Author: DarkOwl Content Team

Jennifer Ewbank Joins DarkOwl Board of Directors

August 19, 2024

DarkOwl, the leading provider of darknet data and intelligence, announced today that Jennifer Ewbank, former Deputy Director of the CIA for Digital Innovation and founder of Andaman Strategic Advisors, has joined the DarkOwl Board of Directors.

Ewbank brings decades of experience spanning technological innovation, operating expertise, geopolitical risk management, strategic global engagements and public-private partnerships.  As Deputy Director of the CIA for Digital Innovation, Ewbank guided what was a start-up inside the organization to a fully operational global team. Ewbank also led her global workforce in developing a competitive digital strategy, realigning projects to mission partners’ top priorities, and promoting integrated technical development across organizational boundaries. She also named the CIA’s first Director for AI and sponsored an ambitious AI strategy to achieve competitive advantage over global adversaries.

“We are thrilled to have Jennifer join our Board.  She brings directly applicable experience to DarkOwl at a time when our business is growing significantly in serving clients around the world” said Mark Turnage, CEO of DarkOwl. “Her experience leading technology innovation is incredibly valuable at a time when the entire industry is being transformed, and our adversaries are becoming more sophisticated.”

“As the leading provider of darknet data and intelligence to cybersecurity companies and governments globally, I am delighted to join DarkOwl’s Board. Never has the mission of monitoring the darknet for emerging threats been more critical than today, and I am excited to support DarkOwl’s management team in furthering this important mission,” said Ewbank.

About DarkOwl
DarkOwl is the industry’s leading provider of darknet data and intelligence. We offer the world’s largest commercially available database of information actively collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. For more information, contact DarkOwl at www.darkowl.com

The Dark Side of AI

August 14, 2024

The speed and scale at which large language models (LLMs) have captured the attention of investors, the public, and tech startups cannot be overstated. This technology will undoubtedly revolutionize not only our personal interactions with technology but also business, analysis, medicine, and nearly every industry in some capacity. However, there is a dark side to this revolutionary technology. As the founder of Linux, Linus Torvalds, often stated, “With great power comes great responsibility.”

Bad actors have already begun leveraging these LLMs for nefarious purposes, and cybersecurity professionals have been highlighting proof-of-concepts to warn of various ways these models can be exploited. This blog will point out some of the early examples and known vulnerabilities of these LLMs and speculate on where they could lead us in the not-so-distant future.

Prompt Injection – Exploitation of LLMs for nefarious purposes has manifested in various forms. One prevalent method is prompt injection, which ranges from straightforward to sophisticated techniques. At its basic level, malicious users attempt to bypass security filters by presenting prompts in a manner that deceives the LLM into providing unintended responses. For instance, they might present multiple prompts where one is benign and the other malicious, hoping the model responds to the malicious one. This creates a continual challenge for developers and security experts who must constantly adapt to new tactics. On the more advanced end of prompt injection, techniques like encoding malicious questions in base64 can evade security measures by using encoded prompts to evade detection of harmful content. Developers are made aware of these types of obfuscations and appear quick to mitigate them in later releases.

JailbreakingJailbreaking GPT models and prompt injection share significant similarities. When bad actors successfully devise a sophisticated set of prompts that circumvent multiple security measures, such as crafting prompts to generate malware, and the LLM consistently responds, it qualifies as a “jailbroken LLM.” In this compromised state, the model retains these malicious prompts, enabling users to interact with it normally while evading security filters. These jailbroken models are actively traded on the dark web for various illicit purposes.

One notorious example is FraudGPT, prominently featured on the dark web. It purports to execute a wide range of malicious activities, including generating phishing emails, creating keyloggers, producing malware in multiple programming languages, obfuscating malware to evade detection, scanning websites for vulnerabilities, crafting phishing pages, and more. The below image was extracted from a dark web site selling subscriptions of their version of a jailbroken LLM. If you want to learn more about Jailbreak GPTs you should check our a previously written DarkOwl blog that dives deeper into these GPTs.

Training Data Poisoning – Emerging as a significant concern for cybersecurity professionals and LLM engineers, in this method, threat actors and black hat hackers introduce malicious data during the model training process. This tainted training data becomes embedded in the model’s algorithms, eliminating the need for prompt injection. Consequently, malicious or unsafe responses are ingrained in the model’s core functionalities. Depending on the nature of the maliciously infused data, this could potentially enable outputs ranging from the generation of malware to the production of deepfakes and dissemination of misinformation directly from the model’s core algorithm.

Leakage – Leakage refers to various methods that enable LLMs to return sensitive data inadvertently captured during training, which was not intended for redistribution to users. This includes access tokens, personally identifiable information, cookies, and other data types assimilated during the model’s training phase. Such leaks can happen through prompt injection or more advanced techniques. Below is an example posted on X of a user whose cell phone number was captured and used in the output of an OpenAI ChatGPT response. As these models get access to more and more user data, you can imagine the impact of these leakages becoming even more concerning.

AI Agents – This represents a slightly more sophisticated form of exploitation compared to our previous examples. With the rise of AI integration in programming and its accessibility via APIs, there is a burgeoning interest in “AI Agents.” These agents operate autonomously and sometimes possess special privileges on the host computer. For instance, a program could scan files, read data, copy logs, inspect system defenses like Windows Defender, and relay this information to an LLM. Each “agent” is tasked with retrieving specific information—such as scanning logs for leaked passwords or identifying vulnerabilities in a WordPress instance running on a server—using the LLM model. Finally, another agent might execute commands on the host computer based on the information gathered. These agents perform autonomous actions, resembling a sophisticated virus operating intelligently within your environment.

