Author: DarkOwl Content Team

May 07, 2025

In mid-April 2025 the infamous messaging board 4chan was taken down, the site returned an error allegedly as a result of a cyber-attack from a rival messaging board group. While the site was down for just over a week it did reappear, albeit with more security than the site had previously had.  

Throughout its tenure, 4chan has been a petri dish for internet culture, heavily influencing the humor and vocabulary of social media and meme pages worldwide. However, the anonymity the site works on that fosters creativity also enables its dark side with huge volumes of extremist content and the use of language, slurs and off-color jokes that historically would be banned from traditional social media sites. Nonetheless the site is important in understanding how some individuals operate on the internet and how this site has influenced real world events.  

In this blog we will review the history of 4chan, what it is used for and by who and review the recent activity which led to the brief downtime.  

Figure 1 – 4chan logo taken from the site 

Historical Overview of 4chan 

4chan was founded on October 1, 2003, by a 15-year-old New Yorker named Christopher “moot” Poole. Poole created 4chan as an English-language counterpart to the Japanese imageboard Futaba Channel (2chan), initially focusing on anime and manga discussion. Using translated open-source code from 2chan, “moot” built 4chan as an anonymous forum where users could post images and messages without registering accounts or providing any form of username. The site contains multiple boards which host discussions on a variety of topics. This anonymity and ephemeral design (threads are deleted after becoming inactive) set 4chan apart from other forums and quickly fostered a freewheeling, chaotic community. The site has gone through many changes both in management and in use since its inception.  

The site was originally launched as 4chan.net with a single board (“/b/” for random anime discussion). By year’s end, multiple boards for hentai, “cute” anime, wallpapers, yaoi, etc. were added. However, the site had issues almost from the beginning, in February 2004 the original domain was suspended, forcing a move to 4chan.org, and in March “moot” threatened to shut down the site due to server costs before user donations kept it alive. PayPal froze 4chan’s donations account in mid-2004 over content complaints, causing six weeks of downtime.

As the site rose in popularity, 4chan’s “/b/ – Random” board became infamous for its anything-goes culture. By 2008, /b/ was receiving up to 150–200k posts per day and had cultivated a reputation for adolescent irreverence and “notorious” pranks. Media outlets described /b/ as the “asshole of the Internet,” akin to a high-school bathroom wall of graffiti. In 2008, The Guardian summed up 4chan’s community as “lunatic, juvenile […] brilliant, ridiculous and alarming”, reflecting the site’s mix of absurd humor and offensive content. 

However, users on the 4chan site were not just posting and sharing memes between themselves. 4chan users pioneered collective online pranks and what they referred to as “raids.” Some of the users famously harassed white nationalist radio host Hal Turner with prank calls and DDoS attacks in 2006–07 (leading Turner to attempt an unsuccessful lawsuit). In early 2008, 4chan users helped spawn the hacktivist group Anonymous and launched “Project Chanology,” a protest against the Church of Scientology that moved from online pranks to real-life street demonstrations. This period was a “golden age” of trolling that saw users coordinating high-profile stunts, elevating 4chan’s notoriety and influence. 

By the 2010s, 4chan had expanded well beyond its anime roots. New boards were added for topics like weapons (/k/), video games (/v/), sports (/sp/), and literature (/lit/), reflecting a broader user base. In 2011, “moot” made a significant moderation decision: he deleted the “/new/” (news) board because it had become overrun with racist content, and also temporarily removed “/r9k/” due to issues with its purpose. Later that year, 4chan introduced “/pol/” (“Politically Incorrect”) as a replacement board for political discussion – a decision that would prove fateful as /pol/ soon became a hotspot for extremist and controversial content (more on that later). 

In August 2014, anonymous hackers leaked a trove of private celebrity nude photos, the infamous “Fappening” scandal, 4chan was one of the first sites where the images were widely posted. The incident forced 4chan to implement a DMCA policy and start cracking down on stolen explicit material, a notable shift for a site long permissive about content. However, the site continued to host images of this kind with a second scandal taking place, known as the Fappening 2.0 in 2017. 

Around the same time (2014), 4chan was deeply involved in the Gamergate saga – an online harassment campaign targeting women in the gaming industry. Discussions about “Gamergate” originated on 4chan (notably on the /r9k/ board) and led to coordinated harassment of game developers and journalists. Moot eventually banned Gamergate threads for violating 4chan’s rules, prompting many aggrieved users to migrate to alternative imageboards, such as 8chan, which at times have been considered to contain more extreme material. These 2014 events were watershed moments, bringing 4chan intense media scrutiny for facilitating harassment and hosting illicit content. 

On January 21, 2015, Christopher Poole “moot” stepped down as 4chan’s administrator, citing stress and the strain of managing frequent controversies like Gamergate. In September 2015, Poole announced he had sold 4chan to Hiroyuki Nishimura, the Japanese entrepreneur who founded 2channel, the very site that inspired 4chan.  

As 4chan matured, it increasingly became associated with the rise of the alt-right and online extremist movements. The anonymous poster known as “Q” – who sparked the QAnon conspiracy theory – first appeared on 4chan’s /pol/ board in late 2017. 

Figure 4: Pepe the Frog

Memes and slogans, long used on 4chan seeped into mainstream politics; during the 2016 U.S. election, /pol/ users aggressively supported Donald Trump and spread memes like Pepe the Frog as political symbols, a meme which is now designated as a hate symbol. By this time, outsiders often conflated 4chan with its most toxic board (/pol/), even though the site still hosted diverse communities.  

In 2019, after a string of mass violence incidents were linked to manifestos on a 4chan spin-off (8chan), authorities and internet companies increased scrutiny on anonymous forums. Some ISPs in Australia and New Zealand even temporarily blocked access to 4chan in March 2019 following the Christchurch massacre, in attempts to stop the spread of the shooter’s video. 

Despite numerous controversies and predictions of its demise, 4chan remains online and influential. According to the site itself the site “serves approximately 680,000,000-page impressions to over 22,000,000 unique visitors per month (~11 MM in the US)”. It continues to be a global hub for internet subculture, though its reputation is forever tied to the edgier side of the web, which is perhaps what led to its recent troubles.  

