Author: DarkOwl Content Team

August 29, 2024

Telegram’s CEO Pavel Durov was arrested by French police as he landed at a French airport in northern Paris on Aug 25, 2024, which was first reported by the BBC. Reporting indicated that he was arrested in relation to the messaging app, although it was initially unclear what the exact offense was. Early reports stated it was due to a “lack of moderation [and] failing to take steps to curb criminal used of Telegram.”

Figure 1: Pavel Durov; Source: BBC

Durov is a 39 year old Russian National who also holds citizenship in France, the UAE, and St Kitts. He founded the messaging app Telegram in 2013 after previously founding and creating the popular Russian social media app VK. Telegram has 950 million registered users worldwide. 

Telegram has long been criticized by law enforcement and security analysts for hosting extremist content, CSAM material, and other illicit content. It is renowned for not cooperating with law enforcement and has only been known to take action against ISIS affiliated channels in response to the terror attacks in France in 2015 – only after pressure – Durov had previously stated “IS would simply find another app if kicked off his, I don’t think we should feel guilty about this.”

However, further reporting did indicate that they were taking steps to remove Indonesian terrorist groups from the platform, but this was in response to the Indonesian authorities limiting the access to the app and threatening a total ban.  

Figure 2: Chat about history of Telegram; Source: DarkOwl Vision

Channels can be found on Telegram that sell illicit goods, share extremist rhetoric, and conduct financial fraud. 

More recently, the messaging app has been pivotal in both the war in Russia and Ukraine and the conflict between Hamas and Israel, with the app being used to spread propaganda, as a source of news as well as a hotspot for hacktivists and cyber attacks. Many argue it had been weaponized to share violent images, disinformation, and false narratives. 

After his arrest at Le Bourget Airport, flying from Azerbaijan, Durov was held for four days before appearing in court 28 August. Scant reporting/conspiracy theories have begun to circulate that Durov only flew to France at the invitation of President Macron.  

Durov was released from court and officially “placed under formal investigation as part of a probe into organized crime on the messaging app.”  Durov was required to pay 5 million euros to the French government, cannot leave French territory, and must visit a police station two times a week until the investigation concludes.

Durov’s arrest has received widespread criticism from Elon Musk, Edward Snowden, and the Russian Foreign Ministry as an attack on human rights and freedom of speech. Snowden called it “an assault on the basic human rights of speech and association.”

It does appear to be unprecedented for law enforcement to take action against the owner/founder of a social media platform and hold them accountable for what is posted by others on the site.  

Yesterday (28 August) it was reported that Telegram has repeatedly ignored outreach from the National Centre for Missing and Exploited Children (NCMEC) and the Internet Watch Foundation (IWF), who are dedicated to stopping the spread of CSAM (Child Sexual Abuse Material). Without joining these groups, they are not able to proactively identify and remove previously identified CSAM material.  

Other social media platforms like SnapChat, Facebook, Instagram, Threads, TikTok, Pornhub, and OnlyFans are all members of these organizations.

Yet, there is no legal obligation to join NCMEC for organizations outside of the US, although one could definitely argue a moral obligation. Telegram, along with Durov, is based in Dubai.  

Telegram continues to assert that they proactively moderate harmful content on the platform including child abuse material. The company insists that its moderation is “within industry standards and constantly improving.”

However, it does seem that Telegram’s continued reluctance to engage with law enforcement or other regulators to reduce the amount of illicit material on the site is the reason for the arrest.  

DarkOwl analysts located a copy of Durov’s official arrest record, the below highlights the charges against him. 

• Complicity – Administration of an online platform to allow an illegal transaction in an organized band, 

• Refusal to communicate, at the request of the authorized authorities, the information or documents necessary for the realization and exploitation of interceptions authorized by law, 

•  Complicity – Detention of the image of a minor of a child-pornographic nature, 

• Complicity – Dissemination, offer or making available in an organized tape of images of a minor of a pornographic nature, 

• Complicity – Acquisition, transport, holding, offer or disposal of narcotic products, 

• Complicity – Offer, assignment or making available without legitimate reason of equipment, an instrument, a program or data designed or adapted for the attack and access to the operation of an automated data processing system, 

• Complicity – Organized gang scam, 

• Association of criminals with a view to committing a crime or offence punishable by 5 years of imprisonment at least, 

• Money laundering of crimes or offences in organized gangs, 

• Provision of cryptology services to ensure confidentiality functions without a declaration of conformity, 

• Provision of a cryptological means not exclusively ensuring authentication or integrity control functions without prior declaration, 

• Import of a cryptology means that does not exclusively perform authentication or integrity control functions without prior declaration. 

Figures 7-10: Screenshots taken by DarkOwl analysts of Durov’s arrest record

It is clear from the levelled charges that Durov is being held accountable for supplying the means for criminals to communicate and operate on his platform, for the encryption the site provides and a lack of cooperation with law enforcement.  

Darknet Reactions 

Response on Telegram to the arrest has been swift. With most of the posts identified questioning why the arrest was made and asserting probably conspiracy theories about who was involved and what ties Telegram has.  

DarkOwl identified over 1300 mentions of Durov’s arrest. The bulk of the Telegram channels commenting on the arrest with negativity appeared to be primarily from right wing leaning political extremist channels. Some of the channel names that expressed outrage towards Durov’s arrest: 

• The Patriot Voice 

• God Wins! 