As we explore the realm of Large Language Models, their rapid advancement offers promising potential across diverse industries—from streamlining business processes to advancing medical diagnostics. However, alongside these opportunities, there are significant challenges. Malicious actors exploit vulnerabilities such as prompt injection and training data poisoning, utilizing these powerful tools for cyber threats and manipulation. It’s crucial to remain vigilant and aware of potential misuse of these tools and mitigate the risk—from potential data breaches to orchestrated misinformation or even AI agent malware.


QR Code Fraud

August 07, 2024

As hands-free, low/no-contact trends exploded in popularity during the pandemic, QR code technology became more prevalent. So, too, do the ways to take advantage of the technology and turn a QR code into a phishing operation, or worse. QR codes are appearing in public places such as parking areas, restaurants, and hospitals. Their convenience is a no-touch way to pay for or order a service. However, the accessibility of QR codes extends not just to patrons looking for a simple, germ-free way to get things done. Unfortunately, malicious actors are taking advantage of QR codes in public places, as well as sending them via phishing campaigns via email and SMS messages.

At the end of 2023, the Federal Trade Commission published a warning about an uptick and tactics used by scammers and fraudsters to disseminate QR codes that stole personally identifiable information (PII) or directed unsuspecting victims to fraudulent websites that would do so. QR codes can also install malware onto personal devices, such as laptops and mobile phones. The dark web and its adjacent platforms, such as Telegram, offer tutorials and services to empower cyber criminals to steal not only information but in some cases, finances of victims, using QR codes:

Figures 1 and 2: On an onion forum, malicious actors discuss QR code fraud sales and cashing out on them using cryptocurrency, as well as possibly accessing Discord; Source: DarkOwl Vision

The easiest method to spread QR code fraud is simply placing a sticker over a QR code located in an open, public place. Criminals can do this outside of the range of security cameras in many instances. These cover-up QR codes can send victims to fraudulent websites.

Alternatively, if QR codes are sent via email, embedding them as an image in the email does not trigger security or scanning software, so the malicious link of the embedded QR code will function and lure victims to the malicious website. This tactic is called “Quishing” – a portmanteau of QR code and phishing.

Both of the above scenarios rely on people using personal devices as they travel out and about, running errands. Personal devices often see lower security protections as opposed to a corporate or employee-sponsored device. Criminals also take advantage of the fact that people are often in a hurry when conducting errands or going to a leisure event, so they don’t take the time to inspect URLs, ensuring no typos or suspicious looking links. To maximize their financial gain, online tutorials offer QR code fraud guides of all types:

Figure 3: A Telegram user advertises for all kinds of malicious services, including QR code fraud; Source: DarkOwl Vision

Since QR code fraud is similar to phishing operations, the same protective measures apply:

  • Always investigate URLs closely, and ensure there aren’t typos, or a possible misdirection located in the code, or the URL provided with the code.
    • This includes ensuring the URL provided uses a secure HTTPS protocol, and not just HTTP.
  • Do not click on or scan QR codes from strangers, only open QR codes from trusted sources.
  • Don’t download any files from a QR code or permit auto-downloads from any websites related to QR code use.
  • Ask employees in places where QR codes are located publicly to verify the website the code takes you to, so that no fraud or information stealing occurs.

Questions for our analyst team of darknet experts? Contact us.

Darknet Marketplace Snapshot Series: Ares Market

August 06, 2024

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Ares market.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.


Dark web marketplaces are synonymous with the dark web where users can buy and sell illicit goods. It began with Farm Market, followed by the more prolific Silk Road. Ever since Silk Road was taken down by law enforcement, different markets have jostled for supremacy. As such, dark web markets are perhaps one of the more recognized things to appear on the dark web and they operate just like surface web marketplaces with reviews, escrow services and reputations.  

However, in recent years law enforcement have become more and more successful at shutting down these marketplaces, meaning that the vendors have to move to new areas. There have also been a number of exit scams from marketplaces with the admins closing down the site and taking the funds in escrow. 

DarkOwl analysts will write a series of blogs reviewing the most popular marketplaces of today after recent seizures of once popular markets like Kingdom, Incognito, and Bohemia Marketplaces. We will explore the various sorts of products regularly sold and well as how much the prices of products can vary within or between product categories.  

Ares Market

The first market we will explore is Ares Marketplace. Originally established in 2021, it is a well-known marketplace that offers a variety of products, from illicit substances and pharmaceutical substances to digital fraud products ranging from credit card fraud, cryptocurrency fraud, malware source code as well as a robust variety of counterfeit products like currency and IDs. Below is a screenshot of the homepage, which is what one would see after a successful log in:

Figures 1 and 2: Ares Market Home Page 

Cocaine and ketamine seem to be the most popular drug products boasting over 1600 listings. Pricing varies considerably listing by listing and vendor by vendor. It’s a challenge to determine which vendors might be legitimate or which vendors could be scammers. Although vendors work on the principle of reputation, and purchasers will quickly leave reviews if they think something is a scam. DarkOwl analysts regularly see ketamine sold by the gram on Ares Market with prices varying drastically: 26 USD for 1 gram all the way to 482 USD for 25 grams: 

Figure 3: Ketamine for sale on Ares Market 

As stated above, reputation is very important for dark web market vendors. The vendors will have profiles on the markets which provide details of how long they have been on the site, how many successful sales they have had and details of the reviews they have received. The below screenshot shows a product listing from a vendor who seemingly has a high reputation, has been a member since 2021, and allegedly has successfully completed 216 sales:  

Figure 4: Profile of Ketamine seller on Ares Market 

Credit card fraud, aka carding, is also a popular product category on Ares with well over 500 listings. Again, prices range dramatically as well as the types of products offered.  

