customers to ensure our products consistently deliver value. We are dedicated to enhancing our dark web data solutions with features tailored to the needs of analysts and threat intelligence teams. Here are some highlights from this year.

DarkOwl Purchases Certain Assets of Skurio Ltd.

In April, DarkOwl LLC announced that it has purchased certain assets of Skurio Ltd from the Administrators Keenan CF Ltd, effective March 22, 2024. These assets include certain customer information, source code, and other commercial material.

DarkOwl Revolutionizes Forum Data Analysis with Enhanced Structuring

DarkOwl announced a groundbreaking upgrade to its platform, empowering users with unparalleled insights into darknet forums. The new forum structuring feature represented a significant leap forward in data analysis, streamlining the user experience and enhancing the ability to extract actionable intelligence.

This evolution toward a more sophisticated approach allowed users to navigate darknet discussions like never before. DarkOwl enabled clients to reconstruct conversations in chronological order accurately and effortlessly, improved search capabilities, and streamlined navigation—empowering clients to uncover critical insights with ease.

Access to forum data, encompassing discussions on topics such as leaks, hacking, fraud, and more, in a structured format proved vital for organizations aiming to fortify their cybersecurity defenses and stay ahead of emerging threats. Additionally, forum usernames and enhanced user search capabilities facilitated deeper social and threat actor analysis. Clients could track threat actors’ activities across multiple threads and investigate all their communications within a particular forum. This advancement enhanced analysts’ ability to connect disparate pieces of information and identify emerging trends or patterns effectively.

Figures 1 and 2 (left to right): Previous view of a thread versus new enhanced view

Direct to Darknet

The team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

Figures 3 and 4 (left to right): Vision UI result and associated darknet result for guns in Miami

Website Mentions

One of our most requested features from clients went live earlier this year! Website Mentions is a feature extraction in our dataset, which provides more inclusive searching and monitoring for domain results. This helps you surface more results when you search—such as results with subdomains as well as domains within URLs. 

Site Context for Forums

Site Context is information from the DarkOwl analyst team that gives additional enrichment about search results. This includes the Site Name and any aliases, and may include relevant dates or other information. Where available, options to pivot to Actor Explore, or to pivot to search associated Telegram channels will be present.

In August, Jennifer Ewbank, former Deputy Director of the CIA for Digital Innovation and founder of Andaman Strategic Advisors, joined the DarkOwl Board of Directors.

Ewbank brings decades of experience spanning technological innovation, operating expertise, geopolitical risk management, strategic global engagements and public-private partnerships.  As Deputy Director of the CIA for Digital Innovation, Ewbank guided what was a start-up inside the organization to a fully operational global team. Ewbank also led her global workforce in developing a competitive digital strategy, realigning projects to mission partners’ top priorities, and promoting integrated technical development across organizational boundaries. She also named the CIA’s first Director for AI and sponsored an ambitious AI strategy to achieve competitive advantage over global adversaries.

We are thrilled to have her on the team!

We understand how incredibly challenging it is to maintain insight into everything the threat actors have insight into. This year, we put an emphasis on leveraging our company’s expertise in darknet technology to gather the data that allows our clients and their customers to stay ahead of potential threats.

Newly announced partnerships include: 


Don’t miss any updates from DarkOwl in 2025 and get weekly content delivered to your inbox every Thursday.

Scam Season Continues: Holiday Fraud

December 19, 2024

This year’s Black Friday online shopping set a new record, with a total of $10.8 billion in sales. Meanwhile, according to Forbes, holiday shopping sales are expected to exceed $260 billion this year. With much shopping left to be done before the holidays, it is vital that buyers be cognizant of the types of holiday-related fraud often observed during this season. In light of the FBI’s recent warning to consumers regarding holiday fraud, this blog examines some of the most frequently observed holiday scams as well as recommendations for how to best defend oneself in the face of increased cybercriminal activity.   