The 4chan Community and Its Subcultures 

Data on 4chan’s user demographics is scarce due to the anonymous nature of the site However, it’s generally accepted that the user base skews young and male, with a strong representation of teenagers, students, and twenty-somethings who are internet-savvy.  

Figure 5: Stats shown on 4chan.org 

One of 4chan’s defining features is that users post anonymously – there are no usernames or profiles (aside from optional tags like “ID” on certain boards). This anonymity, combined with a lack of permanent archives on many boards, has cultivated a unique culture. Users often share gory or pornographic images, engage in extreme trolling, or discuss sensitive topics like self-harm, all under the banner of anonymity. 

Figure 6 – Example of Anonymous posts on 4chan 

Users often refer to each other simply as “anon,” and any hierarchy or fame a user gain is ephemeral. In this environment, community identity forms around boards and shared memes rather than individual people. Over the years, distinct subcommunities have thrived on 4chan, each with its own norms and in-jokes. The fact that all users are anonymous also makes it very difficult for investigators reviewing the credibility of threats made on 4chan which are unfortunately very common. 

Major Boards and Subcommunities 

Figure 7: List of boards currently active on 4chan 

4chan is divided into dozens of topic-specific boards, each indicated by a short tag (like /x/ or /g/). As the Wikipedia description aptly summarizes, “the site hosts boards dedicated to a wide variety of topics, from video games and television to literature, cooking, weapons, music, history, technology, anime, fitness, politics, and sports, among others.”  

While a lot of these topics are innocuous, such as discussions of TV, Movies and gaming, the anonymous nature of the sites means that even these topics can generate extremist and violent conversations. However, there are several boards hosted on 4chan where the content is almost exclusively extremist in nature.  

/b/ – “Random”  

The original board and longtime center of 4chan. /b/ has minimal rules and is known for its extreme anything-goes culture. Posts on /b/ can range from juvenile humor and absurd memes to grotesque shock images and offensive tirades. /b/ was where many famous pranks and memes originated. The LOLcats phenomenon – cutesy cat photos with captions and the practice of “Rickrolling,” tricking someone into watching Rick Astley’s music video, are often credited as starting on 4chan. One of the lighter sides of the site.  

/pol/ – “Politically Incorrect” 

Arguably the most controversial board on 4chan, /pol/ was created in October 2011 as a space for political discussion without strict moderation. It quickly became a magnet for extremists and fringe ideologies. Here, users share memes and news from a far right or conspiratorial perspective, often pushing and surpassing the limits of hate speech. Notably, many alt-right and white nationalist memes were popularized on /pol/. The board’s influence on real-world politics is significant. /pol/ was an early organizing hub for support of Donald Trump in 2016, and Trump’s campaign team appeared to acknowledge the board by tweeting memes that originated there. /pol/’s “culture” of aggressive, trolling debate has spread to other platforms and is emulated by some other extremist sites.  

/r9k/ – ROBOT9001 

This board was originally an experiment requiring posts to be unique to reduce copypasta, but it evolved into a different space. By the 2010s, /r9k/ became associated with lonely or disaffected young men with many posts about depression, social rejection, or nihilistic humor. It is here that the concept of the “incel” (involuntarily celibate) took root, along with memes about “beta” males.  

Spreading of Extremist Content 

4chan’s lax moderation has led to numerous instances of illegal and extremist content being posted, in some cases forcing law enforcement involvement. Users are known to often post violent content. In 2014, a 4chan user uploaded photos of a murdered woman’s body to /b/ claiming responsibility. The victim was later identified, and the post was linked to a real murder. Police were able to track and arrest the poster in that case, illustrating how anonymity can be pierced in some cases and with law enforcement powers.  

There have also been numerous bomb or mass violence threats posted on 4chan as “jokes” or hoaxes – several leading to evacuations and arrests. A recent case in 2023 saw a New Jersey man arrested for using 4chan to threaten a Florida sheriff, and other users in different states were arrested for copycat death threats. 4chan can therefore be seen as one of the first sites used to encourage the practice of Swatting.  

Hate speech and extremist propaganda is endemic to 4chan. The site has been accused in investigative reports of “incubating hate speech that may have fueled mass shootings”, since perpetrators of attacks in places like Christchurch, El Paso, and Buffalo frequented 4chan or its spinoffs and sometimes announced their intentions there. This resulted in a legal scare for 4chan when the New York State Attorney General investigated 4chan after the May 2022 Buffalo mass shooting – the shooter was radicalized on 4chan. The NY AG explored whether 4chan could be held liable for “providing a platform to plan and promote violence”, though ultimately, they didn’t file charges. 

4chan has been at the heart of numerous violent and extremis acts. Controversies have made 4chan a frequent target for those who argue the internet should be more regulated. Yet, despite every scandal – from child porn crackdowns to global news making hacktivism – 4chan persists. That resilience was tested yet again very recently, when the site faced one of its most serious disruptions to date: a major hack that took it offline. 

Recent Incident: 4chan Goes Down in a Cyberattack 

Figure 8: AI Generated Image An illustration of an anonymous hacker. In April 2025, 4chan suffered a major breach that exposed internal data and knocked the site offline. 

In mid-April 2025, 4chan experienced an outage, a rare event for a site that, despite its issues, usually stays online. On April 14, 2025, users suddenly found 4chan unreachable or only partially loading. It soon emerged that 4chan had been hacked and taken down by a hacker. The site was offline for days, prompting widespread speculation and the Twitter hashtag “#4chanHack” as people wondered what had happened. 

Figure 9: Soyjak.Party logo taken from website

A group of users on a rival imageboard called Soyjak.party (nicknamed “the Party”) began claiming responsibility for the attack. Soyjak.party is a community that splintered from 4chan, often antagonistic toward it. According to posts by someone with the handle “Chud” on that site, an unnamed hacker had gained access to 4chan’s systems over a year prior and waited. On April 14, this hacker finally “executed Operation Soyclipse,” as Chud described it, which involved taking control of 4chan’s backend. 

