The dark web community of those buying, selling, trading and sharing data is extremely active. Dark web sites such as BreachForums and LeakBase are heavily used by threat actors to trade data, ask about what is available and provide links to stolen data. However, some individuals in this community are more active than others, regularly sharing data leaks from high profile organizations, often claiming they have hacked the data themselves or worked with other hackers to make the data available.
One such threat actor is known as USDoD. He has been very active on BreachForums, sharing multiple leaks and also claiming to be starting his own site to share data. However, it was reported late last week that he had been arrested in Brazil. Here we will review some of USDoD’s activities and what lead to his arrest.
Leaks Shared by USDOD
USDOD has had a profile on BreachForums since July 2023. In that time, he had posted 112 times, created 33 threads and earned a reputation of 891. His profile also states that he had referred 31 people to join the forum. He also won awards as a “leaker,” “hacker,” and “God.”
Figure 1: USDoD’s BF profile which has been banned subsequent to his arrest
While most threat actors active on the dark web tend to try and hide details about themselves, USDoD shared further information on his profile. While this information is likely false, it is notable that any information at all was shared. The profile also provides links to his Telegram channel and his Twitter/X account.
Figure 2: Additional information provided on USDoDs BF profile
While many threat actors are active on Telegram, it is unusual that USDoD linked his dark web profile to an open web social media profile. Linking this digital footprint allows investigators more avenues to identify the true identity behind USDOD’s alias.
USDoD was known to share posts on Twitter/X which would detail his activities such as, visiting family members in hospital and watching the US election debates. While these details could have been shared to throw off researchers, it is still unusual and risky behavior for a threat actor. His Twitter/X account is currently suspended.
USDoD leaked a lot of data on BreachForums. Some high-profile leaks and data scrapes included:
LinkedIn
InfraGard
National Public Database
USA Criminal Records
Crowdstrike IoC list
Gov UK database
EPA.gov
Such high-profile targets meant that many governments and law enforcement operators were likely keen to identify and apprehend USDoD.
Figure 3: List of threads posted by USDoD highlighting his targets
A New BreachForums?
When BreachForums was seized in early 2024, USDoD posted on Twitter/X that he was planning to create his own forum, hosted on the surface web which would allow users to continue to share data.
He claimed that this new site would be completely run by him, as he did not trust anyone else. He also outlined the technology he would use, the domains he had registered and how he would operate the site and what information would be allowed on it.
He stated that he was launching this platform for the good of the community rather than for financial gain. USDoD named the new site BreachNation, and even spent time uploading profile images and media related to the new site.
Figure 4: Twitter posts from USDOD announcing BreachNation
Ultimately USDoD backtracked on his promise to launch this site. In a lengthy post on Twitter/X he stated that he did not have the time to run the site in the way that he wanted to. He stated he had a social life to maintain and if he ran this site it would take up all of his time and he would not be able to live his life.
By this point, BreachForums was back up and running as usual, albeit with some more security to enter the forum. USDoD continued to use BreachForums to share more leaked data.
USDOD Doxxed?
Reporting in August 2024 suggested that USDoD had been doxed and that his true identity had been identified. However, no information was identified on the usual dox sites such as Doxbin and Pastebin.
Chatter quickly stated that the information had come from CrowdStrike, one of the targets of USDoD. A Brazilian news agency stated that they had been leaked a “detailed report from CrowdStrike” which had identified USDoD as a 33-year-old man living in Minas Gerais, Brazil.
The article further stated that all of the information relating to this individual had already been passed on to Law enforcement Agencies.
After this article came out, USDoD appeared to confirm that the information shared, and his true identity were correct. He stated that he would be turning himself in for the actions that he had taken.
Figure 5: USDoD quote confirming his identity
However, many in the community thought that the information was incorrect and that the information was made up to protect USDoD’s true identity.
USDOD Arrested?
On October 16, 2024, Brazil’s Policia Federal announced that they had arrested a suspect in Brazil as part of Operation Data Breach, who was allegedly responsible for hacking the Federal Police and other international institutions.
In their release, the police went on to state that the suspect had also boasted of several other “cyber invasions” including the hack of InfraGard.
The community which USDoD seemed very proud to be a part of was quick to spread the news of the arrest, looking for information to confirm if it was true, with some noting that they were wrong to doubt the authenticity of the “dox.”
Figure 6: Chatter on BF related to USDoD’s arrest
Conclusion
The arrest of the individual behind USDoD highlights Law Enforcement’s continued efforts to counter the spread of stolen information and apprehend the individuals for hacking into organization’s systems on a global scale.
However, USDoD presents an interesting case given his transparency about his daily life and his seeming indifference to hiding his identity, usually a hallmark of those individuals who operate on the darkweb. The fact that he was willing to confirm his true identity and suggest that he would turn himself over to law enforcement maybe suggests he had become disillusioned with his criminal activities.
Whatever the case may be, USDoD was a prolific hacker and sharer of sensitive data. His apprehension by Brazilian authorities will contribute to a safer ecosystem until some other actor steps up to take his place. But a message has been sent to the stolen data sharing community that they are not safe from law enforcement action.
In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election and highlight the importance of identifying and combatting mis- and disinformation.
Make sure to check out our full report on this topic.
NOTE: Some content has been edited for length and clarity.
Erin: We’re excited to kind of talk about this topic. I’m Erin, I’m the Director of Collections and Intelligence at DarkOwl, and I’m joined by my colleague Bianca who works on all of our investigations and services and has been digging into this topic quite a bit. So obviously, it’s November next week, which I find insane. And we’re just about two weeks out from the election. And there’s a lot of things going on out there on mainstream media, obviously. But we wanted to take a deep dive and see what we’re seeing from our side of things on the dark web. So, with that being said, I think we can dive right in and Bianca, I guess the first question would be:
Why is it important that we’re looking at the dark web in this election cycle?
Bianca: Well, during this election period, as with previous elections and recent years, particularly since 2016, we’re seeing disinformation narratives gaining pretty significant traction. And disinformation, as we know, can play quite a significant role in influencing voters. And much of these false narratives that we’re seeing are originating on the dark web and dark web adjacent spaces, especially Telegram. And so, because of that, in order to get a comprehensive picture of the online disinformation landscape and the role it can play influencing voters, it really is vital to examine the role that the dark web plays in spreading that disinformation.
Who are probably the main groups that we should be concerned about them that we’re seeing kind of having, spreading this kind of disinformation and misinformation?
I think you can basically broadly divide the main groups into two categories. And I’d say that the first one is nation states and then you also have domestic actors. So, starting off with the nation states, two of the main actors we’re seeing are Russia and Iran. Russia of course has a history of leading influence operations against the US as we’ve seen since 2016. Russia’s strategy this year though, it’s worth noting, does seem quite different compared to previous years. Most notably, they really seem to be taking advantage of domestically produced conspiracy theories more and more really this year, as opposed to, as we’ve seen previously from them – creating their own false narratives and then sharing and disseminating those narratives. And I think that shift in tactics is a reflection of the domestic disinformation landscape that we’re seeing right now, where you have these absurd conspiracy theories entering the mainstream and then being viewed by millions of people online. So really, nation states like Russia that are leading these foreign influence operations are recognizing that that’s unfortunately something they can take advantage of these domestically produced conspiracy theories.
Other than Russia moving on with these nation -state actors, we are of course seeing Iran emerging as a key player right now in election influence operations. In the lead-up to November 5th, Iran has already carried out cyber-attacks against election campaigns with the DOJ – just recently announcing the indictment of, I believe, three Iranian hackers for targeting former President Donald Trump’s campaign. Importantly though, Iran is also actively sharing content that like Russia’s, is aimed at sowing discord in the US. And that’s something we’ve seen from Russia, of course, since 2016, increasingly. And for Iran, Microsoft researchers in particular identified these websites associated with Iran that are basically posing as American sources and spreading in disinformation.
