Author: DarkOwl Content Team

Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

June 23, 2025

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market; it was the market. With roughly 600,000 users and 3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $250–290 million in illicit goods, making it a titan among darknet marketplaces.

From June 11–13, 2025, Operation Deep Sentinel, led by Germany’s BKA and supported by Europol, Eurojust, Homeland Security Investigations (HSI) and law enforcement from five other countries, executed a coordinated takedown. Servers were seized in the Netherlands, digital assets were frozen, and the suspected site administrator, a 30-year-old German, was arrested in Barcelona. In addition, authorities confiscated millions in cryptocurrency, luxury vehicles, phones, and drugs in sweeping raids.

A curious twist: law enforcement published an animated video at operation-deepsentinel.com, loosely depicting the takedown. Many speculate the video served less as documentation and more as a taunt to the dark web community. 

Confusion swirled on dark web forums when the site went offline under the guise of “maintenance,” a classic precursor to an exit scam. Then came an even stranger development.

Before any official press release, a post appeared on the dark web forum Dread, allegedly from Archetyp’s administrator. It claimed the site was down, that the admin had been arrested, and that he had already been released. Users were quick to point out the implausibility of the story, especially the idea that a darknet market admin could be arrested, released, and back on the dark web within 24 hours.

This raised an intriguing question…

Adding to the mystery, both the Dread post and the animated video referenced a “Deadpool,” a betting pool on when Archetyp would go down. Was this an inside joke among investigators? A psychological tactic to sow distrust?

Based on chatter in vendor “proof-of-life” posts and on site mentions, Abacus and Drughub are emerging as the likely successors to Archetyp. Abacus, while notoriously difficult to access due to aggressive CAPTCHA and account requirements, is seeing a surge in mentions.

Only time will tell which market takes the title. 

Despite massive seizures of drugs, crypto, phones, and vehicles, the takedown is a setback, not a solution. Darknet operators are nimble and decentralized, already whispering across Telegram, Signal, and encrypted forums.

Still, for a brief moment, the shadows flickered.
And one of the internet’s most notorious drug markets is down.


Stay up to date. Follow Us on LinkedIn.

DarkOwl Responds to Shifting Darknet Priorities for National Security Agencies (Memo from ISS Europe) 

June 18, 2025

For over a decade, ISS World has served as the primary nexus where cutting-edge cybersecurity technology meets real-world law enforcement needs. 

The conference bills itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering”—and it delivered. 

DarkOwl has attended ISS for the last 10 years. It has become an effective medium for reinforcing (and growing) Darknet intelligence inside government bodies. 

What sets ISS apart isn’t just the vendor floor. The first day is entirely dedicated to hands-on training and deep-dive technical sessions. These aren’t theoretical presentations—they’re practical workshops covering the techniques used in active investigations. 

Advanced Geolocation Techniques: New methods for pinpointing suspect locations when traditional GPS data isn’t available. 

Circumventing Masking Technologies: Practical approaches to dealing with VPNs, Tor, and other anonymization tools (on which suspects increasingly rely). 

Tracing Methodologies: Advanced techniques for following digital breadcrumbs across multiple platforms and jurisdictions. 

AI-Enhanced Investigations: How artificial intelligence is changing digital forensics and evidence analysis. 

The European conference brought together law enforcement agencies, government intelligence units, and commercial technology partners from across the continent and beyond. These connections prove invaluable as cases inevitably cross European borders, or require specialized technical expertise of international bodies like EUROPOL. 

The combination of vendor demonstrations, hands-on training, and peer networking creates an environment where you can evaluate new technologies alongside the investigators who’ll actually use them. 

✅ Geopolitical Realities 

Many representatives came from nations on the border of conflict zones. Unsurprisingly, there’s appetite for creative, proactive protection and detection technology to support time- and resource-drained agencies.  

 ✅ OSINT Emphasis

Both OSINT-native and OSINT-adjacent technology was out in force this year. On the conference agenda, 16 sessions were devoted to OSINT and 10 sessions to darknet investigations alone.

 ✅ Organised Crime Challenges 

Anti-OCG teams worldwide were seeking strategic, not tactical, answers from SOCMINT and DARKINT resources. Their challenge is fighting an almost symmetric enemy, so the traditional profiling playbook is at best ineffective and at worst a waste of much-needed police resources.

✅ Crypto-Fuelled Destabilisation

There was strong representation from jurisdictions increasingly vulnerable to rapidly scaling crypto-fuelled crime in Central Asia. 

DarkOwl’s speaking session in Prague looked at darknet discovery and criminal profiling using DarkOwl Vision.

With breach data and stealer logs the talk of the town in threat intelligence, DarkOwl emphasised the holistic value of following leads through both Dark Web fora and marketplaces, not just the contents of leaks themselves.  

For example, Lindsay (DarkOwl’s Regional Director) established the link between a hacking site’s Twitter account (previously breached) and its live underground administrator, complete with reputation score and real-life identity.

Likewise, using the example of ‘Greavys’ – the pseudonym used by a crypto criminal responsible for stealing $250 million in Bitcoin last year – we unmasked a real name & physical address from an (easy) combination of Telegram UserID pivots and an age-old underground doxxing site. 

DarkOwl Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision is used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, crypto tracing and other illegal activity, making it the perfect tool for this audience.  



Money Laundering in the Digital Underworld: Crypto, Dark Web, and Modern Schemes

June 17, 2025

Money laundering is a major concern in cybersecurity and financial crime, involving methods to disguise illicit funds as legitimate. In the digital age, cryptocurrencies, dark web marketplaces, and decentralized finance have allowed money laundering tactics to evolve in complex ways. This blog explores the traditional money laundering stages and how they’ve transformed on the dark web, the use of NFT art in laundering schemes, and how decentralized tools like mixers and privacy wallets facilitate modern laundering.

Money laundering is the process of concealing illegally obtained money so that it appears to come from a legitimate source. Money laundering consists of three sequential stages: 

  1. Placement: Introducing “dirty” money into the financial system. This might involve depositing cash into banks, or buying assets. 
  2. Layering: Moving and converting funds through a series of transactions to obscure the money’s origin. Launderers create complex layers of transfers – between accounts, through shell companies, via wire transfers, or by converting into different assets. 
  3. Integration: Reintroducing the cleansed money back into the economy as apparently legitimate funds. At this stage, the money may emerge as proceeds from a fake business, real estate investment, luxury asset sale, or other legitimate-seeming revenue. 

The advent of digital currencies and the dark web has added new twists to each stage. Placement now often begins with cryptocurrency instead of cash, layering can involve blockchain transactions or token swaps, and integration might occur through crypto exchanges or NFT sales. 

Hidden online marketplaces accessible via Tor and similar networks have changed how criminals earn and launder money. Dark web marketplaces enable global trade in illicit goods (drugs, stolen data, malware, etc.) paid for with cryptocurrency. This means that criminals increasingly acquire illicit funds already in digital form, like Bitcoin, rather than cash. Money laundering strategies have adapted to take advantage of new digital platforms and applications. 

Vendors and buyers use encrypted communications, and payments are almost exclusively in cryptocurrency. This digital placement of funds is immediate – for example, a ransomware group or drug vendor receives Bitcoin directly as the proceeds of crime. The challenge for criminals is to cash out or further obscure those crypto funds without revealing their identity. In response, they leverage a variety of obfuscation tactics online. 

One key evolution is the use of conversion services and intermediaries. According to Chainalysis, after illicit crypto is obtained (from hacks, darknet sales, etc.), criminals send it through “conversion services” during the layering stage – swapping coins, using DeFi protocols, gambling sites, mixers, or cross-chain bridges.  

At the same time, cryptocurrency’s transparency can aid investigators. Public blockchains allow law enforcement and blockchain analytics companies to trace flows of illicit crypto. As noted in a 2024 Chainalysis report, investigators leverage blockchain transparency to uncover illicit activity that might go undetected in cash dealings. 

In recent years, criminals have shown interest in non-fungible tokens (NFTs) as a new avenue for money laundering. NFTs are unique blockchain tokens often linked to digital art or collectibles. This mirrors laundering in the traditional art world, where valuable pieces can be bought with dirty money and later resold so that the proceeds look legitimate.

While NFT-based laundering is a smaller piece of the puzzle, it is visible. Blockchain analysis by Chainalysis found that the value sent to NFT marketplaces from illicit addresses jumped significantly in late 2021, reaching about $1.4 million in Q4’2021. 

Criminals are experimenting with NFTs by trading them between wallets they control (wash trading) or by buying high-value NFTs with tainted crypto, in both cases aiming to obscure the origin of the funds.

To further muddy the waters of blockchain tracing, criminals turn to cryptocurrency mixers (also called tumblers) and similar tools. A mixer pools cryptocurrency from many users and pays it out to fresh addresses, breaking the on-chain link between incoming and outgoing funds. The result is that it becomes very difficult to prove which output coins correspond to which input, thereby obscuring the origin of the funds. Popular implementations have included Tornado Cash (for Ethereum), custodial Bitcoin tumbling services such as Blender.io and ChipMixer, and non-custodial CoinJoin implementations such as Wasabi Wallet’s, in which participants co-sign a single transaction with many equal-value outputs rather than handing their coins to an operator.

Mixers play the role of layering in the crypto laundering process. Illicit actors use mixers as “safe havens” to launder criminal proceeds, including funds from hacks, fraud, ransomware, and darknet sales. For example, after a big cryptocurrency theft or ransomware payout, the criminals will often route the BTC or ETH through one or multiple mixer services. By the time the coins exit the mixer, the hope is that investigators cannot easily follow the money, since the trail “goes cold” at the mixer’s wallet. 
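To make the two points above concrete (public ledgers let investigators follow value, and a mixer exists to defeat that), here is an added example, not DarkOwl’s code or any analytics vendor’s, that runs pro-rata “haircut” taint propagation over a constructed UTXO-style ledger: a seeded ransomware payout hops once, passes through a four-party mixing transaction, and is then deposited at an exchange. The ledger, transaction IDs and addresses are all constructed for illustration; the haircut rule and the “any exposure to a known mixer” rule are generic heuristics and are not presented as any vendor’s proprietary methodology.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    amount: float


@dataclass
class Tx:
    txid: str
    inputs: list   # (txid, output_index) references this transaction spends
    outputs: list  # Output objects this transaction creates


def haircut_taint(txs, seeds):
    """Pro-rata ("haircut") taint: every output inherits the amount-weighted
    average taint of the inputs that funded its transaction.
    `txs` must be topologically ordered (a spend comes after the outputs it spends).
    `seeds` is a set of (txid, index) outputs known to be criminal proceeds."""
    by_id = {tx.txid: tx for tx in txs}
    taint = {}
    for tx in txs:
        if not tx.inputs:  # funding/coinbase-style tx: tainted only if seeded
            for i in range(len(tx.outputs)):
                taint[(tx.txid, i)] = 1.0 if (tx.txid, i) in seeds else 0.0
            continue
        total = sum(by_id[t].outputs[i].amount for t, i in tx.inputs)
        dirty = sum(by_id[t].outputs[i].amount * taint[(t, i)] for t, i in tx.inputs)
        frac = dirty / total if total else 0.0
        for i in range(len(tx.outputs)):
            taint[(tx.txid, i)] = 1.0 if (tx.txid, i) in seeds else frac
    return taint


def mixer_exposure(txs, mixer_txids):
    """Binary exposure flag: any output that descends, directly or through later
    spends, from a known mixer transaction is marked regardless of amount.
    Compliance screening uses this rule in addition to haircut taint, because a
    mixer's whole purpose is to push the pro-rata fraction below any threshold."""
    exposed = set()
    for tx in txs:
        touched = tx.txid in mixer_txids or any((t, i) in exposed for t, i in tx.inputs)
        if touched:
            for i in range(len(tx.outputs)):
                exposed.add((tx.txid, i))
    return exposed


def flagged(taint, threshold):
    """Outputs whose haircut taint meets a screening threshold."""
    return sorted(ref for ref, f in taint.items() if f >= threshold)


# Constructed sample ledger (not real chain data). Amounts are equal and fees are
# ignored so the arithmetic is easy to follow by hand.
LEDGER = [
    Tx("fund_ransom", [], [Output("attacker_addr_1", 10.0)]),  # seed: ransomware payout
    Tx("fund_alice", [], [Output("alice", 10.0)]),             # three innocent mixer users
    Tx("fund_bob", [], [Output("bob", 10.0)]),
    Tx("fund_carol", [], [Output("carol", 10.0)]),
    Tx("hop1", [("fund_ransom", 0)], [Output("attacker_addr_2", 10.0)]),  # hop before mixing
    Tx("mix",
       [("hop1", 0), ("fund_alice", 0), ("fund_bob", 0), ("fund_carol", 0)],
       [Output("fresh_1", 10.0), Output("fresh_2", 10.0),
        Output("fresh_3", 10.0), Output("fresh_4", 10.0)]),
    Tx("cashout", [("mix", 0)], [Output("exchange_deposit", 10.0)]),  # integration step
]
SEEDS = {("fund_ransom", 0)}


def demo():
    """Run both heuristics over the sample ledger; returns (taint, exposed)."""
    return haircut_taint(LEDGER, SEEDS), mixer_exposure(LEDGER, {"mix"})


if __name__ == "__main__":
    taint, exposed = demo()
    for ref, f in taint.items():
        print(f"{ref}: haircut_taint={f:.2f} mixer_exposed={ref in exposed}")
```

Before the mix, the hop output carries 100% taint and would be flagged at any sensible threshold; after one four-way mix the exchange deposit carries only 25%, below a 50% threshold, which is exactly the layering effect the text describes. That is why screening also applies the exposure rule, with the well-known side effect that the three innocent participants’ fresh outputs are flagged too and their owners may face account freezes at an exchange.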

Tornado Cash deserves special mention: it was an Ethereum smart-contract mixer that gained popularity with cybercriminals. Users deposited fixed denominations of ETH or supported tokens into a pool and later withdrew to a fresh address, proving ownership of a deposit with a zero-knowledge proof rather than through any on-chain link. By 2022 it had become a go-to laundering tool for groups like the Lazarus Group (North Korea) to wash the proceeds of large cryptocurrency thefts. The U.S. Treasury’s OFAC sanctioned Tornado Cash in August 2022. In 2023, the U.S. Department of Justice went further by indicting two alleged Tornado Cash founders; the August 2023 indictment accused them of facilitating over $1 billion in money laundering transactions through Tornado Cash, including hundreds of millions of dollars for the Lazarus Group.

Money laundering has always been about staying one step ahead of investigators by exploiting gaps in the financial system. The dark web and cryptocurrencies introduced a new venue for launderers, where geography means little and anonymity is the default. We’ve seen how the traditional stages of money laundering (placement, layering, integration) have counterparts in the crypto realm: from cash to crypto, through complex hops across mixers and tokens, then cashing out via exchanges or NFT sales. Bitcoin and Ethereum leave public ledger trails, while coins like Monero offer near-total concealment but are harder to cash out. Decentralized mixers and wallets provide new ways to wash funds, even as authorities push back with sanctions and arrests. Meanwhile, novel schemes like NFT-based laundering show the creative lengths to which criminals will go.



Israel-Iran Conflict: Airstrikes, Retaliation, and Hacktivists

June 13, 2025

In the early hours of 13 June (local time), Israel confirmed that it had launched airstrikes against Iran. The targets were reported to include Iran’s nuclear program and other military sites. Further strikes were reported throughout the day. Iran’s Supreme Leader Ali Khamenei warned that Iranian forces would “act with strength” against Israel, and Iran subsequently fired missiles into Israel. Loud explosions have been heard over Tel Aviv.

On Telegram, hacktivist and news media channels have been reacting. In the region, Telegram is often the first point of news, and hacktivist groups use the platform to share details of their cyber-attacks and victims.

Hacktivist group DieNet claimed that they will attack Israeli radio stations in tandem with the attacks from Iran. 

They then shared images which they claimed to be proof.

They also claimed to have attacked Israeli companies and obtained data that they would share in order to assist Iranian Intelligence and military efforts.

Other groups shared images of the bombing of Tel-Aviv and images of the red alert system in Israel.

Another hacktivist group which states it supports Iran, has posted a call to action asking anyone with cyber security experience to help them target Israel.

Others are sharing information on cyber attacks against Israeli targets.

Another hacktivist group, Islamic Hacker Army, is targeting Iranian government entities.

The IDF is using Telegram to post updates, informing citizens about what they need to do and encouraging people not to share any footage or information about incoming strikes, which it states have been intercepted.

Israeli news sites are also using Telegram to update on the ongoing events, with reports that Iran has targeted populated areas in Israel and caused casualties as well as videos of the attack.

This is an ongoing situation that DarkOwl will continue to monitor.



Ethical Hacking: White Hat Hackers vs. Black Hat Hackers 

June 12, 2025

In the cybersecurity world, not all hackers wear the same hat. While the term “hacker” often carries a negative connotation, ethical hacking plays a vital role in defending systems, exposing vulnerabilities, and preventing malicious intrusions. In this blog, we’ll break down the differences between white hat and black hat hackers, and why ethical hacking is essential in the fight against cybercrime, especially as threats increasingly originate from the dark web.

Ethical hacking is the practice of intentionally probing systems, applications, and networks for security vulnerabilities—with permission. These security professionals, often referred to as white hat hackers, simulate cyberattacks to identify and patch weaknesses before malicious actors can exploit them. 

Ethical hackers follow strict legal and contractual guidelines. Their work typically includes: 

  • Penetration testing (network, web app, social engineering) 
  • Vulnerability assessments 
  • Red team/blue team simulations 
  • Threat modeling and risk assessments 

White hat hackers are cybersecurity experts who use offensive tactics for defensive purposes.  

They may work in-house at large enterprises, for managed security providers, or as freelance consultants. Their goal is to: 

  • Identify misconfigurations and zero-day vulnerabilities 
  • Help organizations comply with frameworks like NIST, ISO 27001, or GDPR 
  • Harden systems before attackers find their way in 

White hats often contribute to bug bounty platforms like HackerOne or Bugcrowd, earning legal income through responsible disclosure. 

Black hat hackers exploit vulnerabilities for personal or financial gain, espionage, political disruption, or simply malicious intent. Their activities are illegal and unethical, and can include:

  • Deploying ransomware or info-stealer malware 
  • Harvesting credentials for sale on dark web markets 
  • Running phishing campaigns and exploit kits 
  • Selling zero-days or initial access on dark web forums 

These actors thrive in anonymity, often using the dark web to communicate, trade tools, or collaborate with other threat groups.

Gray hat hackers operate in the middle. They might find vulnerabilities without permission but report them without malicious intent—sometimes requesting payment afterward. While not always harmful, their actions can still violate ethical and legal boundaries. 

As threat actors increasingly coordinate and monetize attacks through dark web infrastructure, organizations need white hat hackers to stay one step ahead. For example: 

  • Ethical hackers often emulate TTPs (tactics, techniques, and procedures) observed in dark web-sourced threat intel. 
  • Red teams simulate attacks modeled after real-world adversaries, using leaked credentials or known malware strains. 
  • Threat hunters rely on collaboration with ethical hackers to validate indicators of compromise (IOCs) harvested from dark web sources. 

By pairing dark web monitoring with ethical hacking, companies can proactively reduce risk exposure, especially in industries with high-value data (e.g., finance, healthcare, government). 

The difference between a white hat and a black hat isn’t in capability; it’s in intent, authorization, and impact.

Hacker Type | Motivation | Legality | Common Tools & Tactics
White Hat | Security & defense | Legal | Metasploit, Burp Suite, Kali Linux, Cobalt Strike (licensed)
Black Hat | Profit or sabotage | Illegal | Ransomware, phishing kits, stealer logs, RATs, dark web forums
Gray Hat | Curiosity, recognition | Often borderline | Exploits, port scanners, self-written scripts


Darknet Mentions: The Silent Threat to Your Company’s Reputation 

June 10, 2025

When most people hear the word “darknet,” they picture something out of a movie—hooded hackers, flickering monitors, maybe a green Matrix-style glow. But for companies, the darknet isn’t some far-off concept. It’s real. It’s active. And there’s a good chance your brand is already being mentioned there. 

And no—it’s not just paranoia. It’s reality. 

Let’s break down why that matters and what you should be watching for. 

One day, everything seems fine. The next? Your customer database, employee records, or internal strategy documents are listed on a darknet marketplace for a few hundred bucks in crypto. Maybe the breach happened through your systems. Maybe it was a third-party vendor. Either way, the fallout is yours. 

Hackers aren’t just targeting banks and tech giants anymore. Everyone has data worth stealing. 

Sites like the now-defunct Breached Forums were notorious for posting company breach data daily. In the wrong hands—whether cybercriminals or even unethical competitors—that data can do serious damage. 

Figure 1: Threat actor ShinyHunters advertising Ticketmaster data on BreachForums

Take the Oracle Cloud supply chain breach as an example. More than 6 million records were reportedly leaked, affecting over 140,000 tenants. The data reportedly included encrypted SSO passwords, critical keys to user authentication.

Why it matters: Once your data hits the darknet, you can’t undo it. The faster you know, the faster you can respond—before customers, investors, or regulators find out the hard way. 

This one’s disturbingly common. All it takes is a phishing email or infected website, and suddenly someone’s corporate credentials are being traded online. 

Even more concerning is the rise of “stealer logs.” These are text files pulled from infected computers containing saved passwords, browser sessions, cookies, and more. They’re sold in bulk on markets like RussianMarket or 2easy. For as little as $10, a threat actor could buy their way into your network. 

Figure 2: Browser data in a stealer log showing phone numbers, dates of birth, usernames, and passwords; Source: DarkOwl Vision

What’s worse? You don’t always know what those credentials unlock. Access to email? Internal tools? Sensitive databases? 

Monitoring these stealer log sites is no longer optional—it’s a critical step in stopping ransomware and unauthorized access before it starts. 
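As an added example (not DarkOwl Vision’s parser or output), here is a small Python check that parses a constructed stealer-log credential dump in the key/value block style that commodity infostealers commonly write, and flags the entries that touch a monitored corporate domain, either because the login URL’s host sits under that domain or because the username is an e-mail address at it. The sample records, the domain `examplecorp.com`, and the set of field-name aliases accepted are constructed assumptions; real malware families use varying field names and file layouts, so the alias table is the part you would extend.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the "Key: value" block style of commodity infostealer
# password dumps. Field names are assumptions; real families differ.
SAMPLE_LOG = """\
URL: https://sso.examplecorp.com/login
Username: j.doe@examplecorp.com
Password: Summer2025!
Application: Google Chrome
===============
URL: https://mail.google.com/
Username: jdoe.personal@gmail.com
Password: hunter2
Application: Mozilla Firefox
===============
URL: https://vpn.examplecorp.com:443/
Login: jdoe
Password: Welcome1
Application: Microsoft Edge
===============
"""

# Map the field names seen in different dump formats onto a canonical key.
FIELD_ALIASES = {
    "url": "url", "host": "url", "hostname": "url",
    "username": "user", "login": "user", "user": "user",
    "password": "password", "pass": "password",
    "application": "app", "browser": "app",
}

_KV = re.compile(r"\s*([A-Za-z]+)\s*:\s*(.*)$")


def parse_stealer_log(text):
    """Split a key/value dump into records, one dict per credential block."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.strip().startswith("====="):  # block separator
            if cur:
                records.append(cur)
                cur = {}
            continue
        m = _KV.match(line)
        if not m:
            continue
        key = FIELD_ALIASES.get(m.group(1).lower())
        if key:
            cur[key] = m.group(2).strip()
    if cur:
        records.append(cur)
    return records


def _host(url):
    """Hostname of a URL; tolerate bare hosts without a scheme."""
    try:
        return (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()
    except ValueError:
        return ""


def _in_scope(name, domains):
    """True if `name` equals a monitored domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_corporate(records, domains):
    """Findings whose login host or e-mail domain falls under a monitored domain.
    Passwords are masked before they leave this function."""
    domains = [d.lower() for d in domains]
    hits = []
    for r in records:
        host = _host(r.get("url", ""))
        user = r.get("user", "")
        email_dom = user.split("@", 1)[1] if "@" in user else ""
        reasons = []
        if host and _in_scope(host, domains):
            reasons.append("url-host")
        if email_dom and _in_scope(email_dom, domains):
            reasons.append("email-domain")
        if reasons:
            pw = r.get("password", "")
            hits.append({
                "host": host,
                "user": user,
                "app": r.get("app", ""),
                "reasons": reasons,
                "password_hint": pw[:2] + "*" * (len(pw) - 2) if len(pw) > 2 else "**",
            })
    return hits


if __name__ == "__main__":
    for hit in match_corporate(parse_stealer_log(SAMPLE_LOG), ["examplecorp.com"]):
        print(hit)
```

The personal Gmail entry is ignored and the two corporate entries are returned with the secret masked, so the findings can go straight into a ticket or SIEM without re-exposing the password. The practical follow-up is a forced reset plus invalidation of existing sessions for the affected accounts, because stealer logs usually carry session cookies next to the saved passwords and a reset alone does not log the attacker out.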

This is every security leader’s nightmare: an insider selling access to their own company’s systems. 

Disgruntled employees, ex-contractors, or even someone in financial distress may post offers like: 

“Access to large healthcare org. Admin rights. Serious buyers only.” 

Not all insider threats are intentional. Sometimes, an employee unknowingly becomes a risk—by being too trusting or unaware of security policies. Others may be driven by resentment, especially in today’s environment where layoffs are frequent and workloads increase for those who remain. 

The bottom line? Insider threats are incredibly hard to detect until it’s too late. Monitoring the dark web for chatter about your company can give you a head start in spotting them. 

Why it matters: These posts often appear just before a ransomware attack or data leak. The longer you stay unaware, the bigger the damage. 

Intellectual property law isn’t the most exciting topic, but it becomes very real when your products start showing up as fakes online.

If you ever plan to take legal action over counterfeits or copyright violations, one of the first questions a court will ask is: what steps did your company take to protect and enforce its rights?

That’s why big brands like the NFL send teams to sniff out counterfeit goods during events like the Super Bowl. 

The dark web is a known hub for counterfeit products. You can find knockoff software, clothing, purses—even security tools—for under $20. 

Figure 3: Darknet marketplace advertisement for a counterfeit Rolex watch at $4,500 USD

If your brand relies on copyrighted products or content, darknet monitoring is a smart move. It strengthens internal investigations, arms your legal team with evidence, and shows the courts you’re actively enforcing your rights. 

The darknet isn’t just a playground for hackers. It’s a marketplace, a communication channel, and sometimes, a launchpad for real-world damage. 

Whether you know it or not, your company is being talked about. The only question is: 

Are you listening? 



Whistleblower Sites 101

June 04, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by both cybersecurity professionals and threat actors that unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, and doxing. In this blog, DarkOwl analysts provide a summary of the digital whistleblower landscape, outlining the role of the dark web and examining some noteworthy whistleblower platforms.

Though contemporary cases usually come to mind, whistleblowers—individuals “who disclose evidence of wrongdoing”—are by no means a recent phenomenon. The first documented whistleblowers in the United States were 10 American officers who, in 1777, reported abuses by their commander, Esek Hopkins. As explained by Dr. Allison Stanger, Hopkins, the first commodore of the U.S. Navy, was accused of torturing British prisoners of war. Following a testimony by the whistleblowers to the Continental Congress, Hopkins was suspended and subsequently retaliated against the officers, who were ultimately protected when the Continental Congress passed America’s first whistleblower law on July 30, 1778. 

The whistleblower landscape, however, has unsurprisingly changed since the 18th century, in large part due to the emergence of digital whistleblowing platforms. As noted by Philip Di Salvo, the author of Digital Whistleblowing Platforms in Journalism, whistleblowing platforms allow individuals to “submit documents to recipient journalists, using safer and anonymizing technologies based on strong encryption.” Di Salvo describes these platforms as sitting at the crossroads between journalism and hacking, significant in that they provide journalists’ potential sources “with safer, anonymous, communication channels online.” Many of the platforms in question use Tor (The Onion Router) so that whistleblowers remain anonymous, hiding their IP addresses and browsing activity from the recipient site and from network observers.

The use of Tor by whistleblowers aiming to expose waste, fraud, abuse, or corruption challenges the common misconception that the dark web is accessed exclusively by bad actors. While the dark web does contain illicit marketplaces, hacking groups, terrorist activity, child pornography, and more, it can also protect whistleblowers and journalistic sources. The anonymity provided by the dark web is especially vital for sources and activists living in repressive regimes. 

As similarly highlighted by Di Salvo, since its emergence the digital whistleblower landscape has grown to include a wide variety of platforms that provide users with encrypted submission systems. Below, analysts examine some notable whistleblower platforms. 

WikiLeaks is a whistleblowing platform originally founded by the Australian computer programmer Julian Assange in 2006. The platform, which publishes secret information obtained from anonymous sources, was initially created with the intention to “streamline the whistleblowing process.” Despite being founded in 2006, the platform only gained international attention in 2010, when it published hundreds of thousands of documents pertaining to the U.S. wars in Iraq and Afghanistan. The documents, leaked by former U.S. Army intelligence analyst Chelsea Manning, revealed that the U.S. military had “killed hundreds of civilians in unreported incidents.” The leak is still considered to be the largest classified leak in history.  

SecureDrop was initially developed by Aaron Swartz, Kevin Poulsen, and James Dolan under the name DeadDrop, and was taken over by the Freedom of the Press Foundation in October 2013. As noted on the foundation’s website, SecureDrop is “an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.” Di Salvo highlights that the platform has become a standard in the whistleblower ecosystem, as reflected by the fact that the system is currently used by over 60 news organizations worldwide (“including The New York Times, The Washington Post, ProPublica, The Globe and Mail, and The Intercept”). Sources reach a SecureDrop instance over the Tor network.

GlobaLeaks, another standard in the digital whistleblowing landscape, is free, open source software developed in 2010 with support from the Hermes Center for Transparency and Digital Human Rights, an Italian civil rights organization. GlobaLeaks provides its users with software to “set up secure and anonymous whistleblowing initiative[s].” To provide whistleblowers with anonymity, the platform uses Tor, includes “robust security and legal features, such as free encryption software, and does not keep records of IP addresses or leave traces in web browsers.” As highlighted by RESET, GlobaLeaks has been used by a wide variety of entities, including four French-language media companies (Le Monde, La Libre Belgique, Le Soir de Bruxelles, and RTBF) to establish the whistleblower website Source sûre in 2015.

Founded in 2017, The Platform to Protect Whistleblowers in Africa (PPLAAF) is a non-governmental organization (NGO) that aims to defend and support whistleblowers in Africa. PPLAAF provides whistleblowers, NGOs, media, and governments with legal assistance, media assistance, and advocacy and research. As highlighted by the non-profit Whistleblowing International Network (WIN), PPLAAF also “provides a secure web portal for sending information and documents.”  

Founded by the NGO Earth League International (ELI), WildLeaks is a whistleblowing initiative dedicated to environmental and wildlife crime. Launched in 2014, WildLeaks’ mission is to “receive and evaluate anonymous information and tips regarding environmental and wildlife crime, and then transform those tips into concrete action.” The initiative also provides potential whistleblowers with secure communication channels via Tor. Upon receiving information, WildLeaks may launch an investigation or share the information with trusted law enforcement agencies and media partners. As summarized by the organization, WildLeaks’ first priority is to “facilitate the identification, arrest, and prosecution of criminals, traffickers, businessmen, and corrupt government officials behind environmental crime, including the poaching of endangered species, the trafficking of wildlife and forest products, illegal logging and IUU (Illegal, Unreported, and Unregulated) fishing.” 

Founded in 2023, Climate Whistleblowers (CW) is a non-profit dedicated to protecting individuals “who expose wrongdoings that worsen the climate crisis.” The organization defines a climate whistleblower as an individual who “discloses information about abuses that worsen the climate crisis in order to protect the environment and public health.” As highlighted on their website, CW provides secure communication channels for whistleblowers. Additionally, the non-profit advocates for whistleblower protection by publishing articles and providing training to professionals and organizations.  

Founded in 2024, Psst is a “non-partisan, non-profit public service that helps people bring forward public interest information.” In addition to providing whistleblowers with legal and media support, the non-profit has also created a secure web portal—dubbed “Psst Safe” for submitting non-public information. Psst Safe is described as a “digital safe haven” for information of concern that allows users to remain anonymous and encrypts any uploaded information.    

Founded in 1997 by the American journalist Charles Lewis, the International Consortium of Investigative Journalists (ICIJ) is a network of “more than 290 of the best investigative reporters from more than 100 countries and territories.” Importantly, the network provides whistleblowers with secure communication channels, and “encourages whistleblowers to securely submit all forms of content that might be of public concern - documents, photos, video clips as well as story tips.” 

As highlighted in this blog, the whistleblowing landscape has evolved significantly since the first documented whistleblowing in the U.S. in the 18th century. The emergence of digital whistleblowing platforms like SecureDrop over the past two decades has transformed the whistleblowing process by providing sources with more secure online communication channels. By routing their connections through Tor, whistleblowers can remain anonymous: the platform they contact never sees their real IP address, and their own network operator sees only that they connected to the Tor network, not which site they reached. The number of online whistleblowing platforms has also grown to include platforms dedicated to specific causes, such as combatting wildlife crime and the climate crisis. The existence of such efforts once again highlights that while the dark web is home to extensive criminal activity, it is also used by individuals aiming to expose wrongdoings and can be a force for good.  



Threat Intelligence RoundUp: May

June 02, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. FBI: Scammers pose as FBI IC3 employees to ‘help’ recover lost funds – Bleeping Computer

On April 18, 2025, the Federal Bureau of Investigation (FBI) released a public service announcement warning of an ongoing fraud scheme in which scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees. According to the announcement, the FBI has received more than 100 reports of such impersonation scams between December 2023 and February 2025. The scammers have been observed impersonating IC3 employees while offering to assist victims of fraud. Read full article.

2. Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks – The Hacker News

In a May 7 press release, Europol announced that Polish authorities arrested four individuals “who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide.” The suspects were linked to six DDoS-for-hire platforms, specifically Cfxapi, Cfxsecurity, neostress, jetstress, quickdown and zapcut. As noted in the report, the arrests were part of a coordinated international operation involving four countries and assisted by Europol. Furthermore, as part of the operation the United States also seized nine domains associated with booter services. Article here.

Researchers at Kaspersky’s Global Research and Analysis Team have observed IronHusky hackers targeting Russian and Mongolian government entities. IronHusky, a Chinese-speaking threat group that has been active since at least 2017, is using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Researchers identified the updated RAT “while investigating recent attacks where the attackers deployed the RAT malware using a malicious MMC script camouflaged as a Word document.” Read more here.

Researchers at Morphisec have observed threat actors distributing malware via fake AI-powered video generators. According to Morphisec’s May 8 report, the fake AI platforms are being predominantly advertised in Facebook groups. Victims who are lured into visiting the fake site are prompted to upload their images or videos to generate content. The users are subsequently asked to download the generated AI content; in attempting to do so, however, the victims unknowingly download a malicious ZIP archive instead (“VideoDreamAI.zip”), which installs the newly identified infostealer dubbed “Noodlophile.” Read here.

5. Police arrests 270 dark web vendors, buyers in global crackdown – Bleeping Computer

An international law enforcement operation dubbed “Operation RapTor” and coordinated by Europol has resulted in the arrest of 270 dark web vendors and buyers in ten countries. The vast majority of arrests took place in the United States, with a total of 130. In addition to the arrests, officers also seized €184 million in cash and cryptocurrencies, more than 2 tonnes of drugs, over 180 firearms, 12,500 counterfeit products, and over 4 tonnes of illegal tobacco. Learn more.

6. 3AM ransomware uses spoofed IT calls, email bombing to breach networks – Bleeping Computer

In a May 20 report, Sophos researchers outlined two distinct threat clusters using “’email bombing’ to overload a targeted organization’s employee with unwanted emails, and then […] posing as a tech support team member to deceive that employee into allowing remote access to their computer.” As noted in the report, Sophos has observed over 55 attempted attacks using this technique between November 2024 and January 2025. Among the tracked incidents was an attack carried out in 2025 by a 3AM ransomware group affiliate that used a similar email bombing technique; rather than calling via Microsoft Teams, however, the threat actors placed a real phone call with the caller ID spoofed to look like the organization’s own IT department. Read full article.

7. U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems – The Hacker News

In a May 1 press release, the U.S. Department of Justice (DOJ) announced that a Yemeni national was indicted for allegedly deploying Black Kingdom ransomware “on roughly 1,500 computers in the United States and abroad.” The 36-year-old suspect has been charged with “one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.” According to the press release, the individual is currently believed to be residing in Yemen. Read full article.

8. Germany Shuts Down eXch Over $1.9B Laundering, Seizes €34M in Crypto and 8TB of Data – The Hacker News

In a May 7 press release, Germany’s Federal Criminal Police Office, the Bundeskriminalamt (BKA), announced the takedown of the cryptocurrency exchange platform “eXch” for alleged money laundering. According to the report, the operation took place on April 30, 2025, and also involved authorities seizing over eight terabytes of data and €34 million worth of crypto assets (Bitcoin, Ether, Litecoin, and Dash). Significantly, this is the “third-largest seizure of crypto assets in the history of the BKA”. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Dark Web Under Watch: Regulation, Enforcement, and the Power of Threat Intelligence Tools

May 29, 2025

Government and law enforcement agencies are increasingly treating the dark web as a serious threat. Over the past five years in particular, takedowns of marketplaces and forums have become more frequent and coordinated—a welcome and long-overdue shift. While dark web enforcement isn’t new, it has clearly gained momentum and visibility in recent years. 

So, what exactly are government agencies and investigators doing to regulate, monitor, and stay ahead of dark web-enabled cybercrime? Let’s break it down. 

First, is the dark web itself regulated? The short answer, so you can move on to the next section, is: no. 

There are currently no laws that explicitly target the dark web itself. What we have instead are laws aimed at illicit activities commonly associated with the dark web. 

However, a proposed bill, the Dark Web Interdiction Act, would take meaningful steps. According to Congressman Chris Pappas’ website, the bill would: 

  • Increase criminal penalties for individuals convicted of trafficking illegal drugs on the dark web by directing the U.S. Sentencing Commission to enhance sentencing guidelines. 
  • Strengthen and make permanent the Joint Criminal Opioid and Darknet Enforcement (J-CODE) task force, which has coordinated federal, state, local, and international efforts since 2018. J-CODE has already led to hundreds of arrests, major drug seizures, and marketplace takedowns. 
  • Require a comprehensive report from the DOJ, DHS, and the Treasury Department on how cryptocurrency is being used on the dark web—plus recommendations on how Congress should address virtual currency in opioid trafficking cases. 

The U.S. has historically lagged behind in addressing cybercrime. This bill is a step in the right direction—especially when it comes to drug trafficking and interagency coordination. 

That said, some states do have laws that can be applied in dark web-related cases. For example, Florida Statute 934.215 (Unlawful Use of a Two-Way Communications Device) can be added as a charge when a suspect uses a device to facilitate a felony. To convict under this statute, prosecutors must show: 

  • The defendant used a device capable of two-way communication; and 
  • That device was used to further the commission of a felony. 

Even so, this statute doesn’t specifically target the dark web—just the tools often used to commit dark web crimes. 

With little legislative backing, the burden of confronting the dark web has largely fallen on law enforcement. So, what exactly are they doing—and how? 

Federal agencies are leading the charge, but state and local departments are getting involved as well. It seems like every week there’s a press release announcing the takedown of a forum, vendor, or marketplace. Here are the core tactics behind those headlines: 

  • Undercover Operations: Agents go undercover in forums and marketplaces, posing as vendors, buyers, terrorists, or traffickers to infiltrate criminal networks. 
  • Cryptocurrency Tracing: Investigators are using advanced blockchain analysis tools—often in partnership with private companies—to follow the money trail across wallets, mixers, and exchanges, where a deposit address can be tied to a customer identity. 
  • Controlled Buys: Borrowing tactics from traditional narcotics work, law enforcement is conducting digital sting operations on dark web vendors. 
  • Cross-Agency Collaboration: Most major takedowns involve 6–9 agencies working together. Agencies like the FBI are also partnering with private-sector firms to build new intelligence pipelines and share valuable information. 
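The “follow the money” bullet above rests on a simple idea: addresses that sign inputs of the same transaction are assumed to belong to one entity, and once a cluster pays into an exchange deposit address, a subpoena to that exchange can put a name on the whole cluster. The script below is an added illustration of that common-input-ownership heuristic; it is not DarkOwl code or any vendor’s tool, and the ledger it walks is a constructed sample with placeholder addresses rather than real chain data.

```python
"""Common-input-ownership clustering, the basic address-clustering heuristic
behind "follow the money" blockchain analysis.  Added illustration for this
post; not DarkOwl code.  The ledger below is constructed, not real chain data."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample ledger: (txid, input addresses, output addresses).
SAMPLE_TXS: List[Tuple[str, List[str], List[str]]] = [
    ("tx1", ["A1", "A2"], ["M1"]),             # A1 and A2 co-spend: same owner
    ("tx2", ["A2", "A3"], ["M2"]),             # A3 joins that cluster through A2
    ("tx3", ["B1"], ["A4", "B2"]),             # B1 pays A4; a payment links nothing
    ("tx4", ["A4", "A1"], ["EXCH_DEPOSIT"]),   # A4 co-spent with A1: cluster grows
    ("tx5", ["C1"], ["C2"]),                   # unrelated spend
]


class DisjointSet:
    """Union-find over address strings; roots identify clusters."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs) -> Dict[str, Set[str]]:
    """Every address that signs an input of the same transaction is assumed to
    be controlled by one entity.  Returns clusters keyed by their lexically
    smallest member.  Output-only addresses are never placed in a cluster:
    receiving coins proves nothing about who controls the recipient."""
    ds = DisjointSet()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            ds.union(inputs[0], addr)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return {min(members): members for members in groups.values()}


def cluster_of(txs, addr: str) -> Set[str]:
    """All addresses linked to `addr` by co-spending (singleton if never an input)."""
    for members in cluster_addresses(txs).values():
        if addr in members:
            return members
    return {addr}


def payers_of(txs, dest: str) -> Set[frozenset]:
    """Which clusters sent funds to `dest`?  Pointing this at an exchange
    deposit address is the step that turns chain data into a subpoena target."""
    clusters = cluster_addresses(txs)
    result: Set[frozenset] = set()
    for _txid, inputs, outputs in txs:
        if dest in outputs:
            spender = inputs[0]
            members = next((m for m in clusters.values() if spender in m), {spender})
            result.add(frozenset(members))
    return result


if __name__ == "__main__":
    for key, members in sorted(cluster_addresses(SAMPLE_TXS).items()):
        print(key, sorted(members))
    print("paid EXCH_DEPOSIT:", payers_of(SAMPLE_TXS, "EXCH_DEPOSIT"))
```

Running it groups A1 through A4 into one cluster even though A3 and A4 never appear in a transaction together, which is exactly the transitive linkage investigators rely on. The caveat a practitioner should keep in mind is that the heuristic is an assumption, not a proof: CoinJoin-style transactions deliberately mix inputs from unrelated parties, so production tools combine this rule with change-output detection, known-service attribution, and manual review before anyone is named.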

One of the most powerful tools in their arsenal? The Network Investigative Technique (NIT) search warrant. These warrants authorize the use of technical tools or code to identify users operating on anonymized or encrypted networks like Tor. Think of it as a legally sanctioned hacking method used to pierce digital anonymity. 

Silk Road (U.S. v. Ross Ulbricht) 

  • The first major dark web marketplace for drugs and services (launched in 2011) 
  • Ulbricht, aka “Dread Pirate Roberts,” was arrested in 2013 and sentenced to life (although recently pardoned) 
  • Paved the way for the rise—and fall—of copycat markets 

AlphaBay (Operation Bayonet) 

  • Became the dominant market after Silk Road’s fall 
  • Shut down in 2017 through a global operation; founder Alexandre Cazes was found dead in Thai custody days after his arrest, an apparent suicide 
  • Showed how effective international coordination can be in disrupting cybercrime 

Operation Pacifier / Playpen 

  • FBI took control of a child exploitation site and used NITs to identify users 
  • Led to hundreds of arrests and intense legal debate over warrant scope and privacy 

Hansa Market Takedown 

  • Dutch authorities secretly operated Hansa while AlphaBay was live 
  • After AlphaBay’s fall, users flocked to Hansa—unaware law enforcement was in control 
  • A strategic win that yielded a wealth of investigative intelligence 

Too often, investigators are taught how to access the dark web manually in training—only to be told by their agency that they can’t use those methods due to cybersecurity risks. That’s where DarkOwl steps in. 

DarkOwl allows federal, state, and local law enforcement to access dark web intelligence—without having to log in, risk exposure, or authenticate into hidden forums. 

From fraud and identity theft to weapons trafficking and the sale of stolen goods, DarkOwl’s data isn’t just for cybercrime units. It supports a wide range of investigations, including economic crime, property crimes, human trafficking, and missing persons cases, by: 

  • 🔍 Keyword searches across millions of dark/deep web records (emails, usernames, VINs, credentials, IPs, etc.) 
  • ⏱️ No direct access needed—reducing risk and operational overhead 
  • 📬 Real-time alerts when new mentions of targets appear 
  • 🤝 Multi-jurisdictional coordination, helping agencies work together to track threats and follow digital leads 

Whether you’re working a fraud ring using stolen credit cards, a counterfeit ID scheme, or a local burglary ring fencing goods on dark markets, DarkOwl gives investigators the intelligence and visibility to act quickly—and safely. 

In short, DarkOwl enables broader use of dark web intelligence, putting actionable data in the hands of every level of law enforcement. 

As threat actors become more anonymous and their tactics more complex, having access to tools like DarkOwl is no longer optional—it’s essential. 

While there are no current laws that directly regulate the dark web, law enforcement is adapting and responding aggressively. It’s an uphill battle—and it may never be fully “won”—but every arrest, takedown, and disruption counts. The more we invest in intelligence, coordination, and modern investigative tools, the better our chances of keeping communities safe in both the physical and digital worlds. 


Curious how DarkOwl can help you? Contact us.

What Happens If I Get Breached?

May 27, 2025

We all have a fear—or at least know of someone with a fear—of getting breached. And chances are, you yourself have been, or at the very least, know someone who has. But what is a breach, really? What actually happens when you or someone close to you becomes the victim of one? 

A data breach occurs when unauthorized individuals gain access to sensitive information—like login credentials, personal data, financial info, or private communications. These breaches can happen through phishing, malware, weak passwords, or exploiting security vulnerabilities. Once inside, attackers may steal, copy, sell, or leak your data—often on places like the dark web. The consequences can range from identity theft to financial fraud to long-term reputational damage. 

The sense of violation people feel after a breach is real—and often overwhelming. What follows is a quick personal story of someone who experienced this firsthand: an acquaintance trying to make sense of a data breach that impacted his family. 


I had an old coworker reach out to me a while ago. One of her current coworkers had recently experienced a breach for one of his loved ones and asked if it was okay for her to give him my contact information so we could talk about the options.  

When we hopped on a call, he informed me that his daughter had been breached and had given away her credentials for her bank, social media, and email. He knew vaguely about what was happening – he knew that the information stolen would probably be sold on the darknet, and wanted to know what he could do as a father: “Should I get a copy of Tails up and running? Am I able to find the data that was stolen?” Tails is a flavor of Linux with anonymity as a focus. “How do I even approach this? Where do I get started with the dark web?”  

I let him know that he could get the Tor Browser and start browsing around, but warned him that that’s problematic for a couple of reasons, one just being your own mental state, depending on some of the things one could stumble across when searching on the dark web.

He was just at such an utter loss and unsure of what to do with the complete sense of violation that he was feeling. He did have some technical abilities as he’d been a software engineer. So I explained to him the process of some of these operations.

Even if he did learn the technologies required to browse the darknet safely, which is a non-trivial task, he’d still need to know where to go, which in itself is information that is shielded. Even if he were able to do that, and find sites where stolen data is being brokered, the chances of finding his daughter’s data are very slim. While it’s true that some hackers will post the entirety of their breaches for cred, organizations that do this as a business will generally post a subset of the data they steal as a sample to entice buyers. The chances of his daughter’s information being in that sample are slim. But let’s say that happens to be the case. If that were the case, would he be attempting to purchase the data? Firstly, that’s very illegal, but also, there are no guarantees that they won’t sell it to multiple people anyway. On top of that, if his daughter’s data was posted as a sample, it’s out there to everyone that can see it now anyway.

All this to say, once it’s out there, it’s better to just assume it’s out there. With the major breaches of companies with millions of users that have been happening for years, it is safe to say that plenty of our data is already out there – yours and mine. It’s just the world we live in.

I gently told him that diving into the dark web in search of his daughter’s stolen data wasn’t just risky and likely futile—it also wouldn’t change the outcome. Once data is out there, it’s essentially impossible to retrieve or erase. In most cases, the better path forward is not chasing what’s already lost but protecting what remains. 

If you or someone you know has been breached, here’s what you can and should do immediately: 

  • Freeze or close any compromised accounts (banking, email, social media, etc). 
  • Change all passwords—not just the affected ones. 
  • Enable two-factor authentication everywhere possible. 
  • Monitor financial accounts and credit reports for unusual activity. 
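One thing a technically minded reader can do instead of hunting for leaked data on dark web forums is check whether a password already appears in a known-breach corpus, without ever sending the password anywhere. The script below is an added example, not DarkOwl code: it implements the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the SHA-1 leave the machine, and the client matches the remaining 35 locally). The range response embedded in it is constructed so the check runs offline; only `fetch_range()` touches the network.

```python
"""Breach-corpus password check via k-anonymity (HIBP Pwned Passwords range
API).  Added example, not DarkOwl code.  The embedded range response is
constructed so the check runs offline; fetch_range() performs the live query."""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range response for prefix 5BAA6 (SHA-1("password") begins
# 5BAA61E4...).  A real bucket holds hundreds of lines; the count on the
# "password" suffix is made up and the other two suffixes are filler, with the
# last one showing the count-0 padding entries the API can add.
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest 5/35.  Only the prefix is
    ever transmitted, so the server learns one of ~2^20 buckets, not the hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.  Padding entries carry count 0
    and must never be reported as a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, range_prefix: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    Refuses to match a bucket that does not belong to this password's prefix,
    which would otherwise silently return 0 for every input."""
    prefix, suffix = split_hash(password)
    if prefix != range_prefix.upper():
        raise ValueError(f"range {range_prefix} does not cover prefix {prefix}")
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (network).  'Add-Padding: true' asks the server to pad the
    bucket so that response size does not reveal which prefix was queried."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """End-to-end live check; the password itself never leaves this function."""
    prefix, _ = split_hash(password)
    return exposure_count(password, prefix, fetch_range(prefix))


if __name__ == "__main__":
    n = exposure_count("password", SAMPLE_PREFIX, SAMPLE_RANGE_5BAA6)
    print("seen", n, "times: change it" if n else "not in this bucket")
```

A count above zero means the password is already in the hands of anyone who has downloaded the same corpus, and the only useful response is the one the list above gives: change it everywhere it was reused and turn on two-factor authentication. A zero only says the password is absent from that corpus, not that it is safe.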

And most importantly, take this as a chance to build long-term security habits. Teach your kids, friends, and coworkers to: 

  • Use a different password for every site
  • Regularly update passwords, even if there’s no sign of compromise. 
  • Think twice before sharing information, especially in response to unexpected emails, texts, or calls. 

The best thing we can do in a world where breaches are increasingly common is stay vigilant, proactive, and prepared—not paralyzed by what’s already been lost.


Curious what data is on the darknet? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.