 While Visa, Mastercard, and Amex tend to be the most popular credit card company targets on this site, it is also common to see Credit Unions (CUs) because threat actors consider CUs to be easy targets with the assumption that they don’t always have the same budget to combat fraud. The below screenshot is a good example of a well-known carding threat actor, johnnywalker1, selling bank accounts with active balances from Robins Credit Union, which is a Georgia based credit union. The user is selling these accounts for roughly 136 USD and allegedly will gain full access to an account with an active balance ranging from 3 – 5,000 USD in addition to relevant personal identifiable information (PII) to access the account online: credentials, SSN, DOB, address, etc.  

Figure 5: Credit Union Credit cards for sale 

 Johnnywalker also regularly sells accounts and cards affiliated with larger banking/credit card companies like Amex. This user is allegedly selling one American Express account for roughly 13.50 USD, which is significantly cheaper than the above example of the credit union:  

Figure 6: American Express Credit Card for sale 

The seller does not make clear how they are obtaining these cards, but threat actors are known to clone cards, or access banking information from stole credentials, particularly through Stealer Logs.  

Counterfeiting is also a popular section on Ares Market. The two most popular product categories are counterfeit currency follower by counterfeit IDs.  

 The below examples are from the currency category. The user, CounterKing, seems to have a verified reputation of 5 stars, level 9, and over 120 sales since they first registered in March 2023.  

CounterKing is selling 20,000 Euros of counterfeit currency for roughly 2,284 USD. The post goes into excruciating detail of the product description as well as their Terms & Conditions. Counterfeit cash products are expensive, and it is common to see a price range anywhere from 300 USD to above 3,000 USD.  

  Figure 7: Counterfeit Cash for Sale 

Marketplaces are operated by admins, who ensure that the market is used in the way that they want and that the rules are followed. Some admins will also manage escrow services and a responsible for banning members who do not follow the rules. The admins of Ares Market are do a decent job of quality control on these listings because they are all related to credit card fraud. It is not uncommon to see less quality control and random products listed under the wrong categories on other marketplaces that are less reputable.  


Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Snapshot.


  1. Select Ares Market from the lexicon 
  1. Then add in the vendor/username you are interested in monitoring, for this example I chose “counterking,” which returned 354 results related to this user 
  1. Next let’s create a monitor on future posts from this actor:  
  1. Simply go over and click the star highlighted in blue on the right-hand side of the search bar.  
  1. Followed by entering in the information to save your alert, choose your alert frequency and alert criticality and then clicking the box to receive email notifications and finally hitting the save button.  
  Figure 8: Ares Alert in DarkOwl Vision

Threat Intelligence RoundUp: July

August 01, 2024

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. AT&T Confirms Data Breach Affecting Nearly All Wireless Customers – The Hacker News

On July 12th, AT&T confirmed that it had suffered a data breach affecting “nearly all” of its wireless customers between April 14th and April 25th, 2024. The leaked files contain records of customers’ calls and texts which occurred on January 2nd, 2023, and between approximately May 1st and October 31st of 2022. The leak also included customers of mobile virtual network operators (MVNOs). The data was stolen from the company’s workspace and on a cloud platform. This data does not appear to have been made publicly available at this time. Full article here.

2. GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel – The Hacker News

Military personnel in the Middle East have been targeted by GuardZoo malware, an Android data-gathering tool. Over 450 victims across Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen have been impacted by the surveillanceware operation, with the majority of victims located in Yemen. GuardZoo is a modification of Dendroid RAT malware which targets Android OS and was first discovered in 2014. Read more.

3. 4 FIN9-linked Vietnamese Hackers Indicted in $71M U.S. Cybercrime Spree – The Hacker News

Four Vietnamese Fin9 actors were indicted for cybercrime activity between May 2018 and October 2021. They conducted phishing campaigns, social engineering and supply chain attacks that resulted in data theft. In some instances, FIN9 used personally identifiable information (PII) to create fake accounts “tied” to victims from the first stage of their operations, conducting cybercrime from assumed identities.. Article here.

4. US disrupts AI-powered bot farm pushing Russian propaganda on X – BleepingComputer

On July 9th, the U.S. Department of Justice announced the disruption of a Russian, AI-powered information operation devised to spread Russian propaganda in the United States and abroad. The DOJ operation involved the seizure of two domains used to issue emails for the bot accounts, as well as the search of nearly 1,000 social media bot accounts which were subsequently suspended on X (formerly Twitter). According to the DOJ press release, the bot farm was developed by the deputy editor-in-chief of RT (formerly Russia Today), the state-controlled news organization. Court documents also reveal the use of artificial intelligence to enhance the Russian bot farm, reflecting the increasingly normalized use of AI in disinformation operations. Read article.