So we’ve got Russia, Iran, and continuing on with nation states, we really shouldn’t forget China was also leading its own election -focused influence operations. One of its influence operation campaigns has been active since 2017. And we’ve recently been seeing increased activity from that campaign. But I do want to highlight that researchers do seem to believe that China’s efforts likely will be more restrained compared to Russia and Iran. And they don’t really seem to be aiming to undermine one campaign over another. So whereas you see Russia attempting to undermine Vice President Kamala Harris’s campaign and Iran attempting to undermine former President Donald Trump’s campaign, we’re not really seeing that lean or favoring from China to the same extent. So those are the main nation-state actors.
Erin: It’s interesting as well, sorry to interrupt you, but how the landscape has changed since 2016, right? So I saw some reporting with Russia as well that they didn’t necessarily get what they wanted maybe out of the Trump presidency and is that impacting what their goals are and how they’re reacting now. So it seems like as you were just saying, that they’re more trying to focus on just creating that conflict internally in the US, as well as still, promoting Trump, but it’s interesting how they’ve changed their tactic.
Bianca: Yeah, that’s a great point. And they’re just continuing to so discord, like that seems to be the number one priority, really, and undermining faith in the election process and undermining faith in democracy. So that’s something we’re still seeing from them. Those are the main nation-state actors to answer your question that are kind of the main players right now in the disinformation landscape.
But I do also want to highlight that second bucket I mentioned that’s domestic actors. And there are US-based individuals and political movements that are generating disinformation related to the election and candidates that we’re seeing right now. For instance, the far-right conspiratorial movement, QAnon in particular, which first appeared in 2017, they seem to have effectively entered the mainstream at this point, and their conspiracy theories are seen across the surface web. And that’s a lot of the disinformation that we’re seeing in the current landscape is coming from these far-right conspiratorial movements. To answer your question, I’d say those are the two main buckets, the nation-states, but then also domestic actors.
What are the most common types of disinformation narratives that we’re currently seeing being circulated?
I’d say broadly you can group the main narratives into two groups, two categories. So those that are questioning election integrity and then you have those that are targeting presidential candidates. So, for the first category, you have essentially all of the disinformation that’s questioning election integrity. So unfounded claims of voter fraud, which of course was also a very dominant narrative in 2020, and we’ve seen that narrative persist and enter the mainstream increasingly. And some of those narratives are being amplified by foreign actors, but American citizens themselves are also responsible, I think, for a lot of that amplification. That’s the first category and then the second category broadly is disinformation aimed at undermining either Vice President Kamala Harris’ campaign or former President Donald Trump’s campaign. To give an example, you have Russia spreading disinformation that’s again meant to support Trump and undermine Harris and then at the same time Iran spreading disinformation meant to support Harris and undermine Trump. To give a more specific example, one of the most recent examples of disinformation aimed at undermining a candidacy was this staged video that was created by Russia that falsely accused Governor Tim Walz of sexual misconduct. And that was a story in the news this week. The video has already been debunked, but it nonetheless gained hundreds of thousands of views on Twitter and has been shared on the dark web and on groups in Telegram. So, I’d say those are really the two main categories that we’re seeing right now.
Erin: I think with AI and things, it really highlights how videos can be made relatively easily these days that can be shared. And by the time that they’re debunked or shown to be false, the damage is almost done, the genie’s out of the bottle. So definitely concerning, but you just touched on the dark web and Telegram.
How are we seeing it being shared on the dark web and how are apps like Telegram being utilized?
Well, to address Telegram, right now we are seeing lots of groups on Telegram, especially far-right ones, that are basically spreading disinformation meant to sway voters. And again, some of that disinformation is coming from nation states. There are Russian news bots in a lot of these channels that are sharing headlines and articles that, again, are false and have no basis in fact. So, like you’ll see RT news, Russian bots, RT news, of course, being Russian funded propaganda. And then you’ll also have some of these same Telegram groups and channels sharing disinformation that’s originating from U.S. based individuals and again, conspiratorial movements like QAnon. So going back to this, the role that domestic actors are playing in addition to nation-states. It’s really interesting that a lot of the conspiratorial content that we’re seeing on spaces like Telegram, a lot of that content is leaking into the surface web. And vice versa, there is a lot of content overlap. And that’s concerning given that there used to be a much clearer distinction between the surface web and platforms, dark web adjacent platforms like Telegram. So, you’re seeing a lot of interaction in terms of the content we’re seeing on both spaces.
Erin: I think that’s an interesting point, right? Because we tend to think of the dark web, some dark web adjacent platforms like Telegram where there’s limited oversight, although obviously that seems to be changing at the moment, where people want to hide their intentions and stay anonymous. And with this, we’re really seeing people like move over and have less concern about hiding their identity. Like, how do you see that happening and why do you think that’s happening?
Bianca: I think it’s not surprising that we’re seeing, you know, anonymity being weaponized to spread this information, right? It’s more difficult to attribute this disinformation to a specific group, even a nation state or an individual, if they’re remaining anonymous, and that’s not just on the dark web, you know, we’re also seeing the anonymity on the surface web with users on Twitter, now X, spreading disinformation, but kind of hiding their true identity. And that’s become a lot easier on Twitter, especially where the verified checkmarks don’t signify reputability anymore that you just buy the checkmark. And it’s easier to kind of stay anonymous and sell yourself as this reputable source.
I did want to touch back about Telegram, though. I think it’s not surprising that we’re seeing a lot of disinformation there, of course, wanting to flag that just a few months ago in August, the app’s founder was arrested and charged in France in relation to an investigation into criminal activity on Telegram. So, it’s really not just disinformation being shared on the platform. The main concern right now also is violent extremist content and child sexual abuse material that we’re seeing on Telegram. But in terms of disinformation, I think it’s worth highlighting that one of the main concerns about Telegram is the sheer size of the groups and channels there. So, channels don’t have a limit on the number of subscribers and groups can have, I think as many as 200,000 members, which is massive, right? And that scale means that disinformation can very quickly reach large audiences and then gets shared and amplified by these massive groups in over and over and over again. So overall, Telegram is absolutely hosting a lot of the disinformation we’re seeing regarding the election, whether that’s false claims of voter fraud or also disinformation targeting presidential candidates. And that’s definitely something to be concerned about.
Erin: Yeah, and I think we’ve definitely seen Telegram being used in other arenas in that way as well. Israel Hamas is an excellent example of disinformation being shared and even actual news information being shared quicker on Telegram than it is on mainstream media. And someone was asking me earlier this week, actually, if I think what’s next after Telegram now that the CEO’s been arrested and moved on and I was like, honestly, I don’t think people are going to move or not quickly because there’s too many people in too many groups and they’re too well established that I think it will be difficult for them to move and create that with any of the other apps that are out there, but it’s definitely having an impact I think on a lot of the things that are going on. So that’s a really interesting insight.
There’s a lot of conspiracy theories going around and some conspiracy theories have even been shared by the candidates themselves. How do you think that’s impacting the information that’s being shared and how viral those things are getting?