Online Shopping Scams 

Online shopping-related scams remain some of the most prevalent during the holiday season, as previously highlighted in DarkOwl’s Black Friday Scams blog. Among these, so-called “non-delivery” scams are especially common, and involve criminals offering deals—often via phishing emails or fake online advertisements—to attract consumers. The advertised items tend to be highly coveted goods, such as electronics or designer products, and are listed at a suspiciously low price. As the name “non-delivery” implies, the items are purchased but never received. The FBI’s Internet Crime Complaint Center (IC3) revealed in a 2023 report that non-delivery and non-payment scams (when goods are shipped by sellers but payment is never received) cost victims more than $309 million that year.  

In a recent report from EclecticIQ, analysts identified a phishing campaign targeting online shoppers in Europe and the U.S. for Black Friday. EclecticIQ assesses with high confidence that the campaign was likely carried out by a Chinese threat actor which the firm dubbed “SilkSpecter.” The report lists several identified phishing domains, including one posing as the American company The North Face. DarkOwl analysts located an additional fake North Face domain featuring the keyword “Christmas,” instead of “Black Friday.” As can be seen in the screenshots included below, the fake website uses a simplistic font that does not match that of the legitimate North Face website. Moreover, the website’s listings appear to be limited entirely to deals, all of which feature up to an 80% discount. The significant discount in and of itself stands out as a red flag, particularly when paired with promises of “free gifts” if buyers meet a baseline purchase amount. Additionally, most items appear to be in low stock, a detail meant to pressure buyers into purchasing the item as quickly as possible while supplies last. Finally, in the “contact us” section, the fake website lists an email that does not appear anywhere on the official North Face website. Unlike genuine customer service emails, the one included on the scam website does not use a North Face domain or any associated keywords.  

Figure 1: Legitimate North Face Website 
Figure 2: Legitimate North Face Website 
Figure 3: Illegitimate Listing   
Figure 4: Illegitimate Listing Featuring “Free Gifts”
Figure 5: Fake Customer Service Email 

Holiday Getaway Scams 

Similar to fake shopping websites mimicking legitimate businesses, scammers may also attempt to attract individuals to fake travel websites. In these instances, the scammers’ goals are the same: obtain victims’ personal information, including full names, social security numbers, and credit card numbers. Illegitimate travel-related websites may advertise non-existent getaways, flights, and accommodations.  

Phishing/Smishing 

Phishing emails, which aim to deceive victims into sharing personal information or installing malware, increase significantly during the holiday season. In an effort to mislead targets, senders often spoof a legitimate business and convey a sense of urgency. Claims of a failed package delivery or a delay in delivery are particularly common, especially during the holiday season when there is a greater urgency to receive packages on time. These fraudulent messages will often encourage the receiver to click a link to track/change a delivery or to update the payment method. Smishing—phishing via text message—has seen a notable rise over the past few years, particularly since 2020, and continues to persist. This method of delivery combined with the use of AI to fabricate convincing messages free of spelling errors has rendered the phishing threat landscape even more complex and difficult to navigate.   

Fraudulent Charity Scams 

In addition to shopping-related scams, the FBI has warned of charity scams being carried out during the holiday season. These scams are characterized by scammers creating fake charities or imitating legitimate charities to solicit donations through “phone calls, emails, crowdfunding platforms, and social media.” As highlighted by Forbes, these scams often prey on sympathy by appealing to victims emotionally. Moreover, as is often the case with phishing emails and texts, fake charity scams may also be characterized by a sense of urgency to pressure victims into donating.  

Gift Card Scams 

The IRS has notably warned of an increase in gift card scams in which scammers impersonate a legitimate company or government official to request gift cards. The agency has warned that scammers may send requests via email or call their victims to demand payment. In some instances, the fraudsters may even impersonate a colleague or acquaintance to request the purchase of a gift card and to subsequently share the card information.

The FBI has also warned of gift card “draining,” another form of gift card fraud in which criminals steal the number and security code from a gift card in a store and re-seal the card for future purchase by an unknowing victim. 

  • Do not click on any suspicious links received via email or text, or located online. Phishing emails and texts often include links which, when clicked, may prompt the receiver to enter personal information or can even download malware on the device.  
  • Do not respond to any suspicious texts or emails; doing so may prompt further phishing and smishing messages.  
  • Verify websites, as scammers may spoof legitimate businesses and advertise fake deals. Before making any purchases, inspect the website’s URL to ensure that it is legitimate and has an “https” address, indicating that the site is secure. Fake shopping websites may also include grammatical errors and low-quality images.  
  • Do not pay with pre-paid gift cards when prompted by sellers. Scammers often request payment via gift card to steal the card’s funds. Using a credit card instead can allow consumers to dispute charges and recover funds, if needed. 
  • Inspect gift cards in stores; do not purchase the card if the packaging appears to have been tampered with.  
  • Research advertised charities through trusted sources to avoid being scammed by fake charities.  