• QANON+ 

• Greek Trump Supporters 

Figure 11: Vision results for mention of Durov’s arrest; DarkOwl Vision

One user on another right wing leaning political extremist channel shared a link to a Russia Today article that focused on Elon Musk’s response to Durov’s arrest and the coinciding rise in popularity of the hashtag #FreePavel: 

Figure 12: Users share Elon Musk response to arrest; Source: DarkOwl Vision

Other channels have discussed the theory that as a result of the arrest, Telegram will be removed from at Apple App store and from individual’s devices. The post gave users instructions on how to prevent that from happening.  

Figure 13: Telegram Channel Massachusetts Unified 

Further chatter was identified which pondered why Telegram had been targeted for using encryption techniques when other messaging apps used the same.  

Figure 14: Source: DarkOwl Vision

Others commented that Durov was not arrested but kidnapped and that Telegram was to be muzzled.  

Figure 15: Source: DarkOwl Vision

Other posts indicate that Telegram is connected to the Deep State, run by the CIA and wondered if Elon Musk would be targeted next and if the Biden administration was involved in the arrest. 

Figure 16: Source: DarkOwl Vision

Unsurprisingly, given the nature of our collection efforts, targeting illicit activities, extremists and fraud, we did not find many posts which were supportive of the arrest within our data.  

Conclusion 

The arrest of Durov has cause debate among many regarding freedom of speech, responsibility of CEOs of social media platforms and their perceived requirement to cooperate with law enforcement requests and remove harmful or illegal material. This debate is likely to continue as the investigation into Durov continues.  

Many users on Telegram and other dark web sites have shown support for Durov, although much of the rhetoric seems to target the state and provides little evidence for the views.  

Whatever the outcome of the investigation, this will have ramifications for privacy, security, social media, and the individuals responsible for them. It is still yet to be decided what impact if any the arrest will have on the operations of Telegram going forward. It is unlikely that a platform as large with so many users could be removed but remains to be seen if they will change their stance on helping law enforcement and other organizations to crack down on illicit activities. What is likely is that no more Telegram members of staff will be traveling to Europe any time soon! 

---

Stay up to date with DarkOwl. Follow Us on LinkedIn.

Interview with DarkOwl’s Irina and Bianca

August 26, 2023

For the third year in a row, in honor of Women’s Equality Day today, August 26^th, the DarkOwl Marketing team interviews our Finance Controller, Irina, and Analyst, Bianca. Last year, we chatted with our Director of Client Engagement, Caryn Farino, and Senior Darknet Analyst, Steph Shample – that blog can be found here. Two years, we sat down with Chief Business Officer, Alison Halland, and Director of Technology, Sarah Prime – check out that blog here. DarkOwl is very proud of our women leadership and workforce and strives to continue to build a balanced workforce with the most talented and effective team possible.

Interview: Thoughts on Being a Women in Cybersecurity from Two Members of DarkOwl’s Team

To commemorate Women’s Equality Day, we sat down for a candid interview about working in the cybersecurity industry with two women from our team.

Editors Note: Some content has been edited for length and clarity.

Globally, 14,865 people took part in the 2023 ISC2 Cybersecurity Workforce Survey. Of this, 17% of the respondents were women. While this is a worryingly low figure compared to other sectors like the legal profession (53% women) and the accountancy sector (46% women), we took a deeper look at the data and discovered a number of positive trends, including women’s pathways into the profession, the roles they play within cybersecurity teams and the career path similarities with men in many areas.

Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber? 

Irina: I came from Siberia, which at the time was part of the Soviet Union. I moved to New Mexico, U.S.A., when I was 14 years old, speaking very little English and quickly improved my language skills and had to learn Navajo and Spanish. Moving to the U.S. was a major culture shock! But with perseverance I was able to acquire the confidence to integrate into the American way of life.  

No. I had no idea I would be in cyber security. My background is in finance, having studied to get my M.B.A. I love numbers, but I also have a great appreciation for cutting-edge technologies. 

Bianca: I didn’t know that I wanted to go into cybersecurity either. My academic background was actually in international relations, and while my focus wasn’t on cybersecurity, I had the chance to take classes on topics adjacent to cyber. Then, after graduation, I found myself drawn to cybersecurity quite naturally in light of an increase in cyber threat actor activity associated with global conflicts. Seeing the ways conflicts like the Russia-Ukraine war can prompt the emergence of more cyber activity really interested me in particular, given my international relations background.  

Has working in this field dispelled any misconceptions you had about your own abilities or interests? 

Irina: Well, no, it would be my answer. As I previously mentioned, I love new and exciting technologies and to be able to help make these companies function well gives me great satisfaction and is a privilege. I enjoy the challenge of using my abilities to work with areas that are outside of my usual expertise. I found that my ability to speak fluent Russian has helped me on numerous occasions, to go above and beyond my usual responsibilities. 

Bianca: As someone with an international relations background in this field, I would say yes. My background isn’t in coding or software development, and while I was in university that’s what I associated with cybersecurity. And now, being in it, I’ve realized that it’s a multifaceted field that ultimately requires a wide variety of skills, especially analytical skills and critical thinking skills. Many may assume that having a liberal arts background might not help you in the cybersecurity field, but, in reality, I think it provides the essential ability to think critically and solve problems and approach issues from multiple viewpoints. 

Can you both talk a little bit about your professional development? Have there been any specific courses or certifications that you would recommend for somebody trying to get into cybersecurity? And then for you, Irina, anything finance specific on top of that? 

Irina: I’m a finance person having an MBA, as I mentioned earlier, that’s my love and that’s my training. I wish to use this to help cybersecurity companies and other companies to succeed. I have no professional experience in the dark web, but I can help and enhance the use of their finances! 

Bianca: Well, I can’t speak to finance at all, so I’m glad you’re here!  