Bianca: Conspiracy theories are effectively significantly distorting the information landscape right now, in the lead up to the election. And as you noted, a lot of them are gaining a lot of traction. And I think, you know, to give an example, a good example of the prominence of conspiracy theories right now is the information landscape we saw during Hurricane Helene and Milton. So you had far-right groups and individuals who were spreading disinformation claiming that the US government was using weather control technology so that the hurricane would be steered towards Republican voters. And you had, as you noted, of course, prominent figures reiterating these theories. There were politicians and public figures amplifying that conspiracy theory. Former President Donald Trump claimed that hurricane relief funds were being spent on illegal migrants, so having public figures reiterate those conspiracy theories lend them more credence, right, and makes it easier for them to gain traction, even though they are completely false. A lot of these conspiracy theories gained millions of views on Twitter and were reshared by more prominent figures in the Republican Party and also by Twitter’s own CEO, Elon Musk. And a lot of the most viral posts were from far-right individuals sharing often xenophobic and racist conspiracy theories. And so, I think the fact that there are millions of people engaging with this content, on Twitter especially, and amplifying and agreeing with the conspiracy theories is very concerning. And it’s ultimately a reflection of the divisiveness that we’re seeing ahead of the election. What we saw with Hurricane Helene and Milton was effectively the weaponization of tragic events, right? To influence voters ahead of the election. And that weaponization unfortunately worked and reached a massive audience. And it of course also had unfortunately real world implications with meteorologists receiving death threats. So absolutely conspiracy theories are playing a key part in this disinformation landscape right now.
What are we seeing from the far left or from others? Is it quite a similar activity or is it different?
Well, that’s a really interesting question because, of course, no political party is immune to conspiracy theories. But based on the research we’re doing right now, far-right individuals, including public figures or Republican members of Congress are dominating the disinformation landscape right now on the dark web and also on the surface web, importantly, and like I said, there is a lot of overlap in terms of content in both of those places. A lot of the dominant conspiracy theories we are seeing right now are rooted in far-right ideas. So again, for the Hurricane Helene and Hurricane Milton response and information landscape, we saw a lot of conspiracy theories and disinformation aimed at undermining the Biden-Harris administration and the Harris Walz presidential campaign. And on dark web adjacent platforms like Telegram, far-right groups are also dominant in terms of election disinformation. The group spreading significant disinformation and with the largest numbers of subscribers are our right groups as we’ve seen up until now. And that’s consistent with findings as well that that type of disinformation does tend to be particularly prevalent and toxic in that far-right online space.
Turning to left-wing conspiracies, the most prominent one I’d say that we’ve seen up until now was the baseless claim that the July 13th assassination attempt against former President Donald Trump in Pennsylvania was staged by the Trump campaign. And a lot of that chatter surrounding that unfounded conspiracy theory, interestingly enough, was on Twitter, X, rather than on the dark web. Ultimately, no political movement is free of conspiracy theories. But the ones gaining the most traction right now do appear to be far right conspiracy theories.
Erin: Yeah, I feel like it seems like the far right are just a lot better at organizing and weaponizing things like social media and telegram and etc. because we did a lot of work to try and balance and see what we could find left-wing group that’s thought of out there talking and you know maybe they’re just better at hiding what they’re saying or maybe they’re not you know doing it in the same way but it’s interesting how it does always seem to lean to that far-right side.
I know there was a recent arrest a couple of weeks back of an individual in Oklahoma that the FBI stated had intentions to attack voters. This is a very real-world impact. Can you talk about how that was linked to Telegram and how we’re seeing that thing being spoken about on dark web adjacent sites?
Bianca: Yes, absolutely. For more context, earlier this month, the DOJ announced that they had arrested this Afghan national who was based in Oklahoma City. Like you said, for plotting an attack on election day on behalf of ISIS. And then he was arrested by the FBI for purchasing two AK 37s with his brother-in-law, who was an accomplice, and the suspect admitted that he was going to carry out the attack on election day and expected to die in that attack and go down as a martyr. In terms of his connections to Telegram, the suspect interestingly was very active in pro-ISIS telegram groups and allegedly saved ISIS propaganda, as was noted in the indictment document, to his iCloud account and I believe also to his Google account. So, ISIS propaganda from Telegram. He had also been in contact with an ISIS associate via Telegram who was giving him guidance regarding the upcoming attack that he was plotting. So definitely Telegram connections there and it’s ultimately not that surprising given that Telegram is notorious for being a hotbed or extremist activity, particularly for ISIS. There are lots of pro-ISIS groups there. And not just, of course, pro-ISIS groups, unfortunately, a lot of domestic extremist groups, as I noted, that being one of the main issues leading to the CEO’s arrest recently in France. But absolutely, the individual had ties to individuals in ISIS,and those connections were through Telegram.
Erin: Yeah, it’s interesting how we see this group for really being used in Telegram and how the arrest of the CEO may impact that. I mean, we definitely saw after the announcements that Telegram are going to cooperate with law enforcement and individuals talking about moving to other messaging platforms. As I said, I’m not sure, that they’re all going to move, but I think it’s interesting that they’re having those conversations because Telegram really has been that hotbed and obviously, we’re talking about elections now, but I think you can go to any big event that’s happened or any kind of extremist group and find some kind of telegram footprint for them at the moment.
How do you think things are comparing to the disinformation and what we were seeing in the 2016 campaign?
Well, in 2016, we, of course, had Russia leading extensive disinformation operations against the U.S., also in an effort to interfere with the presidential election, and, as you mentioned, the aim of those campaigns was to sow discord and undermine American democracy, and they used bots and intelligence officers that were masquerading as American citizens to spread this information and again exacerbate divisions. And these operations have not stopped, right? We’re still seeing that activity today. But what’s different now, in 2024 compared to 2016, is that other nation-states have significantly ramped up their influence operations as well, you know, as I mentioned, particularly Iran, and they’re engaging in similar large-scale campaigns, you know, Iran in this election has really emerged as a prominent actor in the current disinformation landscape in the lead-up to November 5th. They’ve already carried out cyber-attacks against presidential candidates, campaigns, they’ve actively disseminated disinformation meant to sow discord among American voters like Russia did in 2016. And you know, as I mentioned, we’ve also seen China similarly amplifying divisive rhetoric and there are Chinese linked influence operations and campaigns that are spreading disinformation and conspiracy theories.
So, to answer your question, ultimately, this year is quite different from 2016, just in terms of the variety of actors that we’re seeing engaging in large scale influence operations. But also importantly, I think that what’s particularly concerning right now, and especially different from 2016 is the way that, as I’ve noted, conspiracy theories have effectively become mainstream. And that’s really not to say that 2016 was devoid of conspiracy theories. There were, of course, conspiracy theories in 2016 and there will always be conspiracy theories. But the scale of their reach today is on a completely different level. As I mentioned, there are mainstream platforms, particularly X, so not just the dark web, where false claims about presidential candidates and regarding the validity of the election, these conspiracy theories are gaining millions of views. And part of the reason that their It is so significant is that you have US prominent US based individuals that are amplifying those conspiracy theories and allowing it to gain even more traction. And because of that, these conspiracy theories have entered the mainstream and are not just in the dark corners of the internet anymore. So, I think that’s really the the main difference between 2016 and 2024.
Erin: Yeah, I feel like domestically, people are just more emboldened to share their views regardless of if they’re conspiracy theories or even if they’re not, they’re just, I think people are less concerned about the impact that that’s going to have as you say, because on both sides, so many politicians are backing that kind of rhetoric. And as you say, it’s interesting, obviously, we focus on the dark web and dark web adjacent, that it’s kind of impossible to look at this topic these days without looking at social media, because there’s such an overlap and they interact so much, like the things that are shared on Twitter, and then immediately put onto Telegram and vice versa. And there’s no one policing that or checking that. And the likes of Facebook and Instagram will try and say, this isn’t true or this isn’t verified or read this at your own cost, but Twitter seems to have moved away from doing that a little bit in recent years. And yeah, I think it’s very difficult with the amount of information that individuals are receiving to make sense of everything that’s going around and just the pure, as you say, the sheer size of data and conspiracy theories and things that are being shared now compared to previously. I can see why it’s difficult for people to make a judgment. And as I said earlier, like once these things are out there, it’s really hard to walk them back. There’s a lot of people that however many times you tell them something isn’t true and it’s been debunked, aren’t going to believe you.