Ultimately, while holiday scams may be on the rise, there are steps individuals can take to safeguard themselves against these threats. Individuals are also encouraged to report suspicious websites (fake shopping sites, fake charities, etc.), phishing emails, and phishing texts to the Federal Trade Commission (FTC) and the FBI’s Internet Crime Complaint Center (IC3). Additional information can support these agencies’ investigations into reports of fraud and help prevent further scams.


Never miss a thing from the DarkOwl team. Subscribe to email.

What Black Hat MEA Told Us About Threat Intelligence 

December 17, 2024

DarkOwl was delighted to attend the Black Hat Middle East & Africa (Black Hat MEA) conference in November. As the region’s tactical and strategic threat intelligence demands continue to grow rapidly, we take a close look at the reasons behind the sector’s buoyancy and what the success of the conference means for the Gulf’s cyber sector. 

Lindsay Whyte, Regional Director, and Richard Hancock, Darknet Intelligence Analyst, represented the DarkOwl team. Black Hat MEA describes itself as a leading cybersecurity conference and exhibition held in Riyadh, KSA. The event brings together cybersecurity professionals, cutting-edge technologies, solution providers, and decision-makers from around the world, condensing several months of networking into just three days.

Saudi Arabia is investing heavily in its cybersecurity industry as part of economic diversification and the Vision 2030 initiative. The Kingdom is funding the cybersecurity sector through several key approaches: 

  • Government spending: The Saudi government allocated 2.3 billion Saudi Riyals (SAR) ($600 million) to cybersecurity in 2023.
  • Strategic collaborations: The National Cybersecurity Authority (NCA) is stimulating the market by encouraging innovation and supporting technology transfer.
  • Cloud security investment: 60% of Saudi enterprises are planning to increase their cloud security budget by an average of 35% in the next year.

Increased funding in the country fosters a robust cybersecurity ecosystem, attracts both local and international investments, and positions Saudi Arabia as a leader in the global cybersecurity field. No wonder a Black Hat conference a one-hour drive into the desert attracted 10,000s of visitors!

Collaboration around tactical threat intelligence was a major theme at Black Hat MEA. 

This was encapsulated by Brett Winterford from Okta, who remarked that OpenID’s Shared Signals Framework is an encouraging step towards inter-organisational data sharing. The Shared Signals Framework (SSF) provides a secure and privacy-preserving way for organisations to share information via events. It uses a standard format for representing these events and a secure transport mechanism for sharing them. This makes it easy for organisations to integrate SSF into their existing security infrastructure and to share signals with a wide range of partners.

Likewise, Ben Collier from Google Cloud spoke of the ‘Sectoral SOC’ model – a SOC of SOCs sitting directly above numerous sub-SOCs (be they in the same umbrella organisation or not), responsible for threat actor analysis, EDR and creating guidance and recommendations to regulators as a single face.

When trends towards centrally managed intelligence (as outlined above) combine with growing cloud adoption, the opportunities for effective AI use cases become apparent.

Jennifer Ewbank, former Deputy Director of Innovation at the CIA, spoke about the benefits of AI and the possibility of AGI (‘Artificial General Intelligence’, in which machines develop near-consciousness). Kevin Jones, CISO at Bayer, spoke to the benefits of ‘SecLM’ and of applying AI to data, with robust data security as a critical condition for seeing tangible benefits at scale.

A central theme of Marina Fulwood’s presentation (in her capacity as Head of Threat Intelligence at Unilever) was the need for proactive threat intelligence, especially in an age of industry- and country-level exposures to nation-state actors, ransomware groups and financially motivated Initial Access Brokers (IABs).

As clearly illustrated by the exhibition hall at Black Hat MEA, the threat intelligence market in the Middle East is growing rapidly.