The hackers defaced 4chan by temporarily restoring a long-defunct board (/qa/) with the message “U GOT HACKED XD” emblazoned on it. They also claimed to have exfiltrated a trove of data, including 4chan’s source code and user information. Screenshots were leaked on Soyjak.party and other forums showing what appeared to be 4chan’s administrator control panels and maintenance tools.  

One screenshot showed internal discussions on a private staff board (/j/) and a moderator interface that could view users’ IP addresses and locations. Another leak contained a list of email addresses of 4chan’s moderators, administrators, and janitors (janitors are basically volunteer moderators). The attackers doxed 4chan’s own staff, ironic for a site that prizes anonymity. Posts on Soyjak.party even began to share personal info and photos purportedly of some 4chan mods after this leak. 

Figure 11: “Proof” of 4chan hack on Soyjak.party 

Facing this breach, 4chan’s administrators took all servers offline to “control the damage,” according to the attackers’ account. For a period on April 15, the site either wouldn’t load at all or showed only a basic text version with errors, indicating the staff was struggling to restore things. One major theory, supported by a screenshot of a Bluesky social media post, was that 4chan’s software was woefully out of date – running an unpatched PHP version from 2016 – making it vulnerable. If true, the hack was a result of 4chan’s technical debt and lack of updates, something the site had been lucky to avoid catastrophe from until now. A Wired article noted that rumors of legacy, unpatched software causing the breach were circulating widely.

Over the next couple of days, more information came out via cybersecurity reporters. BleepingComputer reported that the hacker had indeed leaked parts of 4chan’s PHP source code on another forum – Kiwi Farms. The Daily Dot obtained samples of the stolen data, confirming it included an index of 4chan’s staff (one admin and ~218 moderators/janitors), hundreds of pages of archived posts (possibly from private boards), and even a list of users who had purchased 4chan Pass subscriptions (which involves an email address). In short, this was a comprehensive breach – touching administrative info, user data, and site code. DarkOwl also obtained a copy of the leaked documents.  

During the outage, 4chan’s administrators maintained near-complete silence. Attempts by journalists to get a statement were futile – Reuters reported that messages to 4chan’s press email went unanswered. Amusingly (in true 4chan fashion), one of the compromised moderator emails did reply to a Reuters inquiry by sending a link to an unrelated 4-minute shock video, essentially trolling the reporter.

By April 16 and 17, 2025, 4chan’s service was still unstable. Some users could load the site; others encountered Cloudflare errors. Gradually, the site did come back online, though many wondered what long-term impact the hack would have.  This incident led many to speculate about the future of 4chan – would it bounce back as it always has, or was this the beginning of the end? However, the site did comeback online and appeared to have beefed up their security. Users on the site picked up where they had left off with no apparent reduction in activity in response to the attack and the leaked data, although there were some suggestions that jannies left after having their personal information leaked.  

Despite this the future of 4chan remains uncertain. The site stands at a delicate point: it must adapt to survive, yet it must retain its essence to remain 4chan. If it manages to tighten security, maintain financial stability, and navigate legal waters while continuing to let its community be largely self-regulating and anarchic, it may well continue to be a fixture of the internet for years to come. Even if 4chan were to fall, its influence would live on – in the memes we share, the slang we use, and the dispersed communities that would carry forward its spirit. As of now, 4chan endures and its story is a testament to the chaotic, untamable force of online anonymity that it pioneered back in 2003. 

---

Don’t miss anything from DarkOwl. Subscribe to email.

May 01, 2025

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police shuts down KidFlix child sexual exploitation platform – Bleeping Computer

In an April 2 press release, Europol announced that Kidflix—”one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web”—was shut down in an international operation dubbed “Operation Stream.” The investigation was led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB), and was supported by Europol. The platform was taken down on March 11 by German and Dutch authorities. Read full article.

2. Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine – The Hacker News

In a March 28 report, researchers at Cisco Talos revealed an ongoing phishing campaign believed to be carried out by the Russian hacking group Gamaredon against entities in Ukraine. The campaign uses malicious LNK files compressed inside ZIP archives and disguised as Microsoft Office documents featuring Russian words “related to the movement of troops in Ukraine.” As noted in the report, “The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor.” Article here.

3. PoisonSeed phishing campaign behind emails with wallet seed phrases – Bleeping Computer

Researchers have observed a cryptocurrency and bulk email phishing campaign dubbed “PoisonSeed” that is compromising corporate email marketing accounts. As noted by BleepingComputer, the campaign utilizes the compromised accounts to “distribute emails containing crypto seed phrases used to drain cryptocurrency wallets.” A report from Silent Push reveals that targeted crypto companies have included Coinbase and Ledger, while the targeted bulk email providers include Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. Read more here.

4. Infamous message board 4chan taken down following major hack – Bleeping Computer

6. FBI: Scammers pose as FBI IC3 employees to ‘help’ recover lost funds – Bleeping Computer

On April 18, 2025, the Federal Bureau of Investigation (FBI) released a public service announcement warning of an ongoing fraud scheme in which scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees. According to the announcement, the FBI has received more than 100 reports of such impersonation scams between December 2023 and February 2025. The scammers have been observed impersonating IC3 employees while offering to assist victims of fraud. Read full article.

7. Six arrested for AI-powered investment scams that stole $20 million – BleepingComputer

In an April 7 press release, Spain’s Policía Nacional announced the arrest of six individuals affiliated with a criminal organization behind a large-scale cryptocurrency investment scam that defrauded 19 million Euros from 208 victims worldwide. The joint Policía Nacional and Guardia Civil operation—dubbed “COINBLACK — WENDMINE”—began just over two years ago following the report of a victim in Granada being defrauded of €624,000. In addition to the six arrests, the operation also resulted in the seizure of “100,000 Euros, mobile phones, computers, hard drives, firearms, and documents.” Read full article.

8. Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool – The Hacker News

The Sysdig Threat Research Team (TRT) has identified a new campaign carried out by the Chinese state-sponsored threat actor UNC5174 (also known as Uteus). In late January 2025, researchers observed the threat actor using VShell, a new open-source tool and command and control (C2) infrastructure, to infect Linux systems. The newly observed campaign also utilizes a variant of SNOWLIGHT malware. According to the report, the campaign has been active since at least November 2024. Learn more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

April 24, 2025

We often associate the darknet with a negative stigma, primarily due to its frequent portrayal in the media for illicit activities and cybercrimes. However, much like the surface web, the darknet is a wide-open space that hosts a variety of resources – some of these resources are incredibly positive and life-changing. In this blog, our hope is to shine a light on the beneficial aspects of the darknet and explore the sites and services that make a positive impact on society. 

Privacy Protection and Freedom of Speech 

In an age where privacy is increasingly under threat, the darknet offers individuals a crucial safeguard for anonymity and freedom to express their thoughts without censorship. For people living under oppressive regimes where free speech is restricted or monitored, the darknet can be a haven. 

One of the most well-known privacy-focused platforms in ProtonMail, an encrypted email service that allows users to communicate safely without the fear of surveillance. SecureDrop, is an open-source platform developed by the Freedom of the Press Foundation, allowing journalists to receive tips from whistleblowers and activists without exposing their identity. These services are critical tools in protecting privacy and supporting democracy and transparency. 

Human Rights Advocacy and Whistleblower Protection 

The darknet provides a critical space for those fighting for human rights. Websites like The Tor Project provide the infrastructure that allows individuals to browse the web anonymously, reducing the risks of being tracked or persecuted. Activists can use the darknet to share critical information about political oppression, corruption, and human rights abuses without fear of retaliation.

Whistleblower sites give individuals a platform to report government or corporate wrongdoings while protecting their identities. Whistleblowers help expose corruption and injustice on a global scale. Many journalists, including those at major news outlets such as The Guardian or The New York Times, rely heavily on these darknet platforms to connect with sources who need to remain anonymous for their own safety. 

Education and Knowledge Sharing 

Although controversial, the darknet is a hub for educational resources. Multiple darknet sites are dedicated to providing free knowledge in areas ranging from cybersecurity to history and politics. These platforms can be indispensable to individuals who want to learn but cannot afford traditional schooling or because of restrictions imposed by government censorship or other types of censorship. 

Academia.edu is a darknet academic resources that provides access to papers, books, and research that may be blocked or restricted in certain countries. This availability to free education empowers individuals to improve their skills and access knowledge that may otherwise be out of reach 

Charitable Organizations and Support Services 

This might surprise some but there are many {legitimate} charitable organizations and support groups that operate on the darknet to assist those in need. For people in dangerous situations, whether they are refugees, victims of domestic violence, or living under oppressive regimes, the darknet offers a safe space to access vital resources. 

The Hidden Wiki offers links to the support networks that provide guidance on escaping from abusive relationships, finding medical care, and accessing counseling services. These resources can be critical for people who cannot access help through traditional means due to the fear of being tracked or judged. 

Privacy-Focused Marketplaces for Legal Goods 

While the darknet is notorious for illegal activity, there are also legitimate marketplaces that focus on privacy and security. These marketplaces allow people to buy and sell goods while keeping personal information private. Some marketplaces provide privacy conscious alternatives for purchasing legal items, like books, software, or hardware. 

The OpenBazzaar is a marketplace with a decentralized platform that allows users to trade goods and services directly with one another, using cryptocurrency for payments. OpenBazzaar was built on the principles of privacy, freedom, and distribution offering a safe and anonymous way to transact without the interference of third-party entities. 

Crisis Communication and Emergency Support 

In some cases, the darknet has served as a lifeline during times of crisis. For instance, during political unrest or natural disasters, the darknet has provided an outlet for individuals in need of urgent assistance or communication. Various groups have used the darknet to organize rescue operations or provide emergency services to people in need. 

This is most often showcased in countries facing censorship or political turmoil, the darknet becomes a vital tool for maintaining open lines of communication. People can continue to organize protests, share information about the safety of family members and coordinate relief efforts.  

Final Thoughts on the Darknet Being a Hidden Resource for Positive Change 

While the darknet is often associated with its darker more malicious side, and rightly so, it’s important to recognize that there is a great deal of good happening below those layers of the surface. From protecting privacy and freedom of speech to supporting human rights and providing resources for those in need. The darknet offers much more than what is often portrayed in the media. 

By highlighting these positive aspects, we can begin to bring awareness and understanding the true potential of the darknet as a force for good. It is a tool, and as with any tool, its value is deemed by those who wield it. When leveraged for privacy, security, and human rights, the darknet can provide vital services that improve the lives of individuals and strengthen society as a whole. 

If you’re interested in exploring the darknet firsthand or discovering its positive aspects, it’s crucial to educate yourself on the best practices for navigating it safely. DarkOwl has compiled a list of six best practices for exploring the darknet which you can find here.

---

Curious to learn more? Chat with us!

April 22, 2025

The modern intelligence analyst simply cannot cope with the wealth of data at their disposal.

The sheer volume of available intelligence is overwhelming. Nowhere is this need clearer than in open-source intelligence (OSINT), where the darknet plays a critical role.

As Randall Nixon, Director of the Open-Source Enterprise at the CIA, warned: “It’s amazing what’s there…the next intelligence failure could easily be an OSINT failure, because there’s so much out there.”

The U.S. Office of the Director of National Intelligence (ODNI) has designated OSINT the “INT of first resort.” Recent global conflicts, including those in Ukraine and Gaza, have underscored OSINT’s critical role in modern intelligence.

Darknet Data is Critical OSINT

Cybercriminal marketplaces, encrypted messengers, forums and hacker sites serve as hubs for illicit transactions, where drugs, weapons, extreme politics, stolen credentials, malware, and hacking services are openly traded. These platforms operate much like traditional e-commerce sites, complete with vendor ratings, escrow services, and customer reviews. As a non-exclusionary ecosystem, its potential is infinite.

Darknet Data Challenges

Darknet data is a goldmine of intelligence. Unlike structured enterprise datasets, darknet data is chaotic, multilingual, and riddled with deception, requiring robust machine learning techniques to extract meaningful insights.