Do you think we should expect a shift, as I said at the outset, we’re just over two weeks away from election day. So are we expecting any shift as we move closer to the election day?
Yes, absolutely. It’s very likely that we’ll see a pretty significant increase in disinformation targeting American voters as we get closer to November 5th. Russia, Iran and China are well aware of the fact that their influence operations can have a greater impact closer to the date of the election when they can influence voters. And as individuals have already begun to vote. And US intelligence officials are actually already warning of this increase. There were reports stating that influence operations targeting specific political campaigns have already increased. I think it’s really important to note, though, that foreign influence operations aren’t going to stop after November 5th. And the ODNI actually just released a report, I think yesterday, warning that Russia, China, and Iran are all expected to continue their influence operations well through inauguration day. And it’s very likely that they’ll continue spreading disinformation again meant to sow discord among Americans and to undermine trust in the election process. And that’s something we already saw with the presidential election in 2020. Election officials and intelligence officials have particularly warned that there’s a possibility that Russia, Iran and China could actually try to stoke post-election violence. So that’s something that definitely needs to be closely monitored. But yes, we’re expecting to see an increase in that kind of activity leading up to November 5th, but also well after November 5th up until inauguration day.
We’ve mainly been talking about all the concerning things that are happening in this run up to the election, but I want to touch on what steps can individuals and organizations take to try and combat some of this election related disinformation.
I think the most important step and the quickest one, at least for individuals, to combat disinformation and this it seems very simple but it’s to verify sources. So before sharing or reposting anything online, just taking a few minutes to check the credibility of the source and also take the time to cross reference and see if you can find another source that’s also a reputable or sharing the same information. So if you can cross-reference, there’s a greater likelihood that that information is valid. For organizations, I’d say carrying out fact-checking initiatives already is vital. Social media platforms, it’s worth noting, have the ability to give users the opportunity to report disinformation. And that’s huge. But Twitter, again, coming back to Twitter unfortunately removed a feature that allowed users to report misinformation and disinformation. So, bringing that back that feature, I think, and for other organizations and social media platforms implementing that features is a pretty vital first step to combat election related disinformation. But yeah, fact checking in general and verifying your sources is the way to go.
Erin: I think knowing where something came from and make sure that it’s not just circular reporting. Everything is coming from one place. Usually, you know, a place that may not be that legitimate is such an important thing to do. And I think having discussions about that. So just going back to the dark web briefly, I think we’ve talked about how there’s a lot of crossover that’s going to mainstream social media sites. Would you say that there’s anything specific on the dark web relating to elections? I know like in the past, we’ve seen things related to like voting machines and hacking. And you know, DEF CON is famous for having their hacking village. Have we seen an increase in that kind of discussion or not really? Absolutely, seeing a lot of narratives about kind of questioning election integrity, like you said, voting systems.
Bianca: Absolutely, a lot of that on the dark web and on telegram channels, especially in a lot of these channels that have as many as, you know, and groups that have as many as 200,000 subscribers. Again, a lot of them are aimed at undermining confidence in the election process in the U.S. and sowing discord. So definitely seeing those conspiracy theories dominant on Telegram, but as you noted as well, you really can’t look at it in the vacuum, right, because a lot of those disinformation narratives are also being seen on mainstream platforms. So, it’s interesting that we’re seeing this kind of dialogue between the two spaces and that theories that previously would have probably been limited to the corners of the internet as it were are now very much so in the mainstream. And it’s sometimes even hard to identify where they first originated? Just because of the fact that we’re seeing them all over the place, all these conspiracy theories.
Erin: Yeah, absolutely. And I think that’s the thing I think on the dark web, the more things that we see are the traditional dark web things that you see people doing, like talking about hacking, or talking about, you know, leaking voter information or information that could be used relating to voters. That’s the dark web bread and butter whereas you know outside of things like Telegram I’m not sure that people are using the dark web for those kinds of conversations because they don’t need to they can do it on mainstream platforms without fear of you know reprisal so it’s a really interesting shift I think that you’re highlighting.
Any final thoughts that you wanted to share?
Well, just highlighting again I’m glad that you asked the question about things people can do to combat disinformation and just flagging again the importance of verifying sources. There are lots of great sources online as well from CISA on step selection officials can take to ensure to ensure that we’re combating disinformation right now. Organizations and individuals can do a lot to combat this rise in misinformation and disinformation that we’re seeing right now. Thank you all for joining this webinar.
Erin: That just made me think as well – I was at some sessions recently where I feel like you can’t have a dark web or an OSINT or a chat these days about mentioning AI. And I just feel like these days with the way AI is improving and deep fakes in terms of generating stories and generating videos and generating images is just something people that need to be so aware of and goes back to your point about really validating those sources because things can look so believable these days in a way that they couldn’t several years ago. So I think that’s an interesting point as well.
Read on for highlights from DarkOwl’s Product Team for Q3, including new exciting product features.
Major Vision UI Updates
Website Mentions
The team is thrilled to announce that one of our most requested features from clients went live this quarter! Website Mentions is now a feature extraction in our dataset, which provides more inclusive searching and monitoring for domain results. This helps you surface more results when you search—such as results with subdomains as well as domains within URLs.
Enhanced searching features are available in Vision UI and Search API, including:
New Search Tools and search options
Updated Filter values
Website field included on search results
Additionally, Score API and Ransomware API have been adjusted to use our new Website Mentions feature extraction for increased domain detection.
More Product Updates
Password Detection and Classification Updates
We’ve improved our password detection, which identifies more password formats within our data collection, as well as password classification, which identifies whether it is plaintext or hashed. Now, users can see more passwords associated with email addresses than ever. This feature is available in our Vision UI and Entity API.
Actor Explore and Actor API
Based on customer feedback, we’ve added Country Targeted and CVEs as filters on the main Actor Explore page. Recently updated actor dossiers include IntelBroker, USDoD, ShinyHunters, and yalishanda.
Actor API is now available as an add-on option for All-Data-and-Context subscriptions. This allows you to programmatically retrieve all information contained within our actor dossiers. The Actor Summary endpoint allows customers to see what actor dossiers are available in our database.
Other Vision UI Updates
Explore Training Guides
This quarter, we launched in-app training guides for our Explore section. These complement and expand on our previous Basic Onboarding guides. We walk through all the features in the Actors, Entity, and Leaks sections, showing exactly what to click on. Explanations and tips arm you with all the details you need to get started with these sections.
Query Builder and Template Additions
The new Company query builder makes it easy for users to search for both their company name and company domain in one search. To access, go to the Search Tools menu, and select Query Builders. There, you can select Company, and fill in the two fields.
Site Context for Forums
Site Context is information from the DarkOwl analyst team that gives additional enrichment about search results. This includes the Site Name and any aliases, and may include relevant dates or other information. Where available, options to pivot to Actor Explore, or to pivot to search associated Telegram channels will be present. We initially rolled out this feature for Ransomware sites, and this quarter we’ve expanded it to Forums.
Collection Stats
Highlights
This quarter was another one of growth in data collection. The team had 18% growth in credit card numbers, 11% increase in unique crypto wallets, a 14% growth in total collected Tor documents and another 14% growth in total collected records from Telegram – just to highlight a few.
Leaks of Interest Collected
When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Context product feature.
LeakBase.io
Data purported to be from LeakBase was posted on Nulled, a hacking forum, on August 10, 2024. According to the post, this is a scrape of the site and contains data on 78,540 users. Data exposed includes user identification numbers (UID), usernames, number of messages, and reaction scores.