5. Fake CrowdStrike fixes target companies with malware, data wipers – BleepingComputer

On July 19, the cybersecurity company CrowdStrike distributed a faulty software update to its customers; the update affected devices running Windows, and an estimated 8.5 million computers worldwide were disabled. The incident—which grounded thousands of flights and affected a variety of industries, including the healthcare sector—is believed to be one of the worst cyber incidents of all time. Threat actors quickly took advantage of the worldwide disruptions by impersonating CrowdStrike in phishing emails to distribute malware. Full article here.

6. LockBit lied: Stolen data is from a bank, not US Federal Reserve – BleepingComputer

At the end of June 2024, LockBit ransomware group claimed they hacked the US Federal Reserve. However, further analysis of the data, which LockBit published on their website, proved that in reality, LockBit hacked Evolve Bank and Trust, an entity not at all tied to the US Federal Reserve. When approached, Evolve Bank and Trust admitted they were investigating a cybersecurity incident, but provided no additional details or confirmation. Full article.

7. Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware – The Hacker News

Ukraine’s Computer Emergency Response Team (CERT-UA) revealed that a Ukrainian research institution has been targeted by HATVIBE and CHERRYSPY malware distributed in a spear-phishing campaign. CERT-UA has attributed the attack to UAC-0063, which it previously identified as targeting state bodies in Ukraine. CERT-UA shared that it is aware of multiple cases of HATVIBE infections. According to previous research, the threat actor UAC-0063 has been linked with moderate confidence to APT28, the Russian GRU-backed threat actor. Read more.

8. U.S. indicts Russian GRU hacker, offers $10 million reward – BleepingComputer

The U.S. indicted 22-year-old Russian national Amin Timovich Stigal for allegedly assisting Russia’s military intelligence service’s “WhisperGate” cyberattack by distributing malware to Ukrainian government computer networks a month prior to the invasion of Ukraine. Stigal targeted non-military systems and attempted to sow doubt in the Ukrainian government by publishing citizen data. According to the federal indictment, Stigal also targeted countries that supported Ukraine, including the United States. The U.S. Department of State’s Rewards for Justice program is offering $10 million to locate the GRU hacker, who remains at large. Read here.

According to Microsoft, the cybercrime group Scattered Spider has added RansomHub and Qilin ransomware to its arsenal and has begun utilizing them in its attacks. Scattered Spider was identified in early 2022 and is also known as Octo Tempest, UNC3944, and 0ktapus. RansomHub ransomware was first observed in February of 2024 and is believed to be a rebrand of the ransomware strain “Knight.” Qilin ransomware, meanwhile, first emerged in August of 2022 and was initially referred to as “Agenda.” Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl and Maltego Partner To Enhance Cyber Investigations with Darknet Intelligence

July 31, 2024

Seamlessly access and visualize dark web intelligence to stay ahead of emerging threats and safeguard your digital landscape.

DarkOwl, the leading provider of darknet data and intelligence, and Maltego, a leading all-in-one intelligence platform for complex cyber investigations, are excited to announce their partnership to bring access and visualization of dark web intelligence to Maltego customers worldwide.

This strategic partnership brings together DarkOwl’s unparalleled expertise in darknet data intelligence with Maltego’s robust and powerful data visualization and analysis tools. By integrating DarkOwl’s comprehensive darknet database with Maltego’s user-friendly interface, users will now have the ability to delve deeper into the darknet. This integration empowers them to uncover critical insights, identify emerging threats, and conduct comprehensive investigations with a level of efficiency and accuracy previously unattainable. This collaboration ensures that security analysts and investigators can seamlessly correlate and visualize data, enhancing their ability to track illicit activities, identify threat actors, and uncover hidden connections, ultimately leading to more effective and proactive cybersecurity measures.

“We are thrilled to announce the integration of DarkOwl into Maltego, providing our joint clients and Maltego Data Pass customers with seamless and visual access to DarkOwl’s comprehensive darknet data,” shares Rebecca Köhler, Head of Data Hub at Maltego, “This partnership allows investigators to combine DarkOwl’s valuable insights with other Threat Intelligence and OSINT sources, enhancing their ability to uncover and analyze critical information with greater efficiency and depth.”

Mark Turnage, CEO and Co-founder of DarkOwl shares the same sentiment, “Partnering with Maltego to provide our darknet data to their user community is an exciting step forward in making sure all investigators and analysts have access to darknet data. Because the darknet serves as a sanctuary for illicit activities, insight into its activities is essential for a comprehensive view of cyber risk, digital footprints, and robust cyber investigations. This integration will empower security analysts with unparalleled visibility into the darknet, and Maltego provides the tools to easily visualize and analyze that data.”

About Maltego
Maltego empowers investigators to speed up and increase the precision of their investigations through easy data integration in a single interface, aided by powerful visualization and collaborative capabilities to quickly zero in on relevant information.

Since its development in 2008, Maltego has empowered millions of investigations worldwide. Maltego is used by a broad audience, from security professionals and pen testers to forensic investigators, investigative journalists, and market researchers. Headquartered in Munich, Germany, Maltego has grown to over 150 employees worldwide and works with customers including the Federal Bureau of Investigations, INTERPOL, and major tech and service companies including half of the DOW 30. For more information, visit: www.maltego.com

About DarkOwl
DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

Identifying the Vulnerabilities in Your Closest Circles

July 23, 2024

While the concept of humans being the weakest link in cybersecurity is undeniable, it is not always YOU or your employees that are that weakest link. Often, it’s your family or your employees’ families. The mother-in-law who uses your personal or work email to sign you up for a special deal. The grandfather who passes along your contact information to help you reconnect with an old school pal. The significant other who overshares on social media. The friend who wants to help you land a great job. Or worst of all, the child who likes to play video games and watches YouTube. 