In terms of cyber, there’s, of course, Michael Bazzell’s work, which is an amazing resource for building out those foundational skills. He has a guide on leaks and breaches that’s very helpful for data collection specifically. But ultimately, what’s helped me the most is getting hands-on experience. I think that at the end of the day, no matter how many guides you read, nothing’s going to prepare you more than actually applying those skills in the real world. Before getting that experience, I would also say that it’s really helpful to have a mentor in the field who can provide tips and answer questions. There’s also a great resource called NatSecGirlSquad, which is a network of individuals that work in the broader security field, many of whom are in cybersecurity, so it’s a good way to connect with people. 

What’s it like being a woman in the cybersecurity industry? And Irina, you’re just not in cybersecurity but finance as well, another male dominated industry and profession. What are the challenges or advantages that you guys have experienced? 

Irina: For me, it’s always difficult being a woman in a man’s world. But I have found with time, my male colleagues grew to appreciate my understanding of not only financial world, but of their problems and be able to help solve these problems. 

Bianca: I have to say that I feel incredibly lucky being here at DarkOwl because I feel like, unlike the broader cybersecurity industry, it’s such an inclusive environment and there are women in leadership positions who serve as role models here. Unfortunately, the same can’t be said for the broader cybersecurity industry; I know recent data from ISC2 showed that at least three out of four cybersecurity professionals are male. So in terms of inclusion, cybersecurity is still behind as a field, even when compared to other male-dominated industries. 

How do you feel about the representation of women in cybersecurity, and have either of you seen it change since you started your careers? 

Irina: My experience with women in cybersecurity has very much been down to my enjoyable and productive relationships with women in DarkOwl, and I really feel ill equipped to comment on how the industry in general treats women. 

Bianca: Yeah, I can relate in the sense that as someone relatively new to the field, I can’t personally speak to how it has changed over the years. But looking at the number of women I know going into this field, it feels like we may finally be moving in the right direction, slowly but surely. And certainly, here at DarkOwl, we have a lot of women in leadership positions, and I think that makes a huge difference. You know, seeing women in public leadership positions really plays a huge role in challenging stereotypes and inspiring people to follow similar paths. 

And what steps do you think organizations can take to promote gender equality and inclusion in cybersecurity roles? 

Bianca: I would say definitely identifying, first and foremost, any gender pay gaps and rectifying those is a vital first step. And then also, harkening back to the point about women in leadership, ensuring that there are women in the field in public leadership positions. Again, it’s important to have those role models to challenge stereotypes and facilitate similar paths for current and future generations. I know that I wouldn’t have been able to enter this field without incredible female role models that inspired me and set the stage for other women to pursue similar paths. And that kind of representation is key to moving towards workspaces that are diverse not just in terms of gender, but also in terms of race, ethnicity, sexual orientation, etc. 

Irina: I think companies should allocate more resources for training and invest in women in cybersecurity to give the industry a broader perspective. I’m thrilled we have a new Board member, who is an accomplished woman joining DarkOwl’s Board. 

Bianca: That’s such a great point, it’s such an exciting development and really stands out compared to many cybersecurity companies. Most organizations in this field don’t have the gender ratio that DarkOwl has, and certainly not for leadership positions, so this is really such exciting news.  

What do we not understand about cybersecurity as a field in its job opportunities. And what does cybersecurity mean to each of you? 

Irina: To me cybersecurity means protection. This is protecting my family, my community and my country; protecting their identities, their finances, their privacy, their future. Job opportunities are massive as cyber terrorism is becoming a greater threat day by day. My concern is so many companies and organizations do not understand the threat in a sufficient way and do not allocate the necessary resources for cybersecurity. This is a major threat to our collective future. 

Bianca: I agree completely. I think that’s a great point–summarizing cybersecurity as being about protection. And I think a common perception among people who aren’t familiar with the field, myself included before I entered it, is that cybersecurity is this coding-heavy, technical field that doesn’t have room for non-technical skills. And of course, that’s not the case at all, right? Because what’s brilliant about cybersecurity is that it’s so interdisciplinary. Cyber threats don’t exist in a vacuum; so, for instance, having an international relations background and an understanding of global conflicts can shine a light on the calculus behind cyber attacks. Cyber threats are often situated in a geopolitical context, so having individuals who can approach them from that perspective and provide a 10,000-foot view can be valuable. So overall there’s really a wide variety of opportunities in the field, ranging from software development to analysis to, as Irina can speak to, finance as well. I think that’s wonderful. 

Are there any specific projects or accomplishments in your cyber careers that you’re particularly proud of? 

Irina: I have two specific accomplishments in which I take pride in. Salespeople can be very focused on acquiring new customers and not always spend time looking after them. I was proud to be able to save a valuable customer and help to expand the business opportunities with this particular client. To also build up new relationships, which to this day has been proven to be fruitful. And on my second project, in which I’m particularly proud of, was working with a government agency that required a top executive of DarkOwl to attend a critical meeting, and needed a lot of personal input to guarantee an entry Visa, so that this executive could attend the meeting. This relationship opened up new and exciting opportunities and to this day they come back to me for a rapid and constructive responses. 

Bianca: Broadly, I’d say that I’m proud to have the opportunity to help people. Going back to Irina’s point about cybersecurity being about protection, that’s what I’m most proud of, especially when it comes to protecting vulnerable communities. I went into this field because I wanted to try to make a difference, as small as it may be, and I feel like I’ve been lucky to have the chance to contribute to that in some way. But I think most of the time there’s really this… this sense of “there’s so much more to be done and I’m not doing enough.” Especially when we see how much hate there is on the deep and dark web, and even the surface web. Being exposed to that hatred every day is disheartening, on the one hand, but on the other hand, it serves as a constant reminder of why we’re in this field and why we do the work we do and the fact that there’s still so much work to be done. 