National Public Data
Data purported to be from National Public Data (NPD) was posted on BreachForums, a hacking forum, on August 6, 2024. According to the post by threat actor Fenice, the full NPD database was breached by SXUL. Data exposed includes full names, dates of birth, physical addresses, phone numbers, and Social Security Numbers.
Crowdstrike IoC list
Data purported to be from CrowdStrike was posted on BreachForum, a hacking forum, on July 28, 2024. According to the post, UsDoD claims to have the entire IoC (Indicator of Compromise) list from Crowdstrike but only released the first 100,000 records. Data exposed includes indicators, types of malware, actors, reports, kill chains, published dates, latest updates, and labels.
trello.com
Data purported to be from Trello was posted on BreachForums, a hacking forum, on July 16, 2024. According to the post, Trello had an open API endpoint that allowed unauthenticated users to map an email address to a Trello account. Data exposed includes email addresses, names, profile data, user identification numbers (UID), and usernames.
Neiman Marcus
Data purported to be from Neiman Marcus was posted on BreachForums, a hacking forum, on June 27, 2024. According to the post, ShinyHunters breached the Neiman Marcus Group Inc. in May 2024, claiming that the leak contained data on more than 40 million customers, including 29.7 million unique email addresses. Data exposed includes customer account balances, credit cards, dates of birth, gift cards, IP addresses, full names, payment histories and methods, phone numbers, and physical addresses.
Curious how these features and data can make your job easier? Get in touch!
Phishing-related attacks remain a highly effective method used by actors to gain initial access to victims’ environments. Despite increased efforts in cybersecurity education, phishing attacks continue to rise, posing a threat to individuals and organizations alike. According to IBM’s 2024 Threat Intelligence Index Report, initial access due to phishing increased from 30% in 2022 to 41% in 2023. DarkOwl regularly collects discussions on the dark web where bad actors share TTPs (tactics, techniques, and procedures) to perform more sophisticated phishing-related campaigns, some of which we will highlight below.
In the early days of phishing attacks, bad actors simply used emails with malicious links to lure their victims into exposing their credentials. Although this is still very prevalent, these techniques are quickly evolving as threat actors adopt adjacent styles of phishing, like voice phishing (vishing), SMS phishing (smishing), QR code phishing (Quishing), deepfake phishing (AI phishing), and more. It’s important to understand how these attacks are evolving and how threat actors are adjusting their approach to increase the likelihood of success.
Emerging Phishing Techniques
Voice Phishing (Vishing)
Vishing is one of the most common forms of social engineering used by threat actors. This method can be highly effective because, unlike traditional email phishing, communicating over the phone (or voicemail) adds a psychological trust element, boosting immediate credibility. A charismatic, personable, professional, or sincere caller can more easily trick a victim into providing sensitive details over the phone.
This tactic becomes even more difficult to prevent or identify due to how easily accessible VoIP (Voice over IP) software is, which enables anyone to spoof any phone number. This allows attackers to mimic the phone number of the entity they are impersonating, making their scam appear even more legitimate. Instead of targeting a specific individual, actors also use automated robocalls to reach thousands of potential victims around the clock. Like phishing emails, this method relies on the “it only takes one” strategy to make the fraud successful.
In 2020, a U.S. federal court indicted an India-based VoIP company on charges related to robocalls originating from their servers that impacted American victims. These robocalls were estimated to be in the tens of millions and resulted in losses of 20 million dollars.
SMS Phishing (Smishing)
Very similar to Vishing, is Smishing which also focuses on mobile devices to lure potential victims into gaining trust and exposing sensitive data. This attack vector also has much in common with traditional Phishing because malicious links are the primary source of exposure. Whether it’s a claim for a digital coupon, a USPS tracking code, or an Amazon shipment update, the actor wants to direct you to another page that entices you to provide your credentials or other sensitive data.
With the 2024 presidential election rapidly approaching, the United States has seen a surge in smishing messages involving fake voter registration pages. According to a recent CBS News report, these text messages claim to provide forms to register to vote online. This dangerous trend highlights the significant impact mass smishing campaigns can have on the public if malicious actors are able to tamper with, misuse, or impersonate citizens’ voter registration data.
Shameless Plug: If you haven’t registered for our webinar on Dark Web Influence on the 2024 U.S. Presidential Election, make sure to register!
QR Code Phishing (Quishing)
Although not as common as other phishing methods, quishing has been observed in the wild to trick victims into navigating to malicious links or downloading malware. A QR code can embed any text or data, with capacities of up to 4,296 alphanumeric characters or 2,953 bytes for binary data, encoded into a digital square. This means bad actors can devise creative and novel ways to lure someone into believing the content is genuine, such as placing malicious QR codes over legitimate ones in public places or online. For this reason, it’s vitally important to use a QR code scanner that provides you with a visual of the URL or data before you interact with it.
The following excerpt, discovered on DarkOwl’s Vision platform, showcases a dark web conversation in which the author explains how QR code exploitation occurs in the wild.
Figure 1: Two criminals putting fake QR codes over the ones on carparks, pub tables and EV charger points that redirect to a lookalike site and steal your credentials; Source: DarkOwl Vision
Deepfake Phishing (AI Phishing)
A more theoretical type of phishing tactic, not yet widespread, involves the use of artificial videos, photos, and audio—also known as deepfakes or AI phishing. Security researchers have explored potential ways actors could utilize these new forms of technology to perform malicious actions, but thus far, the impact has not materialized at a large scale. However, as this technology becomes cheaper, harder to detect, and more accessible, it is likely to become a popular mode of exploitation.
The implications of this attack are not difficult to imagine. In a Financial Times article, UK banks were cited as already grappling with how to best handle Know Your Customer (KYC) regulations, voice impersonation attacks, and other types of AI impersonation tactics that could impact global finance, as well as individual customers.
Summary
As phishing attacks continue to evolve beyond traditional email scams, it’s important for individuals and organizations to stay informed of the tactics cybercriminals employ. From vishing and smishing to quishing and deepfake phishing, threat actors are constantly adapting their methods to exploit new technologies and vulnerabilities.
Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.
In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, and brute force attacks. In this edition, let’s dive into Drainer as a Service.
Drainers as a Service (DaaS) is a disturbing evolution that makes sophisticated financial fraud accessible to even low-skill criminals. In this blog, we’ll explore what DaaS is, how it works, and why it’s becoming a growing concern in the cybersecurity world.
Drainer as a Service 101
A drainer refers to a malicious tool designed to drain cryptocurrency or traditional financial assets from a compromised account, wallet, or online platform. These tools target everything from crypto wallets to bank accounts and e-commerce platforms, allowing attackers to steal funds quickly and anonymously.
Drainers simplify the process for cyber criminals so you need not be sophisticated in able to use them. This makes this type of fraud much more accessible and easier for individuals on the dark web with very few skills to conduct these types of attacks.
Drainers can operate in a number of different ways, they can be deployed as part of a phishing kit which will steal users credentials to access their accounts as well as malware which can be deployed to track and collect information about a user’s financial transactions. Depending on how the drainer, they can also automatically “drain” the funds from a victims account, sending them to an account/wallet designated by the threat actor.
Due to the automated nature of drainers, it means that criminals can target large numbers of victims at once. This makes this type of fraud highly profitable.
However, there are threat actors and groups that are also offering the use of drainers as a service. This means that they are selling the tools for others to use. This allows others to purchase, on the dark web, drainers on demand. They will also often be accompanied by support for any issues as well as tutorials on how to use the tools. In this way cyber criminals have commoditized Drainers, selling them much like a legitimate company would sell software.
Providing Drainers as a Service means that the providers are able to profit from this type of activity without directly participating in financial fraud. However this doesn’t make it any less illegal.
Figure 1: Source: DarkOwl Vision
Criminals will advertise their drainer on dark web forums and Telegram and offer subscriptions to the service, this allows them to get access to the tools, the updates that are made as well as support.