The region has seen a significant rise in targeted cyber-attacks, particularly against critical infrastructure such as oil and gas industries. The average cost per data breach in the Middle East is $8.07 million, second only to the USA globally. Ongoing conflicts and rivalries in the region have additionally led to an increase in state-sponsored cyber threats.

With unification and centralisation come demands for Dark Web monitoring. Dark Web data is crucial for Security Operations Centers (SOCs):

  • Early threat detection: Dark Web intelligence allows SOCs to identify potential risks and data breaches sooner, enabling faster mitigation of threats. 
  • By monitoring Dark Web activities, SOCs gain valuable insights into emerging threats, cybercriminal strategies, and tactics, techniques, and procedures (TTPs) employed by threat actors. 
  • Access to Dark Web data helps SOCs understand the scope of cyber threats affecting their organization, leading to more effective incident response (IR) strategies. 
  • General risk mitigation: By providing ‘atmospheric’ early warnings, SOCs extend the value of the investment to cross-functional teams like StratComms, PR and the C-Suite.

Just as organisations increase their visibility over OSINT sources and dark web marketplaces as part of a maturing Threat Intelligence adoption, so too do threat actors constantly evolve their behaviour to stay private.

As Threat Intelligence experts like DarkOwl index new sources of threat actor chatter, so must these actors find new ways to communicate and advertise with the widest possible reach.  

With Saudi Arabia’s 2022 Financial Sector Cyber Threat Intelligence Principles containing specific reference to Dark Web monitoring (Principle 5), we anticipate growth in Darknet intelligence and demands in a region growing in geopolitical and economic significance. 

See you at Black Hat MEA in 2025!



Executive Protection and the Dark Web

December 12, 2024

The recent act of targeted violence in New York against Brian Thompson, a health insurance company CEO, unfortunately highlights the need to proactively monitor the dark web and other sources for threats to high level executives.  

Individuals with grievances which can lead to targeted violence often show signs of leakage, which means attacks can be prevented. Furthermore, any exposure executives may have online, including any details about their movements, could be used for real world targeting. The suspected perpetrator stated he was able to conduct the attack with “basic social engineering.” The more information that threat actors can find out about an individual, the more likely they are to be able to successfully target them.

As instances of data breaches, identity theft, ransomware attacks, and other illicit activities on the dark web continue to increase, it is vital that executive protection efforts adapt to the evolving cybersecurity landscape. Gone are the days of purely physical security-focused executive protection; a comprehensive approach to risk mitigation must now account for the continued rise in cyber threats. This blog provides an overview of the potential impacts of data leaks and breaches on executive security and examines the importance of monitoring for violent rhetoric and reputational damage on the dark web.  

One of the primary threats posed to executives on the dark web is data leaks and breaches. As highlighted in DarkOwl’s “Navigating the Dark Waters of Leaks and Breaches” blog, data leaks are the “unintentional or accidental release or exposure of information,” often due to human error or faulty software. Data breaches, in contrast, are the result of a cyber attack carried out with the intention of accessing, stealing, or manipulating data. Breaches and leaks can be found across the dark web, particularly on hacking forums such as BreachForums. Data breaches continue to be on the rise, with some of the most damaging breaches this year including more than 1 billion stolen records. The persistent increase in breaches over the past few years (data breaches in the U.S. rose by 78% in 2023 compared to 2022) can be accounted for, in part, by the emergence of new ransomware gangs and the evolution of ransomware attacks.

Given the expansive nature of many of these leaks and breaches—such as the recent 2024 National Public Data leak, which affected millions of customers—there is a possibility that executives may be impacted. The exposed data can include a variety of personally identifiable information (PII), including:

  • Full name
  • Job title
  • Employment history
  • Home address
  • Phone number
  • Social Security number (SSN)
  • Driver’s license number
  • Passport number
  • Professional email address
  • Personal email address
  • Credit card number
  • Medical records
  • Social media handles/account information
  • Passwords
  • Cookies

Monitoring data leaks and breaches can allow for the mitigation of threats and malicious activity directed at executives. Indeed, exposed PII can be used by threat actors for a variety of illicit activities, particularly:

  • Identity theft: exposed names, Social Security numbers, credit card information, and bank account numbers can be used to carry out various types of identity theft, including financial, Social Security, and medical identity theft. The identities can be used to gain benefits and commit fraud.
  • Physical threats: the exposure of home addresses can turn a cyber threat into a physical security threat, as threat actors may use the information to engage in stalking, harassment, or violence. Identifying exposed PII can allow for steps to be taken preemptively to secure the executive’s home, whether through surveillance or the installation of additional security devices.
  • Cyber attacks: exposed information can be used by threat actors to carry out social engineering operations such as phishing attacks. Personal and professional emails exposed in leaks and breaches can be used to more convincingly impersonate executives when sending fraudulent emails requesting access to sensitive data.
  • Espionage: leaked executives’ passwords can provide threat actors with the opportunity to engage in corporate and personal espionage by gaining access to emails and internal systems. This type of unauthorized access can allow threat actors to not only steal confidential documents, but also to blackmail and extort executives.
  • Doxing: PII exposed in leaks or breaches can be acquired by threat actors and used to carry out doxings—a form of cyberbullying that involves sharing an individual’s personal information. In extreme scenarios, doxings can result in death threats against the doxed individual. The dissemination of this information—specifically home addresses—may also result in instances of swatting, the act of placing hoax phone calls to emergency services to prompt the response of a Special Weapons and Tactics (SWAT) team.

Figure 1: Example: Data Leak Credit Card Exposure

Figure 2: Example: Doxing and Swatting Threat

In addition to monitoring data leaks and breaches for executive exposure that could result in identity theft, physical threats, targeted cyber attacks, and doxing, a comprehensive executive protection plan should also account for negative chatter on the dark web. Threatening, negative rhetoric directed at organizations and their executives is often seen across social media platforms and imageboards on the surface web, particularly on sites such as 4chan and X (formerly Twitter). Threatening language, however, can also be observed across the deep and dark web, particularly on the dark web-adjacent messaging app Telegram. In some instances, this can include death threats.

Conducting searches for violent rhetoric directed at executives on the dark web using threat detection tools can provide analysts with a more holistic understanding of the dark web threat landscape, and can allow for the identification of threat actors before they are able to carry out attacks. Monitoring the dark web and dark web-adjacent sites can also reveal instances of individuals impersonating executives by using their names or profile pictures. While this type of impersonation isn’t always directly harmful (particularly if the spoofer is posting in channels with few followers), it does have the potential to cause reputational damage depending on the type of content the individual is sharing and the extent of their reach.

The sheer amount of PII exposed in leaks and breaches across the dark web highlights the significance of incorporating dark web monitoring into executive protection plans. In addition to a high probability of exposure given the frequency and scale of leaks—many of which impact millions of individuals—a holistic executive protection plan can also benefit from the monitoring of dark-web adjacent platforms such as Telegram for possible threats or instances of reputation damage. Ultimately, the possibility of threatening rhetoric directed at executives as well as exposure in leaks reflects a need for executive protection to adapt to a continuously evolving threat landscape.



Celebrating National App Day: The Dual-Edged Sword of Mobile Applications

December 11, 2024

As we celebrate National App Day, it’s essential to take a moment to appreciate the remarkable impact that applications have on our daily lives. From enhancing productivity to providing entertainment, apps have revolutionized the way we interact with the digital world. However, as a company operating in the darker corners of the internet, we also want to bring to light the complexities and challenges that come with this technology, especially concerning privacy and security. 

According to Statista, as of 2023, there were over 2.9 million apps available on the Google Play Store and around 1.6 million on the Apple App Store. These applications serve various purposes—from social networking and online banking to gaming and health monitoring. As the digital landscape evolves, so do the expectations of users. There is now a greater demand for more from apps in terms of functionality and security. 

Mobile applications have become a fundamental part of our lives, allowing for seamless communication, efficient organization, and quick access to information. It should be no surprise that the convenience apps offer often comes at a cost: personal data security.

While many apps prioritize user privacy and data protection, not all do. The darknet thrives on the exploitation of vulnerabilities present in applications. Users often overlook the permissions they grant to apps, sometimes unknowingly allowing access to sensitive data like location, contacts, and even camera feeds. 