How can the cybersecurity community better support and empower women, especially those just entering the field? 

Irina: This is not my expertise as I’m a financial expert. However, I do feel women are highly suited to this industry as it involves a range of skills that can often fit into a broader skill set that is usually found with women’s education and experience. 

Bianca: Yes, as someone relatively new to the field, again, I have felt very welcomed and empowered here at DarkOwl. I think cybersecurity organizations and the community broadly can learn a lot from what DarkOwl has done. I’ve felt empowered thanks to being included in key conversations, feeling like my voice is being heard, and having supportive colleagues. Of course, I think, again, having female leadership across the organization has played a huge part in feeling supported, because it really is direct evidence of how much DarkOwl values all of its staff. I think those are all steps that organizations across the cyber security community can take to empower women, as well as providing training opportunities, as Irina noted.  

---

Follow us on LinkedIn to keep up with us!

August 23, 2024

Introduction

In the enigmatic world of cybersecurity, where the dark web lurks just beyond the surface of the internet, DEF CON stands as a beacon of insight and innovation. Held annually in the neon-lit heart of Las Vegas, this iconic convention is more than just a conference—it’s a high-stakes playground where hackers, cybersecurity experts, and technology enthusiasts converge in a whirlwind of creativity and intrigue.

For those navigating the murky depths of the dark web, DEF CON provides a crucial window into emerging threats, new technologies, and the shifting landscape of cyber threats. Whether you’re a experienced attendee or a first-time visitor, DEF CON offers an unparalleled glimpse into the future of cybersecurity and the thrill of digital exploration.

A Different Look and Feel

An ongoing joke within the DEF CON community is that “DEF CON is Canceled.” This year, the 32nd iteration of the convention, the joke almost became a reality. With just three months to spare, DEF CON Global Coordinators and Department Leads were scrambling to secure a new location after their long-time venue canceled.

DEF CON 32 found a new home at the Las Vegas Convention Center. This was a significant shift from the previous years where attendees roamed multiple casinos to find their desired villages or talks. This year, everything was housed under one roof – a major change that simplified navigation. Many villages and groups were housed in a large open space separated by curtains but still using loudspeakers. While not ideal, this setup did not dampen the laid-back spirit of the crowd, eager to quench their curiosity.

Another notable change in DEF CON 32 was the increase of minor attendees. What was once considered the “Frat Party” of cyber conferences is now adopting a more “Family Friendly” vibe. Various villages incorporated Capture the Flag (CTF) competitions and other contests for younger participants, including the dedicated DCNEXTGEN village.

The Experience for First-Time Attendees

What to Expect: Be prepared for an overwhelming influx of information.

Initial Impressions: DEF CON can be daunting for newcomers. The sheer volume of attendees, the sprawling layout, and the wealth of information can be overwhelming.

3 Essential Tips:

1. The line for Hacker Jeopardy IS worth it.
2. Don’t try to do everything your first year. Focus on the villages or talks that align with your current expertise or future aspirations.
3. Network actively. You might find yourself next to a fellow newbie or in line behind the CISO of a Fortune 500 company.

Insights from Experienced Attendees

Uniqueness of DEF CON: DEF CON serves as a melting pot for industry professionals and aspiring hackers. One experienced attendee shared; despite attending for many years, he still marvels at the opportunity to debate policies with influential figures he wouldn’t typically interact with in his role at a small cybersecurity firm in Arizona.

The Best of the Best: Experienced attendees at DEF CON often feel reassured knowing that those who speak at Official DEF CON talks are among the top professionals in the industry. At DEF CON 32, this included prominent figures like Jen Easterly, Jeff ‘The Dark Tangent’ Moss, InfoSec celebrities such as Neil ‘Grifter’ Wyler and Jayson Street, as well as Bug Bounty experts STÖK Fredrik and Joona Hoikkala (DEF CON 31). These six names represent just a small fraction of the distinguished individuals who attended DEF CON 32.

Must Do: The unanimous recommendation from experienced attendees was “DFIU” (Don’t F&*^ It Up) and not attend Hacker Jeopardy at least once.

Hacker Jeopardy

Despite many changes at DEF CON 32, Hacker Jeopardy remained a constant favorite. Attendees still enjoyed bouncing large and small beach balls during the wait for entry and during the show. Beer still flowed on stage for contestants (bananas for the one pregnant contestant), and Miss Kitty, a DEF CON staple, made her usual appearance. The crowd eagerly chanted “DFIU,” and opportunities to win elite swag abounded. Thankfully the categories, while comically titled, still showcased the skills needed to be a hacker…or poked fun at recent cybersecurity mishaps

Hacker Jeopardy celebrated its 30th birthday at DEF CON 32, drawing the largest crowd on record. The event featured star-studded teams, guest hosts, and a special appearance by Jeff Moss, who wished Hacker Jeopardy a happy 30th birthday.

The first night included a category dedicated to Darknet Diaries, with answers read by Jack Rhysider himself (while standing behind a privacy screen). The excitement peaked on the second night when Jeff Moss announced through a text message to ‘Grifter’, that for the first time, winners of Hacker Jeopardy would receive a Black Badge, granting them lifetime free admission to DEF CON.

Election Year Insights: A Hacker’s Perspective

Jake Braun – DEF CON Franklin Project –

DEF CON’s unconventional approach offers invaluable insights. Many villages compile data from contests and talks into reports on emerging trends and new vulnerabilities, often presented to government officials or find their way in front of Congress.