It’s no secret that children and the elderly are often targeted in cyberattacks, primarily due to their lack of awareness and education in cybersecurity safety. One alarming trend in 2024 is the exploitation of popular platforms like YouTube to deceive and steal from unsuspecting users. 

While the videos themselves may appear harmless, the real danger lies in the links embedded in descriptions or comments, which can lead to malware downloads or phishing attempts. YouTube has emerged as a hotspot for malicious software such as Vidar, Lumma Stealer, Redline, and Racoon. For more information on StealerLogs and the dangers they pose to your system, as well as how they function, check out our previous blog posts, here and here.

A notable investigation conducted by ProofPoint in April 2024 uncovered multiple compromised YouTube channels. These channels, although appearing legitimate, were used as conduits for distributing malware or collecting sensitive information from viewers. 

So, how are these threats specifically targeting children and youth? Cybercriminals often exploit children’s trust and curiosity by embedding malware in content related to popular games or offering seemingly enticing freebies like game upgrades or cracks. Children, eager for new games and unaware of online risks, are more likely to fall victim to these deceptive tactics. 

Even if your child’s device does not store personal information directly, it still poses a significant risk if connected to the same network as other devices that do. Malware infiltrated through one device can potentially compromise the entire network, putting all connected devices— including those containing payment information or personal identifying information (PII)— at risk. 

Not only can your children compromise your personal network, but they can also inadvertently jeopardize your business or the business you work for. If young children who don’t have their own devices play on your phone and accidentally compromise it or your home network, the consequences can extend to your workplace. Bringing compromised devices to work or accessing corporate networks remotely could unwittingly upload malicious files, endangering sensitive corporate data or infrastructure. 

Parents and professionals alike must remain vigilant and educate themselves and their children about cybersecurity best practices. Establishing safe browsing habits, monitoring online activities, blocking click-through links, and restricting unsupervised access to platforms like YouTube can significantly mitigate these risks. 

So, remember, the next time you’re out to dinner in that crowded restaurant with a fussy child, YOU can easily become the weakest link in cybersecurity by queuing up that favorite YouTube video and handing your phone over to your child just to entertain them. Your kid’s entertainment could also be the entertainment of threat actor.


Q2 2024: Product Updates and Highlights

July 18, 2024

Read on for highlights from DarkOwl’s Product Team for Q2, including new exciting product features.

User Activity + User Profile

The team launched a new User Settings section, which includes user profile management and an Activity page. The Activity page will display information about a user’s individual work in Vision UI, which for now includes Searches, Saved Searches, and Search Blocks. 

Figure 1: Example of User Activity Screen

The DarkOwl Lexicon continues to grow and this quarter, it more than doubled the number entries. In addition to Forums, Markets, and Ransomware Sites, we added two new sections: Chans and Paste Sites. DarkOwl Vision’s Lexicon is an easy-to-use tool intended to help you find interesting content from hacking forums, marketplaces, and other darknet sites. You can make suggestions for sites you’d like us to add here

  • The team added several new actors into the Actor Explore dataset, taking the number of actors in our dataset to 315. Some of the new actor profiles include USDoD, Dmitry Yuryevich KHOROSHEV, and IntelBroker. Entries such as ShinyHunters and Scattered Spider have been updated based on these actors’ recent activity. 
  • We enabled search by CVE or Industry on the main landing page and made it easy to copy contact or entity information from an actor dossier. Enabling search by CVE or industry makes it easier to find and compare actors of interest.
Figure 2: Selecting an item from the Industries screen
  • We launched the first set of our in-app Onboarding Guides in our Vision UI assistant! These self-paced tours are great for new users of the platform, or for those who need a refresher and review of new features. 
  • Analyst-friendly Search Result features: We’ve added additional pivoting from search result metadata, as well as a “copy defanged URL” option to quickly add sanitized URLs to reports.  
  • Our Feed system has been updated to make all of the forum features – and other newer fields – available in our feeds.

Highlights

This quarter was another one of growth in data collection. The team had 32% growth quarter over quarter in ZeroNet documents, 17% growth in records from Telegram and nearly 300 Telegram channels, and 5% growth in paste documents, just to highlight a few. 

When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Context product feature.

Shell

Data purported to be from Shell was posted on BreachForums, a hacking forum, on May 28, 2024. According to the post, this breach affected the following countries: Australia, Canada, France, India, Malaysia, Netherlands, Philippines, Singapore and United Kingdom. Data exposed includes customer shopper code, full names, mobile numbers, email addresses, physical addresses and payment site details. Analyst Note: According to the original post, the leak contains 80 thousand rows of data and occurred in May 2024. 