Figure 2: Subscription for drainer advertised on carding forum
It is also possible to purchase the tool direct. However criminals prefer to offer this as a service or an affiliate program as this means that they can charge a commission on the funds that are stolen by the buyer or affiliate.
Figure 3: Drainer for sale with commission
Often, Drainer tools will only work with certain cryptocurrencies or wallet types, which can restrict how they can be used. Although some providers will offer customization as part of their service so the buyer can use it as they wish.
Figure 4: Advertisement for Drainer which only works with certain wallets; Source: DarkOwl Vision
Although most drainers do target cryptocurrency, as it is commonly used on the dark web and the transactions are always digital in nature. However, Drainers are also traded on the dark web which are designed to target traditions bank accounts.
Figure 5: Chat with users asking about bank drainers; Source: DarkOwl
The rise of DaaS poses a significant threat to both individuals and organizations. As these tools become more widespread, even unsophisticated attackers can cause substantial financial damage. Cryptocurrency holders, in particular, are at risk, as crypto wallets are often less regulated and less secure than traditional banking systems.
As these services become more prevalent, it is crucial for individuals and organizations to stay vigilant, adopt best security practices, and remain informed about the latest threats.
To see DarkOwl Vision and our collection in action, contact us.
In a September 04 press release, the U.S. Department of Justice (DOJ) announced it had seized 32 domains used in Russia’s ongoing foreign influence operations. In addition to efforts to reduce international support for Ukraine and amplify pro-Russian propaganda, the campaign also aimed to influence voters in the upcoming U.S. 2024 presidential election. Since its alleged targeting of the 2016 election, Russia has continued to bolster its disinformation operations in an effort to secure its “preferred outcome in the election.” Russia is not alone, however, in its endeavors; Iran and China, too, appear to have ramped up influence operations against the U.S.
In this report, DarkOwl analysts explore the election disinformation landscape on the dark web. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, conspiracy theories previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election, and highlight the importance of identifying and combatting mis- and disinformation.
Have any questions for our team? Interested in learning how our analyst team can help your research and investigations? Contact us.
In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.
Be the first to know as we release new research by entering your email below!
Upcoming Content This Month
REPORT
Election Disinformation
In the lead-up to the upcoming U.S. presidential election, the disinformation landscape is becoming increasingly complex. DarkOwl analysts have delved into how mis- and disinformation originating from the dark web, and alternative online spaces, is infiltrating mainstream platforms. Various actors, including nation states, U.S.-based political movements, and conspiracy groups, are shaping this online space. Their activities have led to false narratives moving between the deep, dark web and more widely accessible platforms.
As major social media companies struggle with regulating disinformation, narratives once confined to niche spaces are now gaining broader traction. This underscores the importance of recognizing and addressing the growing influence of disinformation as the election approaches. Stay tuned for the full report and sign up for emails to get this report directly delivered to your inbox upon publication. Read full report.
BLOG
What are Drainers as a Service?
In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, and brute force attacks. In this edition, let’s dive into Drainer as a Service.
Drainers as a Service (DaaS) is a disturbing evolution that makes sophisticated financial fraud accessible to even low-skill criminals. In this blog, we’ll explore what DaaS is, how it works, and why it’s becoming a growing concern in the cybersecurity world. Check it out.
BLOG
The Rising Tide of Phishing: Exploring Emerging Threats Beyond Email
In the early days of phishing attacks, bad actors simply used emails with malicious links to lure their victims into exposing their credentials. Although this is still very prevalent, these techniques are quickly evolving as threat actors adopt adjacent styles of phishing, like voice phishing (vishing), SMS phishing (smishing), QR code phishing (Quishing), deepfake phishing (AI phishing), and more. It’s important to understand how these attacks are evolving and how threat actors are adjusting their approach to increase the likelihood of success. Read here.
EVENT
DarkOwl @ OsmosisCon in Las Vegas, NV
Attending OSMOSIScon conference? The open source skills-building conference’s mission is to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices. Stop by Table 17 and schedule time to meet with us in-person here.
BLOG
Q3 Product Updates
Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. There is always something exciting coming from our Product and Collections teams and the team is excited to share this round of updates! Check it out!
EVENT
it-sa Expo&Congress in Nuremberg, Germany
Going to be at it-sa, Europe’s largest trade fair for IT security…and one of the most important dialogue platforms for IT security solutions? Make sure to schedule time to meet us and see us at Booth 7A-632 during the show.
WEBINAR
Election Disinformation
In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election, and highlight the importance of identifying and combatting mis- and disinformation. Recording and transcription here.
BLOG
Cyber Actor Spotlight: Terrorgram
The dark web community of those buying, selling, trading and sharing data is extremely active. Dark web sites such as BreachForums and LeakBase are heavily used by threat actors to trade data, ask about what is available and provide links to stolen data. However, some individuals in this community are more active than others, regularly sharing data leaks from high profile organizations, often claiming they have hacked the data themselves or worked with other hackers to make the data available.
One such threat actor is known as USDoD. He has been very active on BreachForums, sharing multiple leaks and also claiming to be starting his own site to share data. However, it was reported late last week that he had been arrested in Brazil. Here we will review some of USDoD’s activities and what lead to his arrest. Full blog here.
BLOG
Exploring the Darknet: A Halloween Journey
The darknet can be a scary place. 👻 For Halloween, we will highlight some spooky findings from our analyst team that they have come across this past year. In the meantime, check out last year’s edition where the team uncovered human organs for sale, human meat for sale, and hitmen for hire! Check out this years’ blog here.
Curious to see how darknet data can improve your cybersecurity situational awareness? Contact us.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. US cracks down on spyware vendor Intellexa with more sanctions – BleepingComputer
In a September 16 press release, the U.S. Department of the Treasury announced the sanctioning of five individuals and one entity linked to the Intellexa Consortium for the development of Predator spyware. Intellexa Consortium is a network of decentralized companies responsible for creating highly invasive spyware products that have been marketed under the “Predator” brand. Predator spyware is notably used by state-sponsored actors and governments to gain access to sensitive information on victim’s devices. As highlighted in the press release, previous targets of the spyware have included “government officials, journalists, policy experts, and opposition politicians.” Full article here.
2. China is pushing divisive political messages online using fake U.S. voters – NPR
Chinese State linked actors are reportedly running an influence operation, known as Operation Spamouflage, in which they are claiming to be US soldiers or American voters and commenting on controversial topics on social media. Topics have included reproductive rights, America’s policy towards Israel and support for Ukraine as well as criticizing both candidates. They are reported to have used AI to create some of this content. Read more.
3. Iranian Hackers Set Up New Network to Target U.S. Political Campaigns – The Hacker News
Insikt Group researchers have identified a new network infrastructure associated with GreenCharlie, an Iranian threat actor that overlaps with APT42, Mint Sandstorm, Charming Kitten, Damselfly, TA453, and Yellow Garuda. GreenCharlie is linked to malware that reportedly aims to target U.S. political campaigns and government entities. According to Insikt Group, GreenCharlie has been linked to POWERSTAR and GORBLE malware, both of which are used in phishing campaigns for cyber espionage. Article here.
4. Telegram now shares users’ IP and phone number on legal requests – BleepingComputer
On September 23, the CEO of Telegram, Pavel Durov, announced a change to the platform’s privacy policy. According to the new policy, Telegram will comply with requests for user data as part of criminal investigations if it receives a valid court order confirming that the user is a “suspect in a case involving criminal activities that violate the Telegram Terms of Service.” Specifically, IP addresses and phone numbers of suspects will be shared with authorities. Additionally, the app is reportedly altering its search feature by removing problematic content from search results. Read article.