In the context of the 2024 U.S. election, the Voting Machine Hacking Village, spearheaded by Jack Braun, stands out. In 2017 Braun, former Acting Principal Deputy National Cyber Director for the White House, recognized the need for more than academic vulnerability testing of voting machines. By leveraging DEF CON’s hacking expertise, Braun created a village that ultimately led to the replacement of vulnerable voting machines in several states.

In 2024 at DEF CON 32 Braun and Jeff Moss launched “DEF CON Franklin”, focusing on creating “The Hackers’ Almanack” and organizing the “Franklin Cyber Volunteer Task Force.” Their goal is to harness the DEF CON hacker community’s skills to enhance the cybersecurity of critical infrastructures and K-12 school districts.

A Dark Web Perspective

4 Insights from DEF CON 32 for DarkOwl

1. Advanced Threat Detection Techniques

• Machine Learning and AI: DEF CON 32 highlighted the growing role of AI and machine learning in threat detection. Leveraging these technologies can improve DarkOwls ability to identify and categorize emerging brand threats in the darknet. Implementing advanced algorithms to analyze patterns and anomalies in our data can enhance predictive capabilities and automate collections.
• Behavioral Analysis: Develop models that focus on the behavior of actors within the darknet to enhance DarkOwls Threat Actor Profiling. This includes monitoring changes in patterns, language, and interaction dynamics that may signal emerging threats or new trends.

2. Enhanced Data Collection Methods

• Automated Crawling Tools: Sessions at DEF CON 32 emphasized the use of sophisticated crawling tools for more efficient data collection. DarkOwl is always striving to enhance or implement automated tools to better navigate the complexities of the darknet, such as handling various encryption and obfuscation techniques, that will improve the depth and accuracy of our data processing.
• Use of Open-Source Intelligence (OSINT): Combining darknet data with OSINT can provide a more comprehensive view for DarkOwls Darknet Risk Analysis. Incorporating data from open sources helps in cross-referencing and validating information found on the darknet.

3. Privacy and Ethical Considerations

• Ethical Collection Practices: The Policy Village at DEF CON 32 discussions often revolve around the ethics of cybersecurity practices. DarkOwl is passionate about ensuring that our methods of data collection and analysis adhere to ethical standards. This includes respecting privacy laws and obtaining data without compromising the security and anonymity of individuals. As well as displaying our data without exposing CSAM and SEIM.
• Secure Data Handling: As a leading provider of darknet data DarkOwl strives for robust data protection measures to safeguard the information we collect. Learning latest techniques for implementing strong encryption and access controls helps in maintaining the integrity and confidentiality of our data.

4. Improving Investigation Tools

• Enhanced Search Capabilities: The Recon Village at DEF CON 32 touched on the need for powerful search tools. Invest in or develop advanced search functionalities that allow for more nuanced queries and deeper insights which is easily applicable to darknet data.
• Focused Techniques: DarkOwls Data Acquisition services collect darknet data from various darknet forums, markets and blogs. At DEF CON 32 the Recon Village had a talk on “Tapping the OSINT potential of Telegram”. This is by no means a new concept at DarkOwl, however, some of the new Telegram features and updates presented during this talk highlighted new avenues for DarkOwl to explore to enrich our data collections.

Relevance to Dark Web Professionals

Most DEF CON villages relate to dark web activities. Not all dark web actors are lurking in basements; some are active professionals analyzing and exploiting network vulnerabilities. DEF CON offers valuable insights into these activities.

While dark web markets are rich in digital information, they also feature physical items that require traditional methods to obtain. This is why villages focused on physical security, like Lock Pick and Physical Security Villages, are so valuable. They provide more than just thrilling experiences; they offer practical skills that are applicable in various security contexts.

Conclusion

As we emerge from the shadows of DEF CON 32, it’s clear that the conference offers far more than a glimpse into the future of cybersecurity—it provides a roadmap for navigating the complex and ever-evolving landscape of the dark web. The insights and innovations unveiled at DEF CON 32 empower us to refine our strategies, enhance our tools, and approach our mission with renewed vigor. For those of us on DarkOwl Darknet data collection team, these revelations are not merely academic; they are actionable strategies that can redefine how we detect, analyze, and respond to emerging threats against our clients.

In a realm where information is power and the stakes are high, staying ahead of the curve is imperative. DEF CON’s blend of cutting-edge technology and real-world application strengthens our abilities to turn the dark web’s complexity into a manageable and insightful asset.

---

Check out where the team will be next! Upcoming Events.

August 21, 2024

DarkOwl analysts are monitoring deep and dark web actors for mentions of the Democratic National Convention being held this week at the United Center and McCormick Place in Chicago from August 19-22. Analysts have observed an increase in chatter pertaining to the DNC, with numerous extremist channels, boards, and forums discussing the convention and in many cases amplifying misinformation pertaining to the DNC and planned protests.

Notably, since the start of the DNC on August 19, DarkOwl has located false claims of “chaos” erupting at the convention, often in conjunction with Islamophobic rhetoric directed at pro-Palestinian protesters. Multiple individuals and groups on the deep and dark web are contributing to fueling fear and panic by misrepresenting protests scheduled to be held throughout the week and exaggerating risks. Far-right, white supremacist groups are actively amplifying this rhetoric by spreading misinformation claiming that an “insurrection” and “civil war” is occurring in Chicago this week. In contrast to these false claims gaining traction online and being promoted on the dark web, the protests held on the opening day of the DNC remained predominantly peaceful.