The Post Millennial

Data purported to be from The Post Millennial was posted on Internet Archive, a digital library, on May 3, 2024. According to the post, the leak contains copies of the users.json and editors.json files from thepostmillennial.com. The page title is indicative of the files originally being released by “Angelina Ngo.” Data exposed includes names, usernames, passwords, email addresses, password hints, phone numbers, genders, and physical addresses. Analyst Note: Research in DarkOwl Vision indicates the leak was reposted on BreachForums. According to that post, the website was hacked by an individual claiming to be “Angelina (Andy) Ngo” and the leak includes a mailing list containing over 39 thousand rows of user data. A copy of the defacement message is included, which indicates the motive of the attack against the conservative publication is in support of the LGBTQ community. 

Okta

Data purported to be from Okta was posted on BreachForums, a hacking forum, on March 9, 2024. According to the post, the breach occurred in September 2023, and exposed data on 3.8 thousand customer support users. Data exposed includes user ID numbers, usernames, full names, company names, physical addresses, phone numbers, mobile numbers, email addresses. Analyst Note: According to the original post, the threat actor Ddarknotevil shared the breach on behalf of IntelBroker (Cyber Niggers). Analyst Note 2: A high level review of the data indicates that account details such as account status, last login, notes, and role groups were also leaked. 


Curious how these features can make your job easier? Get in touch!

😈 The Dark Side of Emojis: ☠️ Exploring Emoji Use in Illicit and Underground Activities 😈 

July 17, 2024

Did you know that there are 3,664 emojis available in the United States alone? Emojis, the small digital icons used to express emotions, ideas, or objects, continue to be an integral part of modern digital communication. And while their innocuous appearance is often benign, there continues to be a growing body of evidence that bellies a darker side. A darker side that supports illicit and underground activities. Criminals continue to exploit emojis to communicate covertly, conducting illegal transactions and targeting innocent victims all while evading law enforcement and text-based detection systems.  

To celebrate World Emoji Day, this blog highlights some of the emojis used in illicit and underground activities. We will dive into how emojis are evading law enforcement and text-based detection systems. This is by no means an exhaustive list of contributing factors but merely an analysis of common overlapping gaps. 

Most traditional detection methods rely heavily on textual analysis which often fails to account for accurately interpreting the context and meaning of emojis in various communication channels. Emojis are graphical symbols and therefore can be bypassed by filters and detection. Technology may be able to flag emoji use but ultimately requires an analyst to infer the meaning. 

Emojis have multiple meanings beyond what was intended, or how they are labelled, and their use can be very subjective. This ambiguity makes it difficult for law enforcement professionals and detection systems to discern whether an emoji is being used as intended or with malicious meaning. 

Text Combination 

Emojis can often be used in combination with text to create coded messages. The combination makes it difficult for law enforcement professionals and detection systems to infer meaning, contributing to a critical gap between detection and prevention.  

Evolution, Adaptation, and Variations 

Emojis are constantly being evolved and adapted to stay ahead of law enforcement and detection systems. As law enforcement and detection strategies are being developed, illicit emoji users are capitalizing on the gap by adapting and creating new variations. 

Drug Trafficking Emojis 🍁

Emojis play a significant role in drug trafficking. They enable buyers and sellers to communicate discreetly and covertly across the surface, deep and dark web. Common drug emojis include symbols like the pill 💊, maple leaf, 🍁 and crystal ball 🔮 emojis to represent various types of drugs.  

A standardized contextual meaning for each emoji allows dealers to display messages accurately, regardless of the reader’s device or operating system. The strategic use of emojis to communicate detailed information allows dealers to often sell drugs in plain sight. These symbols contribute to quick and obfuscated exchanges of information, such as pricing, quantities, and meeting locations.  

Emoji use to sell drugs is so problematic in the United States that the United States Drug Enforcement Administration (DEA) produced and released an “Emoji Drug Code.” These same drug-inferred emojis are still seen in dark web markets, forums, and chat platforms specializing in the illicit sale of narcotics today. 

Figure 1: DEA Emoji Drug Code Cheat Sheet 
Figure 2: Drug Sale Using Emojis 

Human traffickers have also adapted to using emojis to facilitate illicit activities. Emojis such as the high heels, 👠 and crown 👑 are often used as advertisements for sex trafficking primarily on social media and online marketplaces. Emoji symbols like the rose 🌹 emoji is often commonly used to indicate availability and seen accompanied with other emojis. Access to the worldwide internet provides traffickers with high-speed communication over large distances thereby eliminating traditional geographical barriers. This means that traffickers no longer always need to physically meet with trafficking victims. Traffickers are also able to use emojis to communicate internally, and coordinate logistics like transportation, routes, and meeting points. Unfortunately, emoji use by traffickers continues to complicate law enforcement and non-profit efforts to combat human trafficking.

Cybercrime Emojis 💻

Cybercriminals also use emojis to obfuscate messages and avoid detection by cybersecurity professionals and technology. Phishing emails, ransomware communications, and many other malicious tactics often incorporate emojis to bypass text-based detection. One such example is the DISGOMOJI malware that uses emojis like to execute local commands and communicate with a command and control (C2).

Figure 3: DISGOMOJI Emoji Cheat Sheet 

Forums and chatrooms often use emojis to shorthand discussions. Common emojis include, but are not limited to, the alien 👾, robot 🤖, tech worker 🧑‍💻, spy🕵️‍♂️, world🌐, laptop 💻, monitor 🖥️, and 🔓. 