A recent report from Cybersecurity Ventures predicts that cybercrime will cost the world $10.5 trillion annually by 2025. With a significant portion of these crimes linked to insecure applications, it’s crucial for users to remain vigilant about the apps they download and use. 

The rise of data breaches has made headlines in recent years, with millions of users’ data exposed due to inadequate security measures. For example, the Facebook-Cambridge Analytica scandal revealed how personal data could be misused for political gain, leading to an erosion of trust among users. 

Moreover, research from the Electronic Frontier Foundation (EFF) indicates that many popular apps track users across various platforms, creating extensive profiles that can be sold or exploited. In a world where our digital footprints are continuously monitored, understanding the privacy policies of the applications we use is paramount. 

As a company that operates within the dark web, we witness firsthand how individuals seek refuge in anonymity and privacy. Many users turn to the dark web to evade surveillance and censorship, believing they can escape the prying eyes of corporations and governments. However, this area is fraught with dangers, including scams, malware, and the risk of exposure. 

The dark web is not inherently malicious; it can serve as a platform for free speech and privacy. Still, it’s essential for users to navigate this space cautiously. Educating oneself about the potential risks and the tools available for protection—such as VPNs and encrypted communication apps—can empower users to make informed decisions. 

On this National App Day, we encourage everyone to reflect on the applications they use and the information they share. Here are a few tips to ensure a safer app experience: 

  1. Review Permissions: Always check the permissions an app requests before downloading it. If an app asks for access to data it doesn’t need to function, consider looking for alternatives.
  2. Update Regularly: Keep your apps updated to ensure you have the latest security features and patches.
  3. Use Trusted Sources: Download apps only from official app stores, as these platforms typically have measures in place to reduce the risk of malware.
  4. Educate Yourself: Stay informed about the latest security trends and understand how to protect your data.
  5. Consider Alternatives: Explore privacy-focused applications that prioritize user data protection, such as Signal for messaging or DuckDuckGo for browsing.

As we celebrate the innovations and conveniences that applications bring to our lives, it’s vital to remain aware of the associated risks, especially in a world where data privacy is constantly under threat. The dark web serves as a reminder of the importance of anonymity and security, but it also highlights the need for caution and vigilance. 

On this National App Day, let’s not only appreciate the convenience of our favorite apps but also commit to using them wisely and responsibly. The digital landscape is ever-evolving, and our approach to it must evolve as well. Stay safe, stay informed, and let’s make the most of the technology at our fingertips. 



DarkOwl and 3B Data Security Partner to Strengthen Cyber Security Offerings

December 09, 2024

This collaboration will provide organizations with advanced tools and expert guidance to navigate today’s ever-growing complex threat landscape while safeguarding critical data assets.

DarkOwl, the leading provider of darknet data and intelligence, and 3B Data Security, a trusted provider of data breach response and cybersecurity consultancy services, are excited to announce their partnership to bring the benefits of darknet data to 3B Data Security customers worldwide.

DarkOwl is the leader in darknet data, providing actionable darknet data insights which enable organizations to monitor, detect, and respond to emerging threats. By leveraging DarkOwl’s industry-leading darknet intelligence platform, organizations can gain unparalleled visibility into malicious activities occurring on the deep, dark and high-risk webs as well as on darknet-adjacent sites. 3B Data Security, known for their tailored cybersecurity services covering digital forensics, incident response and data breach management, will integrate DarkOwl’s darknet data into its suite of offerings and services. Together, the collaboration empowers 3B Data Security to provide their clients with proactive threat detection and remediation strategies, by uncovering critical insights, identifying emerging threats, and conducting comprehensive investigations with efficiency and accuracy.

“We’re pleased to partner with DarkOwl to bring advanced dark web scanning capabilities to our clients. We chose DarkOwl because of the strength and reliability of their platform, allowing us to offer effective solutions that help businesses identify and manage risks. This partnership reflects our commitment to providing the best tools and services to support our clients’ security needs,” shares Keith Cottenden, Director of Operations at 3B Data Security.

Mark Turnage, CEO and Co-founder of DarkOwl shares the same sentiment, “Partnering with 3B Data Security to provide our darknet data to their clientele is an exciting step to making sure all cyber intelligence includes darknet data. Because the darknet serves as a sanctuary for illicit activities, insight into its activities is essential for comprehensive investigations.”
 