Darknet data is inherently messy, containing slang, obfuscation techniques, and multilingual text. Let alone short-lived and transient sites and pages. Additionally, much of the data is stored in an unstructured format, making it difficult to apply Natural Language Processing (NLP) and Large Language Models (LLMs) effectively. Many darknet sites also introduce deliberate noise—web pages filled with random or misleading content—to further obscure information.

Legal and Ethical Risks

Since the darknet is designed for anonymity, traditional privacy regulations don’t always apply in the same way they do for regulated social media. However, the ethical implications of darknet surveillance must still be considered, especially when handling sensitive intelligence and personally identifiable information (PII).

Illegal Content

Darknet data often includes information related to illegal activities, which can pose significant challenges for generative AI and Large Language Models (LLMs). Many models have built-in safeguards that restrict processing such content, making off-the-shelf AI solutions less viable for darknet analysis. Additionally, the more specific the input data, the harder it is to bypass these restrictions. For example, extracting insights from a full dataset structure is generally easier than pulling highly specific details, such as product names, which may trigger model safety mechanisms.

The Possibilities of AI

The goal of intelligent systems should be to enhance human capabilities, enabling people to focus on higher-value, strategic decision-making, and creative tasks rather than routine processing.

As darknet activity continues to expand, advanced big data analytics and AI-driven methods will be essential to making sense of this vast, high-risk ecosystem.

Quantum Computing increases computational power so that week-long analysis will take minutes, with unprecedented levels of accuracy. Recent leaps in quantum computing will ensure the processing of Darknet data is considerably easier.  

Human Behaviour Analysis in Anonymized Spaces

When no one is looking, how do people behave? The darknet provides a unique perspective on human behavior—a reflection of how individuals and groups act when they believe they are untraceable. Under the veil of assumed anonymity, forums and marketplaces reveal unfiltered reactions to the outside world. This creates an opportunity for social scientists, intelligence analysts, and behavioral researchers to study criminal psychology and radicalization patterns.

Graph Neural Networks (GNNs) are particularly effective for link prediction and clustering, helping identify connections that may not be obvious through traditional analysis for entity resolution.

Anomaly Detection and Trend Monitoring

Detecting anomalies in darknet activity is essential for identifying emerging threats. Analysts tracking illicit trades look for anomalous patterns in trade volume, pricing, and vendor behavior—indicators that may signal disruptions, law enforcement interventions, or the emergence of new criminal enterprises.

Predictive Analysis and Threat Forecasting

By analyzing historical data, organizations can predict the likelihood of future cyber threats, misinformation campaigns, and illicit trade patterns.

As Greg Ryckman, Deputy Director for Global Integration at the Defense Intelligence Agency (DIA), stated: “We need a professional cadre that does open-source collection for a living, not amateur.”

With the integration of AI-powered predictive models, darknet data can be used to simulate complex scenarios, sanitise PII and help organizations prepare for emerging risks—whether that be the spread of disinformation, shifts in ransomware tactics, or geopolitical cyber threats.

DarkOwl’s Contribution

DarkOwl is exploring the use of LLMs to identify additional personally identifiable information (PII) entities. By refining these models to detect structured elements within highly unstructured text, we are developing tools that can track cybercriminal activity and detect fraud at scale.

Beyond entity extraction, we are also applying topic modeling techniques to classify and label darknet content. By using Latent Dirichlet Allocation (LDA) and transformer-based models like BERT, we have successfully categorized subsets of forums, marketplaces, and chat data.  We plan to expand on this work to create unique digital fingerprints of these spaces. This will allow us to track shifting trends, identify when threat actors migrate from one marketplace to another, and detect the resurgence of illicit communities following law enforcement takedowns.

We have successfully applied Generative AI models to pull structured product details from specific darknet marketplaces. We plan to expand this work to allow us to monitor illicit trade trends, track specific vendors, and assess market shifts over time. As our AI models continue to structure and analyze darknet data, we gain deeper visibility into longitudinal trends.

We are exploring AI-driven summarization, NER, clustering, and topic modeling to filter out irrelevant noise and surface high-priority leaks. By applying AI-powered triage mechanisms, we can determine which breaches pose the greatest risk to organizations.

---

Curious to learn more? Contact us.

April 15, 2025

Telegram, once the Wild West of chat applications, has undergone significant changes. This shift came after its CEO and founder faced legal troubles with French authorities. (We recently covered this situation in another blog, if you haven’t read it, I highly recommend checking it out. Good Read Ahead) 

In short, Telegram is now implementing new trust and safety measures aimed at making the platform safer for users and curbing cybercrime. These efforts include banning and shutting down cybercrime-related channels, as well as making it harder to find them when they do operate. 

At first glance, this sounds like a huge win, something worth celebrating. We should be cheering, maybe even organizing a parade in honor of these developments. 

However, before we start throwing confetti, there’s a significant problem: these cybercriminal channels are still operating—they’re just harder for investigators to track and monitor. 

Locks only keep honest people honest… or, in this case, anything good on the internet can also be used for bad. 

A Frustrating Reality for Investigators 

This isn’t meant to be a criticism of Telegram (though it might sound like one), but rather an expression of investigator frustration. I fully support Telegram’s efforts to prevent illicit activities on its platform. It’s an uphill battle, especially considering how much easier it was for threat actors to operate on Telegram compared to traditional dark web sites. 

Previously, Telegram had key advantages for cybercriminals: 
👍Ease of access – Unlike dark web forums that require special browsers, Telegram is readily available. 
👍Simple search functionality – No need to memorize or hunt for links; just use the search bar. 
👍 A wider customer base – More users meant more potential buyers for illicit services. 

For investigators, this also made Telegram a gold mine of intelligence; until now. 

The Growing Challenges of Threat Intelligence on Telegram 

The issue is not just that threat actors continue to operate on Telegram. It is that the platform’s new safety measures make Telegram threat intelligence and related investigations exponentially more difficult.

• Frequent bans, frequent reappearances – Some channels are getting shut down weekly, if not daily, only to resurface under new names. 

• Time-consuming investigations – Investigators now have to spend considerable time tracking a single channel and its possible reincarnations. 

• Obscured search results – Telegram has adjusted its search algorithm, making it harder to locate certain channels, even when using exact keywords. 