5. New Voldemort malware abuses Google Sheets to store stolen data – Bleeping Computer
Cybersecurity analysts have identified a new malware campaign spreading a backdoor dubbed “Voldemort.” The campaign—which first began on August 5—has disseminated over 20,000 emails and targeted more than 70 organizations worldwide. The campaign notably impersonated tax agencies from the U.S., Europe, and Asia, claiming that changes had been made to tax filings. At this time, the threat actor behind the malware campaign remains unidentified, however, based on the targeted sectors—notably insurance, aerospace, and transportation—Proofpoint assesses that the purpose is likely cyber espionage. Full article here.
6. Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government – DOJ
The DOJ announced the indictment of five Russian GRU offices and one civilian for conspiring to hack the Ukrainian government. The GRU officers are part of Unit 29155 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces. They are accused of conspiracy to hack into, exfiltrate data from, leak information from and destroy computer systems associated with the Ukraine Government in advance of the Russian invasion of Ukraine. “The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. Full article.
7. Chinese botnet infects 260,000 SOHO routers, IP cameras with malware – BleepingComputer
The Federal Bureau of Investigation (FBI) has disrupted a Chinese state-sponsored botnet dubbed Raptor Train. The botnet—“a network of computers infected by malware”—had infected more than 260,000 devices to target critical infrastructure in the U.S. and abroad and steal data. The botnet notably targeted victims in the “military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors.” Read more.
8. New Tickler malware used to backdoor US govt, defense orgs – Bleeping Computer
According to BleepingComputer, the Iranian government-backed hacking group APT33 (also known as Peach Sandstorm and Refined Kitten) has been observed using a new malware dubbed “Tickler” to backdoor U.S. government and United Arab Emirates networks between April and July of this year. The group is assessed to be working on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) and has been carrying out cyber espionage operations since at least 2013. In the group’s most recent intelligence collection campaign, the new Tickler malware is being used to target organizations in the “government, defense, satellite, oil and gas sectors,” and functions by leveraging Microsoft Azure infrastructure. Read article.
9. Germany seizes 47 crypto exchanges used by ransomware gangs – Bleeping Computer
In a September 19 press release, the Federal Criminal Police Office of Germany (BKA) announced that it had seized 47 cryptocurrency exchange services hosted in Germany that were facilitating cybercriminal activity and were used for money laundering. The exchange services in question allowed cybercriminals to exchange cryptocurrencies while remaining anonymous, thereby creating a “low risk-environment for cybercriminals.” The press release lists ransomware groups, darknet traders, and botnet operators as examples of threat actors who utilized these exchange services, often to exchange ransom payments. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Dark Empire Market.
Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.
Introduction
Darknet marketplaces (DNMs) are synonymous with where on the dark web users can buy and sell illicit goods.
Traditional DNMs are defined as dark or deep web sites where numerous (often hundreds) vendors can sell various types of products ranging from drugs, digital goods, leaked databases, counterfeit documents, credit cards, etc. The most popular traditional DNMs that remain today are:
Ares Market
Archetyp Market
MGM Grand Market
Dark Empire Market
DISCLAIMER: Please note that this list specifically excludes any forum that also has a marketplace section like XSS or Exploit, as well as marketplaces that specialize in one product category like digital goods on Russian Market.
As we continue our Darknet Marketplace snapshot series we will review Dark Empire Market, one of the most popular marketplaces available on the darknet today. In our last snapshot, we explored Ares Market.
Dark Empire Market
Dark Empire Market’s name is sometimes confused with Dark Market or Empire Market, which were both darknet markets which have been seized by law enforcement. This highlights a trend that darknet admins have to sometimes create new sites with intentionally misleading names that are similar to defunct DNMs, whether to gain popularity or to make it easier for previous customers to find them.
Dark Empire Market appears to have originally surfaced in early 2021, based on the earliest results that are still viewable on the site. However, its popularity increased shortly after the Bohemia, Hydra, and Monopoly markets were seized in early 2023. DarkOwl’s Vision database to date has over 19,000 results pertaining to Dark Empire Market. There is very little open-source information available to provide more information on the history of this site and its admins. In fact, when you search for this site, most results are related to the now defunct Empire Market. Additionally, it has not gained particular attention from the media meaning there is little information in relation to it. However, it has been previously mentioned on sites like Reddit, Dread, and Ransomlook.io.
Homepage
The below screenshot displays Dark Empire Market’s Homepage. This includes the logo, followed by various topics, and a disclaimer and banner advertisement. This is a format that we commonly see on other traditional DNMs.
Additionally, credentials are not required to view content on this site, which is uncommon on most DNMs. Therefore, it is a good site to explore if you do not want to create credentials and/or are new to the darknet. It is usually uncommon for darknet sites to allow you to view products on their sites without eventually facing a paywall.
Underneath is a visual display of the various product categories:
Counterfeits
Credit Cards
Documents
Drugs
Gadgets
Gift Cards
Guns
Money Transfers
Other
The site claims to offer worldwide shipping, it states every vendor sells worldwide.
It also provides escrow services and advertises for individuals to become a vendor on the site. They provide an email that can be used for any enquiries or issues – offering full customer support to the users on the site.
Counterfeits
Counterfeit goods are products that are made to imitate genuine items with the intention of deceiving others. They can be used for financial crime, identify theft, as well as counterfeit goods. Counterfeiting can range from physical documents like licenses and passports to counterfeit cash (euros and dollars).
The counterfeiting category on Dark Empire Market primarily advertises counterfeit financial products. Currently there are 12 actives listings, and the below screenshot shows 3 financial counterfeit products.
Looking a step further, DarkOwl analysts reviewed one of the products. The below screenshot is one of the above products and advertises as, “Pre-Shredded Cash 25,000 USD Cash” and is for sale for $999.00, which was discounted from an original price of $2,100.00 USD. The vendor claims these US dollars came from the Federal Reserve in 2017. The vendor self identifies as “The Queens Cash aka queencdcguev” in the below description.
It is not uncommon for vendors to use snark or humor in their advertisements, below we provide some real FAQs that are provided by the vendors.
The FAQs also highlight why the vendor can be trusted. Reviews are what most DNMs rely on to ensure that they are receiving the products that they are buying. A lot of the time the products for sale sound too good to be true. This is usually because they are. But as demonstrated below vendors will try to explain why they have received bad reviews.
Credit Cards
Many DNMs sell cloned or stolen credit cards. The Credit Cards category on this market has a total of 22 listings. Most of the listings advertise access, credit card fraud aka carding products. Most of these products advertise access to Visa, Mastercard, and American Express Credit Cards and Gift Cards. The below screenshot displays 3 Credit Cards listings. It appears these listings advertise pre-paid Visa and Mastercard Gift Cards.
The below screenshots display a recent product listing titled, “3 x AMEX Prepaid 3100$ / 2700 Euros,” which is allegedly selling for $299.00 USD. The product description continues to explain that there is a daily withdrawal limit of $3500.00 USD. Additionally, the vendor claims that after purchase they will send a printed guide of how to “safely cash out” via parcel service.
Guns
There are a total number of 35 listings under the Guns category. Most of the products are for guns and or ammunition. The below displays a few of the products. Product pricing ranges from 200.00 USD to over 1000.00 USD. The images posted on the site have the onion URL over them, presumably so they cannot be shared on other sites.
DarkOwl analysts selected the following product titled, “Bushmaster AR15 Tactical Package Semi Auto Rifle.” The product has a 5-star rating and there are 35 customer reviews for this vendor. The product description meticulously explains the technical specs of this weapon.