In addition to protest-related chatter, according to open sources, on August 20, bomb threats mentioning the DNC were reportedly received by four Chicago hotels hosting convention attendees. Police are investigating and several dark web channels have since picked up on the news, sharing the headline. The incident comes amid an increase in false bomb threats and swatting incidents targeting a variety of facilities over the past two years.

Ultimately, at this time, DarkOwl has not located any credible threats directed at the DNC, but is continuing to closely monitor threat actors for concerning rhetoric. The DNC has been designated as a “National Special Security Event,” and the U.S. Secret Service is responsible for securing convention venues with assistance from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), Federal Bureau of Investigation (FBI), and other agencies. Chicago residents have been encouraged by emergency officials to subscribe to DNC alerts by texting “DNC” to 226787. 

---

DarkOwl will continue monitoring darknet activity around the upcoming election. Follow us on LinkedIn to keep up with the latest!

August 14, 2024

The speed and scale at which large language models (LLMs) have captured the attention of investors, the public, and tech startups cannot be overstated. This technology will undoubtedly revolutionize not only our personal interactions with technology but also business, analysis, medicine, and nearly every industry in some capacity. However, there is a dark side to this revolutionary technology. As the founder of Linux, Linus Torvalds, often stated, “With great power comes great responsibility.”

Bad actors have already begun leveraging these LLMs for nefarious purposes, and cybersecurity professionals have been highlighting proof-of-concepts to warn of various ways these models can be exploited. This blog will point out some of the early examples and known vulnerabilities of these LLMs and speculate on where they could lead us in the not-so-distant future.

Types of LLM Exploitation

Prompt Injection – Exploitation of LLMs for nefarious purposes has manifested in various forms. One prevalent method is prompt injection, which ranges from straightforward to sophisticated techniques. At its basic level, malicious users attempt to bypass security filters by presenting prompts in a manner that deceives the LLM into providing unintended responses. For instance, they might present multiple prompts where one is benign and the other malicious, hoping the model responds to the malicious one. This creates a continual challenge for developers and security experts who must constantly adapt to new tactics. On the more advanced end of prompt injection, techniques like encoding malicious questions in base64 can evade security measures by using encoded prompts to evade detection of harmful content. Developers are made aware of these types of obfuscations and appear quick to mitigate them in later releases.

Jailbreaking – Jailbreaking GPT models and prompt injection share significant similarities. When bad actors successfully devise a sophisticated set of prompts that circumvent multiple security measures, such as crafting prompts to generate malware, and the LLM consistently responds, it qualifies as a “jailbroken LLM.” In this compromised state, the model retains these malicious prompts, enabling users to interact with it normally while evading security filters. These jailbroken models are actively traded on the dark web for various illicit purposes.

One notorious example is FraudGPT, prominently featured on the dark web. It purports to execute a wide range of malicious activities, including generating phishing emails, creating keyloggers, producing malware in multiple programming languages, obfuscating malware to evade detection, scanning websites for vulnerabilities, crafting phishing pages, and more. The below image was extracted from a dark web site selling subscriptions of their version of a jailbroken LLM. If you want to learn more about Jailbreak GPTs you should check our a previously written DarkOwl blog that dives deeper into these GPTs.

Training Data Poisoning – Emerging as a significant concern for cybersecurity professionals and LLM engineers, in this method, threat actors and black hat hackers introduce malicious data during the model training process. This tainted training data becomes embedded in the model’s algorithms, eliminating the need for prompt injection. Consequently, malicious or unsafe responses are ingrained in the model’s core functionalities. Depending on the nature of the maliciously infused data, this could potentially enable outputs ranging from the generation of malware to the production of deepfakes and dissemination of misinformation directly from the model’s core algorithm.

Leakage – Leakage refers to various methods that enable LLMs to return sensitive data inadvertently captured during training, which was not intended for redistribution to users. This includes access tokens, personally identifiable information, cookies, and other data types assimilated during the model’s training phase. Such leaks can happen through prompt injection or more advanced techniques. Below is an example posted on X of a user whose cell phone number was captured and used in the output of an OpenAI ChatGPT response. As these models get access to more and more user data, you can imagine the impact of these leakages becoming even more concerning.

AI Agents – This represents a slightly more sophisticated form of exploitation compared to our previous examples. With the rise of AI integration in programming and its accessibility via APIs, there is a burgeoning interest in “AI Agents.” These agents operate autonomously and sometimes possess special privileges on the host computer. For instance, a program could scan files, read data, copy logs, inspect system defenses like Windows Defender, and relay this information to an LLM. Each “agent” is tasked with retrieving specific information—such as scanning logs for leaked passwords or identifying vulnerabilities in a WordPress instance running on a server—using the LLM model. Finally, another agent might execute commands on the host computer based on the information gathered. These agents perform autonomous actions, resembling a sophisticated virus operating intelligently within your environment.

Summary

As we explore the realm of Large Language Models, their rapid advancement offers promising potential across diverse industries—from streamlining business processes to advancing medical diagnostics. However, alongside these opportunities, there are significant challenges. Malicious actors exploit vulnerabilities such as prompt injection and training data poisoning, utilizing these powerful tools for cyber threats and manipulation. It’s crucial to remain vigilant and aware of potential misuse of these tools and mitigate the risk—from potential data breaches to orchestrated misinformation or even AI agent malware.

---

Curious about trends on the darknet? Don’t miss any of our research! Follow us on LinkedIn.

August 07, 2024

As hands-free, low/no-contact trends exploded in popularity during the pandemic, QR code technology became more prevalent. So, too, do the ways to take advantage of the technology and turn a QR code into a phishing operation, or worse. QR codes are appearing in public places such as parking areas, restaurants, and hospitals. Their convenience is a no-touch way to pay for or order a service. However, the accessibility of QR codes extends not just to patrons looking for a simple, germ-free way to get things done. Unfortunately, malicious actors are taking advantage of QR codes in public places, as well as sending them via phishing campaigns via email and SMS messages.