Gone Are the Days of Easy Telegram Monitoring 

Take the following example: 

A cybercriminal channel was banned and then quickly reopened. You’d assume it would be easy to find again, but if you search for a keyword from the screenshot, like “txtlog”, the new version of the channel won’t appear in the results. 

For threat intelligence teams, this is a nightmare. Valuable intelligence is still out there, but now there’s a significant delay before someone manages to find it. This lag time creates a window of opportunity for cybercriminals to regroup and continue their activities unchecked. 

Final Thoughts: A Step in the Right Direction, but Challenges Remain 

To conclude this rant, I want to acknowledge that Telegram’s efforts are commendable. Their actions prove that they are taking a stronger stance against cybercrime on their platform. 

As someone with experience in social media trust and safety, I understand the immense challenge of moderating a platform at this scale. But the fight isn’t over. The real goal should be deterring threat actors from returning at all, rather than just making it harder to find them. 

Hopefully, with continued improvements, Telegram can reach a point where cybercriminals realize it’s no longer a viable option—and investigators don’t have to spend all their time chasing shadows. 

---

Stay up to date with the latest from DarkOwl analysts. Follow us on LinkedIn.

April 10, 2025

The semiconductor industry powers everything from computing and artificial intelligence to defense systems and the Internet of Things. Given its strategic importance, it has become a prime target for cybercriminals, nation-state actors, and ransomware groups—many of whom operate across the darknet. 

On these hidden networks, adversaries trade stolen intellectual property, zero-day exploits, and even sell access to compromised enterprise environments. This blog explores how these darknet-enabled attacks unfold. 

Why Semiconductor Companies Are Prime Targets 

Semiconductor companies, design, manufacture and sell semiconductors which are essential to modern electronics. Semiconductors are materials, typically silicon, that have electrical conductivity between a conductor and an insulator. They power everything from smartphones and laptops to cars and medical equipment. Due to their importance these companies are targeted for a range of reasons and in a range of ways.  

Due to their use of advanced chip designs and fabrication techniques, which are worth millions, they are often targeted by advanced persistent threat (APT) groups in order to steal intellectual property. Governments seek to control semiconductor advancements for technological and military superiority, leading to targeted cyberespionage campaigns. 

Due to the components that are required the companies often rely on a complex global supply chain made up on many different companies and providers. This leaves them open to vulnerabilities from cyber threat actors which could lead to compromise. The SolarWinds and Kaseya attacks, where third-party vulnerabilities led to board compromises.  

Given the high cost of production downtime, attackers often use ransomware and wiper malware to extort payments or cripple manufacturing facilities. This can be in an attempt to crimple critical infrastructure or simply to extort companies worth millions of cash.  

How Semiconductor Firms Are Targeted on the Darknet 

Threat actors can use multiple tactics to infiltrate semiconductor companies and their supply chains. Some of their activities take place on the dark web.  

Darknet Markets for Stolen Data & Initial Access 

Darknet forums such as RAMP, Genesis Market (before takedown), and BreachForums can offer compromised credentials, session tokens, and MFA bypass methods for employees in the semiconductor sector. Threat actors will offer these credentials for sale to the highest bidders. They are often known as Initial Access Brokers. (IAB) 

Initial access brokers (IABs) often sell pre-compromised RDP, VPN, and Citrix credentials, allowing ransomware groups to gain footholds in corporate networks. 

Ransomware Attacks on Semiconductor Manufacturers 

Semiconductor companies are not immune to ransomware attacks, as few organizations are these days. In fact they may appear as enticing targets due to the worth of the organizations and the technology that they deal in. As with any other ransomware attack, information relating to the organization is exfiltrated, which can include a range of document types, in this case including  sensitive semiconductor designs and threaten to leak them unless a ransom is paid. Ransomware Groups such as LockBit, BlackCat (ALPHV), and RansomEXX have been observed targeting semiconductor firms. 

Zero-Day Exploits and Vulnerability Markets 

A zero-day vulnerability is a security flaw in software or hardware that is to the technology owner and therefore has no patch or fix available at the time it’s discovered. Zero-day vulnerabilities in ICS/SCADA, firmware, and chip toolchains can be sold on the darknet and in private Telegram channels. This is very rare and these types of vulnerabilities are worth a huge amount of money, especially when targeting critical infrastructure.  

However firmware vulnerabilities in semiconductor manufacturing equipment, particularly ASML lithography systems and ARM-based architectures, are known to have been exploited in targeted attacks. 

Supply Chain Infiltration and Hardware-Level Attacks 

Threat researchers have identified instances where adversaries embed malicious firmware in chips before deployment. This has been a major concern for critical infrastructure sectors who could be relying on compromised semiconductor components. Attackers have also been known to compromise EDA (Electronic Design Automation) tools and semiconductor manufacturing software, injecting backdoors into fabricated chips. 

Darknet Recruiting and Credential Stealing 

Darknet forums have been observed offering payment in cryptocurrency for insider access or data leaks within semiconductor firms. Data leak and infostealer malware like RedLine, StealC, Raccoon, etc are widely used to harvest credentials that are resold and can be used for supply chain targeting or to target employees of semiconductor companies themselves. 

Real-World Attacks on Semiconductor Companies 

Several semiconductor firms have suffered high-profile cyberattacks in recent years, reinforcing the urgency of darknet threat monitoring. 

• NVIDIA Breach (2022) – Lapsus$ Group 
  • Stolen proprietary GPU designs and employee credentials. 
  • Attackers leaked code-signing certificates, enabling malicious driver development. 

• TSMC Supply Chain Ransomware Attack (2023) 
  • A third-party supplier was compromised by LockBit ransomware, exposing sensitive business data. 
  • Attackers demanded a $70M ransom. 

• Intel & AMD Firmware Leaks 
  • Engineering documentation and firmware signing keys leaked on underground forums. 
  • Exploited for BIOS and firmware-level rootkit attacks. 