About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact us.
 
About 3B Data Security
3B Data Security are a specialist cyber security consultancy organization, with a wide range of services that cover everything you need when it comes to cyber security, information security, regulatory compliance, breach response and much more. Find out more.

Have You Considered Dark Web Intelligence? A Business Leader’s Guide to Enhanced Organizational Resilience

December 05, 2024

In today’s digital landscape, organizations face an ever-evolving array of cyber threats that demand increasingly sophisticated defense strategies. While traditional security measures remain essential, forward-thinking business leaders are discovering a powerful new dimension of cybersecurity: dark web intelligence. This strategic capability provides crucial early warning signals and actionable insights that can prevent costly breaches before they occur.

The dark web has emerged as the primary marketplace where cybercriminals trade stolen data, hacking tools, and illicit services. Yet what many executives view solely as a threat represents an opportunity as well. Leading organizations are turning this challenge into a strategic advantage by leveraging dark web intelligence to strengthen their security posture and protect their assets.

The value proposition is clear and compelling. When corporate credentials or sensitive information surface on dark web forums, organizations typically have a brief critical window before actual breach attempts begin—a crucial period for preventative action that can mean the difference between a costly breach and a thwarted attack. Recent industry reports indicate that the average cost of a data breach now exceeds $4.5 million, but organizations that effectively utilize dark web intelligence and reset compromised credentials before exploitation see dramatic reductions in breach impact and incident response costs.

Early warning through dark web monitoring also can help organizations avoid severe regulatory penalties, including potential fines under GDPR, HIPAA, and state-level laws such as the California Consumer Privacy Act. SEC regulations now also mandate prompt disclosure of material cybersecurity incidents, with potential civil penalties for non-compliance. Early detection can help organizations address potential breaches before they trigger these costly reporting requirements.

Across sectors, the applications are profound. In financial services, some institutions continuously monitor dark web channels for stolen payment card data, compromised credentials, and emerging fraud schemes. Some healthcare providers use this intelligence to detect potential HIPAA violations before they escalate into reportable breaches and to protect critical medical device credentials. And for a number of critical infrastructure operators, dark web intelligence has become crucial as ransomware groups increasingly target essential services, requiring organizations to identify and mitigate threats before they can impact operations.

Government agencies, despite their own capabilities, should look to commercial dark web intelligence as a crucial component of national security and law enforcement operations. CISA’s threat intelligence sharing programs demonstrate the value of this approach, while the FBI and Treasury Department leverage dark web intelligence in cybercrime and financial crime investigations. Yet much remains to be done to ensure our national security agencies are truly leveraging the full insights available through deep dark web research and intelligence, since most agencies lack the personnel or technical resources to collect and analyze dark web data at scale.

The selection of a dark web intelligence provider represents an important strategic decision. There are reputable U.S.-based companies – noteworthy among them being DarkOwl – who offer these services through carefully reviewed legal and ethical frameworks. Organizations should prioritize providers with strong compliance records, ethical data collection methods, and established industry reputations. Beyond these foundational principles, it’s crucial to recognize that more comprehensive data typically yields improved insights in today’s digital threat landscape.

For maximum impact, dark web intelligence should be seamlessly integrated into existing cybersecurity and risk mitigation programs. Organizations that successfully integrate this intelligence find their threat intelligence platforms become more robust, their incident response procedures timelier, and their compliance programs more comprehensive. With an average of only about five days warning before credential exploitation attempts, security teams gain precious time to prevent rather than merely respond to threats.

Looking ahead, artificial intelligence and machine learning are revolutionizing threat detection capabilities, enabling more sophisticated analysis of dark web data and automated response protocols. However, threat actors continue to develop more sophisticated techniques, and the regulatory landscape grows increasingly complex. Organizations must stay informed about these developments to maintain effective security postures.

The reality of modern cybersecurity is clear: knowing what adversaries know about your organization isn’t merely an advantage—it’s a necessity. Forward-thinking leaders who embrace dark web intelligence position their organizations for success in an increasingly dangerous digital landscape. Whether the result is actionable intelligence or confirmation that no threats exist, the value of this visibility in today’s threat environment cannot be overstated.