At the end of 2023, the Federal Trade Commission published a warning about an uptick and tactics used by scammers and fraudsters to disseminate QR codes that stole personally identifiable information (PII) or directed unsuspecting victims to fraudulent websites that would do so. QR codes can also install malware onto personal devices, such as laptops and mobile phones. The dark web and its adjacent platforms, such as Telegram, offer tutorials and services to empower cyber criminals to steal not only information but in some cases, finances of victims, using QR codes:

Figures 1 and 2: On an onion forum, malicious actors discuss QR code fraud sales and cashing out on them using cryptocurrency, as well as possibly accessing Discord; Source: DarkOwl Vision

The easiest method to spread QR code fraud is simply placing a sticker over a QR code located in an open, public place. Criminals can do this outside of the range of security cameras in many instances. These cover-up QR codes can send victims to fraudulent websites.

Alternatively, if QR codes are sent via email, embedding them as an image in the email does not trigger security or scanning software, so the malicious link of the embedded QR code will function and lure victims to the malicious website. This tactic is called “Quishing” – a portmanteau of QR code and phishing.

Both of the above scenarios rely on people using personal devices as they travel out and about, running errands. Personal devices often see lower security protections as opposed to a corporate or employee-sponsored device. Criminals also take advantage of the fact that people are often in a hurry when conducting errands or going to a leisure event, so they don’t take the time to inspect URLs, ensuring no typos or suspicious looking links. To maximize their financial gain, online tutorials offer QR code fraud guides of all types:

Figure 3: A Telegram user advertises for all kinds of malicious services, including QR code fraud; Source: DarkOwl Vision

How to Protect Yourself

Since QR code fraud is similar to phishing operations, the same protective measures apply:

• Always investigate URLs closely, and ensure there aren’t typos, or a possible misdirection located in the code, or the URL provided with the code.
  • This includes ensuring the URL provided uses a secure HTTPS protocol, and not just HTTP.

• Do not click on or scan QR codes from strangers, only open QR codes from trusted sources.

• Don’t download any files from a QR code or permit auto-downloads from any websites related to QR code use.

• Ask employees in places where QR codes are located publicly to verify the website the code takes you to, so that no fraud or information stealing occurs.

---

Questions for our analyst team of darknet experts? Contact us.

August 06, 2024

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Ares market.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

---

Dark web marketplaces are synonymous with the dark web where users can buy and sell illicit goods. It began with Farm Market, followed by the more prolific Silk Road. Ever since Silk Road was taken down by law enforcement, different markets have jostled for supremacy. As such, dark web markets are perhaps one of the more recognized things to appear on the dark web and they operate just like surface web marketplaces with reviews, escrow services and reputations.  

However, in recent years law enforcement have become more and more successful at shutting down these marketplaces, meaning that the vendors have to move to new areas. There have also been a number of exit scams from marketplaces with the admins closing down the site and taking the funds in escrow. 

DarkOwl analysts will write a series of blogs reviewing the most popular marketplaces of today after recent seizures of once popular markets like Kingdom, Incognito, and Bohemia Marketplaces. We will explore the various sorts of products regularly sold and well as how much the prices of products can vary within or between product categories.  

Ares Market

The first market we will explore is Ares Marketplace. Originally established in 2021, it is a well-known marketplace that offers a variety of products, from illicit substances and pharmaceutical substances to digital fraud products ranging from credit card fraud, cryptocurrency fraud, malware source code as well as a robust variety of counterfeit products like currency and IDs. Below is a screenshot of the homepage, which is what one would see after a successful log in:

Figures 1 and 2: Ares Market Home Page 

Drugs  

Cocaine and ketamine seem to be the most popular drug products boasting over 1600 listings. Pricing varies considerably listing by listing and vendor by vendor. It’s a challenge to determine which vendors might be legitimate or which vendors could be scammers. Although vendors work on the principle of reputation, and purchasers will quickly leave reviews if they think something is a scam. DarkOwl analysts regularly see ketamine sold by the gram on Ares Market with prices varying drastically: 26 USD for 1 gram all the way to 482 USD for 25 grams: 

Figure 3: Ketamine for sale on Ares Market 

As stated above, reputation is very important for dark web market vendors. The vendors will have profiles on the markets which provide details of how long they have been on the site, how many successful sales they have had and details of the reviews they have received. The below screenshot shows a product listing from a vendor who seemingly has a high reputation, has been a member since 2021, and allegedly has successfully completed 216 sales:  

Figure 4: Profile of Ketamine seller on Ares Market 

Financial Fraud 

Credit card fraud, aka carding, is also a popular product category on Ares with well over 500 listings. Again, prices range dramatically as well as the types of products offered.  

 While Visa, Mastercard, and Amex tend to be the most popular credit card company targets on this site, it is also common to see Credit Unions (CUs) because threat actors consider CUs to be easy targets with the assumption that they don’t always have the same budget to combat fraud. The below screenshot is a good example of a well-known carding threat actor, johnnywalker1, selling bank accounts with active balances from Robins Credit Union, which is a Georgia based credit union. The user is selling these accounts for roughly 136 USD and allegedly will gain full access to an account with an active balance ranging from 3 – 5,000 USD in addition to relevant personal identifiable information (PII) to access the account online: credentials, SSN, DOB, address, etc.  