Strategies to Mitigate Darknet Threats 

Semiconductor companies need proactive cybersecurity measures to mitigate darknet-driven threats. These companies and their partners should monitor the darknet to track mentions of company assets, stolen credentials, and exploit chatter. They should also actively monitor initial access brokers, ransomware leak sites, and private forums for early indicators of compromise. DarkOwl data can assist in conducting this monitoring and alerting on identified threats.  

Conclusion 

As semiconductor firms continue to drive technological progress, they will remain top-tier targets for darknet cybercriminals and state-sponsored attackers. A multi-layered security approach, incorporating darknet monitoring, access control, supply chain security, and proactive threat hunting, is crucial to mitigate evolving cyber threats. 

By understanding how attackers operate on the darknet, semiconductor companies can stay ahead of threats, safeguard intellectual property, and ensure business continuity in an increasingly hostile cyber landscape. 

---

Stay up to date with the latest from DarkOwl. Follow us on LinkedIn.

April 03, 2025

On January 6, 2021, supporters of President Donald Trump stormed the United States Capitol in an effort to prevent the certification of President Joe Biden’s 2020 election victory. In the lead up to Congress’ joint session, President Trump repeatedly made unfounded claims of voter fraud and, in a January 6 speech, encouraged his supporters to march towards the Capitol building and to “fight like hell.” Shortly thereafter, a crowd wielding flags and weapons gathered at the Capitol, quickly outnumbering police and starting a riot. Protesters forced their way into the Capitol building, breaking through doors and windows, and began to search for members of Congress and then-Vice President Mike Pence. As the riot continued, President Trump criticized Vice President Pence for presiding over the certification of the election; rioters were heard chanting “hang Mike Pence.”  

While the violent mob’s efforts to undermine the election certification were ultimately unsuccessful, approximately 140 law enforcement officers were injured in the attack and five people died during and soon after the riot. Following the attack, the Federal Bureau of Investigation launched the “largest criminal investigation in U.S. history” looking into the siege, which it identified as an act of domestic terrorism. As noted by NPR—which tracked all federal criminal cases pertaining to the attack—the FBI estimates that “around 2,000 people took part in criminal acts on Jan. 6.” In total, 1,575 individuals were charged. Among these were individuals with ties to far-right domestic extremist groups, including the Three Percenters, Proud Boys, and Oath Keepers.  

On January 20, 2025, the first day of his second term, President Donald Trump issued “complete and unconditional pardon to all […] individuals convicted of offenses related to events that occurred at or near the United States Capitol on January 6, 2021.” The order specifically named nine members of the Oath Keepers and five members of the Proud Boys—among them, Stewart Rhodes, the founder of the Oath Keepers who was sentenced to 18 years in prison. Since the pardoning, the previously publicly available dataset detailing convictions of January 6 rioters has been removed from the Department of Justice’s (DOJ) website. A complete database detailing all January 6 criminal cases remains available on NPR’s website. 

Since the January 20 pardoning, DarkOwl has observed violent rhetoric and conspiracy theories circulating within January 6-affiliated online groups (including those linked to the Proud Boys and Oath Keepers). This blog will explore the frequency and type of rhetoric observed on the surface, deep, and dark web as it pertains to the pardoning of the January 6 defendants. 

J6 Community’s Online Ecosystem 

Analysts have observed an extensive online community consisting of individuals indicted and/or sentenced for the January 6 (J6) attack, their family, and J6 apologists. Dozens of Telegram channels are dedicated to sharing J6-related news and updates, including information about releases and the few who remain in prison. The J6 Telegram landscape also consists of channels belonging to J6 defendants who have been released and are now sharing their stories, spreading mis- and disinformation, and corralling support for the few January 6 defendants who have not yet been released. Many of these individuals have also been observed calling for retribution through investigations into, and prosecutions of, the “criminals walking free who did this.” While many J6-related Telegram channels have dozens or hundreds of followers, others have as many as 10,000, reflecting the scale of the community and the extent of its reach.  

Additional activity has also been identified on surface web-level video-sharing social media platforms, particularly Rumble, which remains especially popular among right-wing creators and is often referred to as “right-wing YouTube.” Some channels on Rumble are exclusively dedicated to J6 news; however, prominent content creators—some with nearly 200,000 followers—are also providing J6 defendants with a platform. Multiple J6 defendants—among them, Stewart Rhodes, founder of the Oath Keepers—have been invited to popular Rumble channels as special guests since their pardoning, where they actively shared mis- and disinformation and claim that the FBI “manufactured narratives” regarding the January 6 attack. Henry “Enrique” Tarrio—former head of the Proud Boys—was also interviewed by Sean Spicer on his YouTube channel, where similar misinformation was shared. Both Rhodes and Tarrio had been convicted of seditious conspiracy for their roles in the January 6 attack. 

Similar activity has been observed on other surface web social media platforms, most notably Twitter. In posts observed following the pardoning of the January 6 defendants, pro-J6 Twitter posts frequently received even more views than those on Telegram. The reach of these posts is consistent with the increase in harmful and extremist content seen on the platform since it was acquired by Elon Musk in 2022. Some Telegram channels made by and tailored to J6 defendants were also found to have matching accounts on Twitter.    

Rhetoric Observed Post-J6 Pardons 

Following the Trump Administration’s pardoning of those indicted for the January 6 attack, analysts observed a wide variety of rhetoric, including continued efforts by J6 supporters to release the remaining prisoners, extensive conspiratorial rhetoric, calls for retribution, and—in some cases—calls for violence against the federal employees who investigated the attack on the U.S. Capitol.  

Notably, J6 participants and supporters on the surface, deep, and dark web—from Telegram to Twitter—are coming together to call for the release of the few remaining rioters who are in prison. Emboldened by the administration’s pardons, numerous Telegram channels and Twitter accounts appear to be intensifying efforts to release the remaining J6 defendants. Many channels and accounts make nearly daily posts encouraging supporters to call President Trump, U.S. Attorney General Pam Bondi, and other officials within the Trump Administration to request the release of the J6 “hostages.” Several of these accounts are administrated by recently pardoned J6 defendants who, in addition to calling for the release of all J6 defendants, are also encouraging those who have been pardoned to share “testimonial videos” to “expose the truth.”  