Computer Security Day: Safeguarding Your Digital Life in the Age of the Dark Web

December 04, 2024

November 30th marked Computer Security Day, a reminder to individuals and organizations about the importance of protecting digital assets and maintaining online safety. In an era where cyber threats are increasingly sophisticated, the dark web plays a pivotal role in facilitating cybercrime. This year, let’s explore Computer Security Day through the lens of the dark web, highlighting the critical need for vigilance in a digitally interconnected world. 

The dark web is a part of the internet that requires specialized tools, such as Tor, to access. While it has legitimate uses, it is notorious for hosting illegal marketplaces, forums, and platforms that trade in stolen data, hacking tools, and other illicit goods. Cybercriminals leverage the dark web to:

  • Sell stolen personal information (e.g., credit card numbers, passwords, and Social Security numbers). 
  • Distribute malware and ransomware. 
  • Share hacking tutorials and exploit kits. 
  • Launch coordinated cyber attacks against businesses and governments. 

This criminal ecosystem thrives on the vulnerabilities in computer systems, making Computer Security Day more relevant than ever. 

There are many activities on the dark web which exploit computer vulnerabilities. Each of these can have serious ramifications for organizations, so it is important to monitor for these threats and ensure your systems and employees are secure. Below are some examples of dark web activities to be aware of on Computer Security Day and beyond.

Data Breaches and Identity Theft 

Stolen data is a commodity on the dark web. Following a data breach, personal and financial information is often listed for sale, enabling identity theft and fraud. For example (all of the examples below are from DarkOwl Vision):

  • Credit card details are sold for as little as $10
  • Social media credentials can be bought for under $5 

Once your information is exposed on the dark web, it becomes nearly impossible to reclaim control without proactive security measures. 

Hacking Tools for Sale 

The dark web acts as a one-stop shop for cybercriminals. Tools like keyloggers, phishing kits, and zero-day exploits are readily available, lowering the barrier for entry into cybercrime. Despite sometimes appearing simplistic in nature, these tools are tried and tested and can be very effective in allowing unsophisticated users to achieve maximum disruption.

Ransomware as a Service (RaaS) 

Ransomware attacks, which encrypt victims’ data until a ransom is paid, are increasingly being offered as “services” on the dark web. This enables even non-technical criminals to launch devastating attacks. It is also used as a way to shame victims, posting samples of data onto Ransomware leak sites and opening organizations in the supply chain to further attacks.  

On Computer Security Day, taking proactive steps to secure your digital presence is crucial, especially given the risks posed by the dark web. Here’s how you can protect yourself and your organization: 

  • Monitor the dark web for activity 
    • Monitor the dark web for your organization’s assets to ensure they are not being shared without your knowledge.
    • Monitor activities of dark web actors to stay ahead of trends and activities.
  • Strengthen Your Passwords 
    • Use strong, unique passwords for every account. 
    • Enable multi-factor authentication (MFA) wherever possible. 
  • Monitor Your Digital Footprint 
    • Use tools like dark web scanners to check if your data has been compromised. 
    • Regularly review online accounts for unauthorized activity. 
  • Update and Patch Systems 
    • Keep your software, operating systems, and antivirus programs up to date. 
    • Apply patches to fix vulnerabilities that hackers could exploit. 
  • Be Vigilant About Phishing 
    • Avoid clicking on suspicious links or downloading unknown attachments. 
    • Educate yourself on identifying phishing attempts. 
  • Secure Your Network 
    • Use a virtual private network (VPN) to encrypt your internet traffic. 
    • Invest in a robust firewall to protect against unauthorized access. 

Computer Security Day reminds us that cybersecurity is everyone’s responsibility. Whether you’re an individual or part of a multinational corporation, your actions can help prevent the dark web from profiting off cybercrime. This includes reporting suspicious activity, supporting ethical tech initiatives, and staying informed about emerging threats. 

While the dark web continues to challenge cybersecurity professionals, advancements in technology, collaboration between law enforcement agencies, and public awareness campaigns are critical steps toward mitigation. By taking the lessons of Computer Security Day to heart, we can create a culture of digital security that limits the power of the dark web and its associated risks. 



DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.