Figure 5: Credit Union Credit cards for sale 

 Johnnywalker also regularly sells accounts and cards affiliated with larger banking/credit card companies like Amex. This user is allegedly selling one American Express account for roughly 13.50 USD, which is significantly cheaper than the above example of the credit union:  

Figure 6: American Express Credit Card for sale 

The seller does not make clear how they are obtaining these cards, but threat actors are known to clone cards, or access banking information from stole credentials, particularly through Stealer Logs.  

Counterfeiting 

Counterfeiting is also a popular section on Ares Market. The two most popular product categories are counterfeit currency follower by counterfeit IDs.  

 The below examples are from the currency category. The user, CounterKing, seems to have a verified reputation of 5 stars, level 9, and over 120 sales since they first registered in March 2023.  

CounterKing is selling 20,000 Euros of counterfeit currency for roughly 2,284 USD. The post goes into excruciating detail of the product description as well as their Terms & Conditions. Counterfeit cash products are expensive, and it is common to see a price range anywhere from 300 USD to above 3,000 USD.  

  Figure 7: Counterfeit Cash for Sale 

 Administrators 

Marketplaces are operated by admins, who ensure that the market is used in the way that they want and that the rules are followed. Some admins will also manage escrow services and a responsible for banning members who do not follow the rules. The admins of Ares Market are do a decent job of quality control on these listings because they are all related to credit card fraud. It is not uncommon to see less quality control and random products listed under the wrong categories on other marketplaces that are less reputable.  

---

Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Snapshot.

---

 Setting up DarkOwl Vision alerts on Ares Market

1. Select Ares Market from the lexicon 

2. Then add in the vendor/username you are interested in monitoring, for this example I chose “counterking,” which returned 354 results related to this user 

3. Next let’s create a monitor on future posts from this actor:  

1. Simply go over and click the star highlighted in blue on the right-hand side of the search bar.  

4. Followed by entering in the information to save your alert, choose your alert frequency and alert criticality and then clicking the box to receive email notifications and finally hitting the save button.  

  Figure 8: Ares Alert in DarkOwl Vision

August 01, 2024

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. AT&T Confirms Data Breach Affecting Nearly All Wireless Customers – The Hacker News

On July 12th, AT&T confirmed that it had suffered a data breach affecting “nearly all” of its wireless customers between April 14th and April 25th, 2024. The leaked files contain records of customers’ calls and texts which occurred on January 2nd, 2023, and between approximately May 1st and October 31st of 2022. The leak also included customers of mobile virtual network operators (MVNOs). The data was stolen from the company’s workspace and on a cloud platform. This data does not appear to have been made publicly available at this time. Full article here.

2. GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel – The Hacker News

Military personnel in the Middle East have been targeted by GuardZoo malware, an Android data-gathering tool. Over 450 victims across Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen have been impacted by the surveillanceware operation, with the majority of victims located in Yemen. GuardZoo is a modification of Dendroid RAT malware which targets Android OS and was first discovered in 2014. Read more.

3. 4 FIN9-linked Vietnamese Hackers Indicted in $71M U.S. Cybercrime Spree – The Hacker News

Four Vietnamese Fin9 actors were indicted for cybercrime activity between May 2018 and October 2021. They conducted phishing campaigns, social engineering and supply chain attacks that resulted in data theft. In some instances, FIN9 used personally identifiable information (PII) to create fake accounts “tied” to victims from the first stage of their operations, conducting cybercrime from assumed identities.. Article here.

6. LockBit lied: Stolen data is from a bank, not US Federal Reserve – BleepingComputer

At the end of June 2024, LockBit ransomware group claimed they hacked the US Federal Reserve. However, further analysis of the data, which LockBit published on their website, proved that in reality, LockBit hacked Evolve Bank and Trust, an entity not at all tied to the US Federal Reserve. When approached, Evolve Bank and Trust admitted they were investigating a cybersecurity incident, but provided no additional details or confirmation. Full article.

7. Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware – The Hacker News

Ukraine’s Computer Emergency Response Team (CERT-UA) revealed that a Ukrainian research institution has been targeted by HATVIBE and CHERRYSPY malware distributed in a spear-phishing campaign. CERT-UA has attributed the attack to UAC-0063, which it previously identified as targeting state bodies in Ukraine. CERT-UA shared that it is aware of multiple cases of HATVIBE infections. According to previous research, the threat actor UAC-0063 has been linked with moderate confidence to APT28, the Russian GRU-backed threat actor. Read more.

8. U.S. indicts Russian GRU hacker, offers $10 million reward – BleepingComputer

The U.S. indicted 22-year-old Russian national Amin Timovich Stigal for allegedly assisting Russia’s military intelligence service’s “WhisperGate” cyberattack by distributing malware to Ukrainian government computer networks a month prior to the invasion of Ukraine. Stigal targeted non-military systems and attempted to sow doubt in the Ukrainian government by publishing citizen data. According to the federal indictment, Stigal also targeted countries that supported Ukraine, including the United States. The U.S. Department of State’s Rewards for Justice program is offering $10 million to locate the GRU hacker, who remains at large. Read here.

9. Microsoft links Scattered Spider hackers to Qilin ransomware attacks – BleepingComputer

According to Microsoft, the cybercrime group Scattered Spider has added RansomHub and Qilin ransomware to its arsenal and has begun utilizing them in its attacks. Scattered Spider was identified in early 2022 and is also known as Octo Tempest, UNC3944, and 0ktapus. RansomHub ransomware was first observed in February of 2024 and is believed to be a rebrand of the ransomware strain “Knight.” Qilin ransomware, meanwhile, first emerged in August of 2022 and was initially referred to as “Agenda.” Read more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.