Below is a chat that appears below the product description. Most prospective buyers are inquiring with the vendor to confirm if they ship to a particular country. The below shows buyers asking about if they can safely send the weapon to the Dominican Republic, Australia, Turkey, Sweden, and others. Every time the vendor responds saying “Yes worldwide” or “Yes without problems.” It is unclear what shipping methods this vendor is using. Although some other vendors state that they use FedEx and FedEx international to ship overseas.
As stated above there are other areas and goods that are sold on this market. Drugs are another area of the site which appears to be popular. There are currently 50 listings in this section, second only to gadgets, which sells products such as phones and computers. A range of different drugs are made available and a varying range of prices. Some of them have discounts applied. Most of the listings have over 4.5 stars.
One seller, providing cocaine claims to be the most trusted seller in the world, who used the best packaging to ensure “stealth and security.” There are many comments stating that they have successfully received the drugs.
Dark Empire Market is currently online and operating. It highlights the variety of goods that can be sold and the methods which they use to ship these goods worldwide. It also gives insight into how the vendors operate and how they explain their products and the reviews that they receive.
During our next blog in this series of DNM reviews we will look at Archetyp Market.
Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Snapshot.
The dark web has undergone a significant transformation in the past two decades, demonstrating remarkable tenacity and adaptability. Similarly, the concept of self-healing networks is a groundbreaking approach to maintaining robust and reliable networks without the need for manual human interaction to reestablish connections. The evolutionary parallels between what has come to be the darknet and the core principles of self-healing networks highlights one critical similarity: resilience. Resilient networks are by necessity required to be flexible, scalable, secure, and reliable. Core qualities of resilience being the ability to adapt to unforeseen variables and embrace dynamic changes. These are qualities that the dark web is not new to. And today, resilient networks play a crucial role in minimizing downtime, preventing disruptions, and mitigating interruptions regardless of where that network falls on the iceberg.
Comparing the similarities of these two domains gives insight into how self-healing fundamentals contribute to the dark web’s resilience. Looking through the lens can inform how the dark web will continue to evolve in the future.
A Cliff Note Summary of Darknet Evolution
Initially, dark web marketplaces focused primarily on illegal drugs. However, over the years, marketplaces achieved diversification by expanding goods and services beyond the “illicit” as well as other illicit goods and services not linked to drugs, such as hacking tools, malware, and financial information. There has also been a huge boom in the sale and release of data.
Today’s platforms and alternative communication services offer a wide range of goods and services far beyond the early years of the dark web. This diversification continues to attract a broader user base of buyers and sellers on a global scale contributing to a significant increase in the overall volume of darknet transactions. The darknet global ecosystem of feeding buyers and sellers also saw the rise of professional criminal organizations offering specialized services including targeted cyberattacks, custom malware development, and global money laundering operations, not to mention the incredible growth of professional ransomware groups. Darknet professionalization further entrenched the darknets role in global cybercrime.
Figure 1: The Dark Jungle Market offers wildlife trafficked goods; Blog write-up.
Figure 2: Ares Market offers illicit & pharmaceutical substances, digital fraud products (credit card & cryptocurrency fraud), counterfeit products (currency and IDs); Blog write-up.
Figure 3: Styx Market offers illegal techniques for committing fraud, money laundering, and access to stolen data; Blog write-up.
Dark web marketplaces have evolved from rudimentary platforms to sophisticated darknet e-commerce services complete with user reviews, escrow services, and dedicated customer support. An evolutionary change in sophistication that mirrored changes in traditional commercial e-commerce platforms making darknet marketplaces more accessible to the most basic consumer. Adding a means of measuring trust for vendors and buyers only added more fuel to the evolutionary fire. Additionally, darknet services adopted more advanced security measures such as end-to-end encryption, multi-factor authentication, and robust anonymization techniques. More accessibility to trading and improved security enhancements equating to resilience for darknet vendors. Darknet resilience that also made it increasingly difficult for authorities to track and shut down.
The adoption of cryptocurrency marked yet another critical evolution to the darknet. Bitcoin has been the hallmark of darknet transactions for over a decade, providing a degree of anonymity between buyers, sellers. However, newer tactics and tools now contribute to the traceability of cryptocurrency transactions and possible attribution which led to the desire for more privacy-focused cryptocurrencies that offered enhanced anonymity and security, a mark in resilience triggering yet another evolution. Currencies such as Monero and Z-Cash are now widely accepted on dark web marketplaces. Additionally, illicit dark web laundering services known as tumblers, or crypto mixers, become prevalent, helping to further obscure both origin and destination of cryptocurrency transactions.
In recent years, the use of mobile applications emerged as a significant development in facilitating illicit transactions on the dark web. Mobile applications designed to operate on both Android and iOS platforms, provide users with convenient, on-the-go access to darknet marketplaces, alternative communication services, and forums. Many of these custom mobile applications feature built-in end-to-end encryption, anonymization tools, and secure messaging capabilities that protect user identities and communications. The use of private APK or IPA applications not made available through the authorized marketplace added yet another level of obfuscation and secrecy to potentially nefarious activities. The proliferation of mobile applications only made it easier for cybercriminals to conduct illicit business, stay connected, and further evade law enforcement. These mobile platforms extended the reach of dark web activities, making the darknet more accessible and pervasive.
Law enforcement agencies made significant strides in combating illicit activities despite the darknets growth in sophistication and diversification. For the better part of two decades, high-profile takedowns by law enforcement of major dark web marketplaces like Silk Road, AlphaBay, Wallstreet, Dream, Genesis, Empire, and Hansa disrupted illicit marketplace activities resulting in numerous arrests around the globe. These operations not only dismantled key illicit marketplace but were also used as a platform by law enforcement to send a strong message to cybercriminals. Improved international collaboration among law enforcement agencies resulted in more coordinated and effective operations against dark web criminal activities, making it harder for darknet marketplaces to operate unchecked. But regardless of law enforcement takedowns, the darknet has continued to be resilient and self-healing with many new markets popping up to replace those that had been taken down.
Self-Healing Networks: Fundamental Concepts, Principles and Achievements
Self-healing networks are networks designed to automatically detect, diagnose, and repair network connection faults without human intervention. These networks focus on network redundancy features and are built on the principle of autonomic computing. Autonomic computing embeds hardware and code with self-managing capabilities that enables the network to adapt to changes and recover from failures autonomously. The implementation of redundancy and failover mechanisms ensures multiple redundant paths and systems are in place that guarantee continuity of service in case of critical failure. Continuous monitoring and real-time diagnostics are not required but often help identify connection issues, enabling prompt remediation and reinforcing network stability.
Self-healing networks significantly enhance the reliability of network infrastructures by reducing downtime and ensuring continuous operation. The inherent scalability and flexibility of self-healing networks adapt to changing demands and conditions, providing reliable services to dynamic environments. Furthermore, self-healing networks are known to contribute to cost efficiency by minimizing the need for manual intervention. Manual intervention is a reactive process. Minimizing manual interventions reduces the financial impact of network disruptions. When a connection is interrupted, a self-healing system recognizes the fault and deploys a countermeasure to reestablish the connection. To say that self-healing networks are resilient is an understatement.
Conclusion: Resilience in Parallel
The evolutionary path of the darknet continues to highlight remarkable resilience over the last two decades, despite efforts of law enforcement. Even when major dark web markets are dismantled, new gateways quickly emerge to fill the void and further perpetuate illicit online activities in a continuous game of whack-a-mole for authorities. The darknet continues to recover from takedowns, shutdowns, and social migrations the same way that self-healing systems autonomously recover from connection faults. When one marketplace, forum, or alternate communication service ceases to exist, another connection opens to reestablish the flow. The darknets ability to adapt and evolve quickly aligns with and demonstrates self-healing resilience. This resilience is critical to the survival and functionality of the darknet in the face of internal and external challenges. Understanding the resilience and evolution of the darknet is crucial for anticipating and effectively responding to future changes.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