Conspiracy theories are at the heart of many of these discussions being held in J6 communities on the surface, deep, and dark web. The overarching, unfounded conspiracy theory observed across multiple platforms is the belief that the January 6 attack was orchestrated by the U.S. government. J6 supporters have been observed referring to the attack as the “J6 Fed-surrection,” and have shared conspiratorial articles claiming that FBI agents participated in the insurrection. One of the posts sharing this unfounded claim on Twitter gained 170,000 views, reflecting how this type of misinformation is gaining traction and becoming a part of the dominant discourse.    

These conspiracy theories have further fueled J6 campaigns for retribution, as notably observed in a January 30, 2025 Telegram post calling for the creation of a “J6 Taskforce” intended to “document the abuses of power and overreach demonstrated by the justice department, DC jail, DC courts, and Bureau of Prisons.” The post discussed a letter sent to President Trump to request such a taskforce, which would specifically be composed of “J6ers, J6 family members and advocates.” Indeed, DarkOwl has observed a pattern of J6 supporters interested in participating in the administration of “justice” against those who they believe have wronged them.  Immediately following their release, both  Stewart Rhodes and Enrique Tarrio vowed retribution and called for the prosecution and imprisonment of those who investigated the January 6 attack or testified against them.  

The majority of the rhetoric observed by DarkOwl in J6-affiliated Telegram channels since the pardons has not been violent in nature. This is not to say, however, that there has been a total absence of concerning or violent rhetoric. In response to articles about the House Select Committee on the January 6 Attack, DarkOwl saw Telegram users calling for acts of violence against those who participated in the committee. One user suggested “send Luigi [Mangione] to [their] homes,” while another added: “could always just have them ‘commit suicide.’”  

Significantly, there appears to be even more violent rhetoric directed at the J6 Committee on Twitter than on Telegram. In response to a tweet sharing an article about unfounded claims that the FBI participated in the January 6 attack, numerous individuals called for violence against the mentioned FBI officials. Users in the comment section mentioned firing squads and hangings, with one individual making an indirect threat by encouraging “traitors and liars” to “RUN!!” DarkOwl also located instances of similar rhetoric on Rumble, where users insisted on prison or the death penalty for “the entire J6 committee, Schiffs of the World, Fauci’s, Bill Gates, etc.” This language is consistent with the type of rhetoric that has been observed since the results of the 2024 presidential election, with individuals specifically calling for violence against former members of the Biden Administration.  

Conclusion 

Ultimately, the network of J6 participants and supporters online—both on the surface and dark web—remains extensive and robust. It is a community characterized by the active propagation of conspiracy theories, misinformation, and disinformation. Perhaps more importantly, however, it is a collective of individuals bound by anger and a desire for retribution, as is evidenced by repeated calls for vengeance, whether through prison sentences or executions.  

Research across these J6-related online spaces—whether on Telegram, Twitter, Rumble, or others—reveals an overarching sentiment: the veneration of those convicted for participating in the violent attack on the U.S. Capitol. The defendants are portrayed as heroes—a misrepresentation that is only further bolstered by the administration’s pardons and President Trump’s description of the rioters as “patriots.” Based on the rhetoric seen across numerous platforms, the J6 community’s goals appear clear: release the remaining prisoners and push for the persecution of members of the J6 Committee. Whether or not—and how—the group is able to achieve the latter, however, remains unclear. 

---

Don’t miss anything from DarkOwl analysts. Subscribe to email.

April 01, 2025

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. This Data Could Destroy The FBI—Russian Crime Gang Warns Kash Patel – Forbes

In a February 25 post on their dark web leak site, the Russian ransomware gang LockBit claimed to have stolen data from the Federal Bureau of Investigation (FBI). The post directly addresses new FBI Director Kash Patel and claims that the ransomware gang has “an archive of classified information” that would “negatively affect the reputation of the FBI [and] destroy it as a structure.” The message prompts FBI Director Patel to contact LockBit personally in order to gain access to the password-protected file included in the post. Read full article.

2. Police arrests 300 suspects linked to African cybercrime rings – Bleeping Computer

In a March 24 press release, INTERPOL announced the arrest of 306 suspects and the seizure of 1,842 devices as part of the INTERPOL-led operation “Red Card,” which aims to “disrupt and dismantle cross-border criminal networks.” The arrests were carried out in Benin, Côte d’Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia. Operation Red Card, which took place between November 2024 and February 2025, specifically targeted “mobile banking, investment, and messaging app scams,” which involved more than 5,000 victims. Article here.

3. X hit by ‘massive cyberattack’ amid Dark Storm’s DDoS claims – Bleeping Computer

On March 10, X (formerly known as Twitter) suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the distributed denial-of-service (DDoS) attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages. Read more here.

6. Cyberattack takes down Ukrainian state railway’s online services – Bleeping Computer

On Sunday, March 23, Ukraine’s national railway operator Ukrzaliznytsia was targeted in a “systematic, complex, and multi-level” cyber-attack. The attack disrupted the company’s online services, preventing users from purchasing tickets. Railway operations themselves were not impacted by the intrusion, however the hit to online systems resulted in long waiting times, delays, and overcrowding. Read full article.

7. Vo1d Botnet’s Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries – The Hacker News

According to researchers at Xlab, nearly 1.6 million Android TV devices have been infected with a new and improved variant of the Vo1d malware botnet. 226 countries have been targeted in the campaign, with Brazil, South Africa, and Indonesia accounting for the largest number of infections (24.97%, 13.6%, and 10.54% respectively). Xlab has been tracking the campaign since November, 2024, and has reported that the botnet peaked on January 14, 2025. The new variant currently encompasses 800,000 daily active IP addresses. Read full article.

8. BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse – The Hacker News

Over 1 million devices have been impacted in a fraud operation dubbed “BADBOX 2.0,” an expansion of the previous BADBOX operation discovered in 2023. As noted in the Satori Threat Intelligence report, “BADBOX 2.0 is the largest botnet of infected connected TV (CTV) devices ever uncovered.” Satori researchers assess that it is likely that the same threat actors are behind both operations. Four different threat actor groups have been identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. Learn more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.