Romance Scam Emojis 💋

Emojis play a critical role in maintaining the illusion of a romantic relationship. Romance scammers strategically use emojis to help reinforce emotional connections with victims. The use of romantic and loving emojis helps scammers to create a sense of intimacy and trust with victims. Using hearts 💕, kisses 💋, and other affectionate symbols 😘 makes victims more susceptible to manipulation. Pig butchering and extortion is a darker side of these scams where victims suffer beyond just petty financial loss including emotional distress, mental health breakdown, and even suicide. 

Emojis are used by scammers to maintain a consistent and engaging communication style across various platforms without having to account for a significant language curve. Whether interacting on dating applications, social media, or a messaging service, the use of emojis helps scammers to appear more authentic and relatable to victims. The cross-platform consistency enhances the scammer’s ability to manipulate and deceive, ultimately increasing the success rate of fraudulent schemes. 

Fortunately, there don’t appear to be any adaptations, variances, or hidden messages behind the use of romance emojis in romance scams. 

Financial Fraud Emojis 💸

Financial fraudsters use emojis to disguise communications regarding fraudulent activities, including laundering and debit/credit card fraud. Emojis like the credit card 💳, money 💸, and package 📦 to emphasis the illicit business model. Emojis help fraudsters obscure content and messages to perspective clients. It’s often easy for fraudsters to manage multiple shop fronts on different platforms since emoji encoding is standardized. Emojis allow fraudsters to reach a bigger audience without having to develop unique or customized content for each platform.  

Figures 4,5, and 6: Fraudster Posts Containing Emojis; Source: DarkOwl Vision

After writing about the bad, it’s also good to point out the positive use of emojis beyond illicit and underground use to rebalance. Emojis are a powerful tool seen being used to bridge linguistic barriers, particularly in non-verbal, multicultural families and migrant communities. Since the small digital icons convey emotions, ideas, and everyday activities in a visual representation, emojis-based conversations often transcend spoken or written words. For families with non-verbal speakers or members who speak different languages, emojis provide a universal means of communication that can simplify interactions and enhance understanding. A simple smiley face 😄 often expresses happiness where a thumbs-up 👍 can signify approval or agreement, regardless of the language barrier. 

Emojis are commonly seen significantly enhancing communication capabilities for non-verbal individuals, and friends and family of non-verbal individuals, by offering a visual language that effectively conveys emotions, needs, and responses without the need to speak or type. Expressing feelings such as happiness 😃, sadness ☹️, or confusion 😕 can be extremely challenging or impossible for non-verbal people. But emojis like the smiling face 😊, crying face 😢, or thinking face 🤔 provides a clear and immediate way for non-verbal people to process and communicate emotions. 

For multicultural families, where parents and children are fluent in different or often time multiple languages, emojis offer a way for family members to connect and share experiences without the need for extensive verbal explanations. Family members can use the heart emoji ❤️ to express love or the pizza emoji 🍕 to convey a dinner option regardless of a language proficiency. The visual shorthand helps bridge gaps and foster closer family relationships. 

Language barriers often create social angst amongst migrant families as they integrate into new communities or navigate migrate-unique situations. Emojis often ease this transition by providing a simple and effective way to communicate basic needs and emotions. The visual cues emojis provide can help overcome language limitations and facilitate smoother interactions in various social and professional settings. 

The ambiguity and contextual use of emojis presents significant challenges for law enforcement and cybersecurity professionals in the fight against illicit and malicious criminals. The ability to discern benign from malicious is a critical task. Resources list Smart Social does a good job at keeping an updated list of Emojis in circulation today but understanding and discerning general use from illicit is a significant intelligence gap. Articles, blogs, and white papers that dig into the illicit and malicious use of emojis provides just enough to emphasize the need for deeper understanding, but more times than not contributes to the emoji enigma staking law enforcement and professionals from the shadows. There is a present need to understand the hieroglyphs phenomenon of today so that law enforcement, researchers, and detection systems can identify and, hopefully, prevent digital users from becoming yet another victim. 


Actor Spotlight: ShinyHunters

July 11, 2024

DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.

For fans of Pokémon, the name ShinyHunters refers to a practice of seeking out, capturing and collecting shiny Pokémon. However, on the dark web the term has a much more nefarious meaning.  

ShinyHunters is a cybercriminal group known for their high-profile data breaches and relentless pursuit of sensitive information, and has carved out a reputation as one of the most prolific and dangerous actors in the cybercrime arena.  

In this blog, we will take a deeper dive into their activities and their association with the dark web forum BreachForums.  

Although it is unclear exactly who is a part of ShinyHunters, although at least one member was sentenced to three years in prison by a US court, they are assessed to be an international cyber threat group who first emerged in 2020 and quickly became associated with large-scale data breaches targeting both small and large organizations.  

They are known to infiltrate company databases, exfiltrating sensitive information, and then selling this data on underground forums or using it for extortion purposes. They are not shy about sharing this information on dark web sites created to share exfiltrated data.  

The group were known to be active on the site RaidForums, which was succeeded by BreachForums, selling data they had stolen from companies for a profit. 

Figure 1: ShinyHunters RaidForums Profile

ShinyHunters utilize advanced hacking techniques to gain unauthorized access to company systems. They often exploit vulnerabilities in web applications, engage in credential stuffing attacks, and use phishing campaigns to steal login credentials. 

The groups primary focus is on stealing large datasets, which often include personally identifiable information (PII) such as names, email addresses, phone numbers, and passwords. In some cases, they have also accessed financial information and proprietary corporate data. After obtaining data, ShinyHunters typically monetize their efforts by selling the information on dark web marketplaces and underground forums. They have also been known to attempt to extort companies by threatening to release the stolen data unless a ransom is paid. 

It has been reported that ShinyHunters adopt a range of techniques as part of their hacking efforts including reviewing company Github repositories, exploiting unsecured cloud buckets (online storage spaces) targeting developer repositories accessing credentials and API keys as well as phishing campaigns.

ShinyHunters have also been observed collaborating with other cybercriminal groups. This trend of collaboration has enabled them to expand their reach and increase the sophistication of their attacks. Joint operations have led to more coordinated and devastating breaches, affecting a wider range of sectors and organizations. 

ShinyHunters’ initial wave of attacks in 2020 was characterized by a series of high-profile breaches. They claimed responsibility for infiltrating multiple companies and leaking vast amounts of user data. Some of their most notorious breaches include: 

Tokopedia

In May 2020, ShinyHunters allegedly breached the Indonesian e-commerce giant, Tokopedia, stealing data of over 91 million users. This breach included sensitive information such as usernames, emails, and hashed passwords. 

Microsoft

The group also claimed to have accessed private GitHub repositories belonging to Microsoft, exposing portions of the tech giant’s source code. Although Microsoft quickly responded, the incident highlighted the group’s capability to target even the most secure organizations. 

BigBasket

In October 2020, ShinyHunters reportedly breached the Indian online grocery delivery service, BigBasket, leaking data of over 20 million users. The stolen data was later found being sold on the dark web. 

AT&T

In August 2022, the group claimed to have successfully breached AT&T obtaining more than 70 million records. They sold this information for $200,000. The data was then leaked on Breach Forums in early 2024 for free.  

Pizza Hut Australia

In September 2023 they claimed to have 30 million customer order records from Pizza Hut Australia as well as customer data.  

ShinyHunters have not slowed down since their initial wave of attacks. In 2023 and 2024, their activities have continued to evolve, showcasing their adaptability and persistence in the cyber threat landscape.  

ShinyHunters have maintained their focus on the retail and e-commerce sectors. In late 2023, they targeted several online retail platforms, stealing customer data and payment information. This not only led to financial losses for the companies involved but also compromised the security of millions of users. 

Furthermore, recognizing the value of healthcare data, ShinyHunters have shifted some of their focus to this sector. In early 2024, they breached a major healthcare provider, exposing sensitive patient information, including medical records and insurance details. This breach underscored the critical need for enhanced cybersecurity measures in the healthcare industry. 

Most recently ShinyHunters have claimed to have access to LiveNation/Ticketmaster data which they made available for sale on BreachForums.  

Figure 2: ShinyHunters advertise Ticketmaster data on BreachForums 

ShinyHunters have been active participants in dark web forums, leveraging these platforms to sell the data they steal. By listing stolen datasets on these forums, they can reach a broad audience of potential buyers, maximizing their profits. The forums also provide a degree of anonymity, making it more challenging for law enforcement agencies to trace transactions back to the perpetrators. 

As well as making their data available for sale, they will often release the data at a later date for free, meaning that some of this data can be widely distributed and used by a range of threat actors to conduct further attacks.  

ShinyHunters were active on Raid Forums when they first emerged and then moved to BreachForums when it succeeded RF after law enforcement action. Since then, BreachForums has been the target of multiple law enforcement operations leading to the seizure of the site. However, each time this has occurred to date the site has re-emerged.  

Figure 3: Seizure notice for BreachForums 

After the seizure of BF in June 2023 ShinyHunters partnered with a previous administrator, Baphomet, to relaunch the site and they managed the site with Baphomet until it was seized again in May 2024.  

Figure 4: Timeline of RaidForums and BreachForums 

With the latest seizure, it was not just the forum itself that was targeted, but also Telegram channels associated with the site. It was also reported that Baphomet was arrested, but this has not been confirmed by Law Enforcement officials.  

In response ShinyHunters relaunch the site, although many in the community feared that it was a honeypot. The site continued to come under attack with ShinyHunters releasing updates on the. Issues that they were dealing with.  

Figure 5: Message from ShinyHunters to BF community 

However, soon after the return on June14th the account on Breach Forums for ShinyHunters announced their retirement stating that they were burned out by all the accusations of being a honeypot and the constant attacks. They stated that they would be handing off control of the site to a user named Anastasia.  

Figure 6: Post on BreachForums retiring as admins 

Their profile on the site is now showing as “banned” due to retirement.  

Figure 7: Current BF profile page for ShinyHunters 

It remains to be seen what this means for the group ShinyHunters and if they will remain active in stealing data and making it available for sale online. It is possible that data could be shared under another alias, or they could return. The communitys’ faith in BreachForums has also diminished with several threat actors claiming to be launching a new site which will replace BreachForums without fear of Law Enforcement involvement.  

ShinyHunters represent a significant and ongoing threat in the world of cybersecurity, as we await what their next steps will be. Their activities on BreachForums illustrate the symbiotic relationship between cyber criminal groups and the underground marketplaces that facilitate their operations. To mitigate the risks posed by ShinyHunters and similar groups, organizations must prioritize monitoring these dark web activities to ensure they are taking the necessary steps to mitigate against threats from these groups.  


Don’t miss any updates from the DarkOwl team. Follow us on LinkedIn.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.