Author: kathy hoffman

Valentine’s Day Scams

February 12, 2026

Love is in the air and unfortunately, so are scams. With Valentine’s Day on the horizon, cybercriminals are preparing to exploit unsuspecting victims through a variety of deceptive tactics. Emotional vulnerability and digital trust often make this season especially appealing to scammers.

While threat actors continue to rely on familiar scams, this holiday uniquely lends itself to romance-based schemes. As people become more open to meeting and connecting with strangers online, cybercriminals gain new opportunities to exploit unsuspecting victims. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during the season of love.

Romance scams are designed to exploit emotions before finances. In these schemes, criminals deliberately build affection and trust with their victims to gain access to money or sensitive personally identifiable information (PII). Scammers typically seek out targets on dating apps, social media platforms, and singles websites, often posing as someone they are not. Using a carefully crafted fake persona, they engage in tactics such as “love bombing,” overwhelming the victim with attention and affection to quickly create an emotional bond. Once trust is firmly established, the scammer begins to request money or financial help, frequently citing urgent or fabricated emergencies.

Romance scams and other confidence schemes account for some of the highest financial losses among Internet-facilitated crimes. Data from the FBI’s Internet Crime Complaint Center indicate that in 2023 approximately 18,000 victims reported losses totaling nearly $700 million.

How to Protect Yourself:

  • Research an individual’s profile and photos using open-source intelligence (OSINT) techniques such as reverse image search; stolen photos and recycled bios are a common tell.
  • Proceed with caution when asked to send money. Never send money to anyone you have communicated with solely online.
  • Be wary of someone who declares love very quickly, tries to isolate you, or becomes evasive when discussing meeting in person.

Like other fraudulent retail websites, fake floral sites are used by scammers to deceive consumers, particularly during holidays when demand for floral arrangements is high. These sites capitalize on last-minute purchases by mimicking legitimate shops and luring unsuspecting shoppers. To enhance their credibility, the operators frequently run fake social media ads that direct victims to the counterfeit pages, adding a false sense of legitimacy to the scam.

Victims have reported that some sites will fulfill the order, but the quality is lacking or the items arrive damaged. Other victims report that the flowers were never delivered and the shop became unreachable.

How to Protect Yourself:

  • Double check website URLs, including the spelling of the domain and the top-level domain (.com versus .net, for example).
  • Look for independent reviews of the site, not only the testimonials the site shows, to see complaints from victims or unsatisfied customers.
  • Where possible, use payment methods that offer fraud protection, such as a credit card, rather than wire transfers, gift cards or cryptocurrency.

Similar to fake retail websites, scammers use a variety of tactics to deceive individuals into purchasing counterfeit tickets. They exploit the high demand and limited supply of live events by creating fake ticketing websites with legitimate-sounding names, advertising fraudulent tickets on social media marketplaces, and even offering “last-minute deals” outside event venues. These scams are often tied to genuine events taking place in the area, making them appear more credible and increasing the probability that unsuspecting buyers will be fooled.

The likelihood of falling for these scams rises when purchases are delayed until the last minute. Scammers are aware that urgency and stress can cloud judgment, making individuals more vulnerable during rushed situations.

How to Protect Yourself:

  • Purchase tickets from official sources.
  • Verify the legitimacy of the event prior to purchase.
  • Avoid purchases that require uncommon payment types.

In 2023, Check Point researchers reported that 1 in every 1,000 Valentine’s Day-themed emails was malicious or suspicious. Cybercriminals are skilled at creating enticing emails, messages, or social media posts that appear to come from a secret admirer or a long-lost love interest. These messages often feature subject lines such as “A Valentine’s Day Surprise for You” or “Someone Has a Crush on You.” Their purpose is to entice unsuspecting recipients into clicking malicious links or downloading infected attachments.

These scams can also include fake e-card messages and online shopping deals. Be aware of email ads promoting flowers, chocolates, and romantic getaways. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware.

How To Protect Yourself:

  • Check the sender’s actual email address, not just the display name, and confirm the domain is the one the brand really uses.
  • Trust your instincts if the message seems “off”, including text that reads as if it was generated by AI.
  • Use trusted websites for all online shopping and double check website URLs for any odd variations.
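The two lists above (double-checking a shop’s URL, and checking a sender’s real domain rather than its display name) amount to the same check: does this domain belong to a brand I trust, or only look like it? The script below is an added example written for this page, not code from the original post. It folds common confusable characters (the digit 0 for the letter o, “rn” for “m”, Cyrillic letters that render like Latin ones in internationalized domains) and measures edit distance against a trusted list. The trusted domains (`bloomexample.com`, `ticketexample.com`), the sample URLs and the sample From: headers are all constructed for the example; the two-label domain assumption (`.com`, `.net`) is noted in the code.

```python
"""Flag lookalike domains in URLs and e-mail senders against a list of trusted brands."""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed trusted list for this example (assumption: replace with the brands you deal with).
TRUSTED_DOMAINS = {"bloomexample.com", "ticketexample.com"}

# Substitutions scammers use inside registered names. Multi-character entries
# come first so "rn" is folded to "m" before single characters are considered.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    # Cyrillic letters that look like Latin ones (IDN homograph trick)
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0445", "x"), ("\u0443", "y"), ("\u0456", "i"),
]


def skeleton(label: str) -> str:
    """Reduce a label to what it looks like: lowercase, strip accents, fold confusables."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from a brand name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Host of a URL (scheme optional), with www. stripped, reduced to its last two labels.
    Assumption: a single-label public suffix (.com, .net); co.uk-style suffixes would need
    a public-suffix list."""
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn--... back to Unicode so homoglyphs are visible
    except UnicodeError:
        pass  # already Unicode (or not punycode): compare as given
    labels = host.split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[-2:])


def check_domain(url: str) -> dict:
    """Classify the domain in a URL against TRUSTED_DOMAINS."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "mimics": None}
    sld = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        tsld = trusted.split(".")[0]
        if sld == tsld:                              # same name, different top-level domain
            return {"domain": domain, "verdict": "lookalike-other-tld", "mimics": trusted}
        if skeleton(sld) == skeleton(tsld):          # bl00m, exarnple, Cyrillic o ...
            return {"domain": domain, "verdict": "lookalike-homoglyph", "mimics": trusted}
        if tsld in sld:                              # brand-secure, brand-support, ...
            return {"domain": domain, "verdict": "lookalike-embedded-brand", "mimics": trusted}
        if levenshtein(sld, tsld) <= 2:              # dropped or swapped letters
            return {"domain": domain, "verdict": "lookalike-typosquat", "mimics": trusted}
    return {"domain": domain, "verdict": "unknown", "mimics": None}


def check_sender(from_header: str) -> dict:
    """Judge a mail by the address it actually comes from, not by its display name."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "verdict": "malformed", "mimics": None}
    result = check_domain(addr.rsplit("@", 1)[1])
    result["address"] = addr
    if result["verdict"] == "unknown":
        # Brand name shown to the reader, unrelated sending domain: display-name spoofing.
        shown = skeleton(name.replace(" ", ""))
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(trusted.split(".")[0]) in shown:
                result.update(verdict="display-name-spoof", mimics=trusted)
                break
    return result


if __name__ == "__main__":
    # Constructed samples, not real sites or mails.
    for url in ["https://www.bloomexample.com/order", "http://bl00mexample.com/sale",
                "https://bloomexample-secure.net/login", "https://blomexample.com",
                "https://bl\u043e\u043emexample.com", "https://example.org"]:
        print(url, "->", check_domain(url))
    for hdr in ["Bloom Example <offers@bloomexarnple.com>",
                "Bloom Example Support <noreply@mailer-example.org>"]:
        print(hdr, "->", check_sender(hdr))
```

Short brand names make the embedded-brand test noisy (a two-letter brand appears inside many innocent words), so in practice restrict that rule to brands of reasonable length and treat every verdict other than `trusted` as “do not enter payment details here”.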

Cybercriminals demonstrate a strong capacity to exploit emotions, and scam tactics continue to grow in sophistication. Research shows that new domain registrations with ‘Love’ or ‘Valentine’ in their names more than double in January compared to the year-end months. Romance scams alone have accounted for hundreds of millions of dollars in reported losses each year.

While Valentine’s Day celebrates love, cybercriminals unfortunately see it as an opportunity to exploit unsuspecting victims. As always, it’s important to remain vigilant during any online activity, especially when shopping for the perfect gift or planning a romantic experience.


To see specific examples and screenshots from the dark web, check out our blog from last year.

Prepping The Battlefield – The New Cyber Warfare Playbook

February 10, 2026

Warfare has always gone hand in hand with technological innovation. Civil nuclear energy followed the nuclear bomb, arriving nearly a decade after the first atomic weapon was detonated. Before the World Wide Web, there was ARPANET, launched in 1969 by the U.S. Department of Defense to connect military and research installations through distributed computer networks, more than 20 years before the internet became public. Before commercial GPS, there was NAVSTAR, a U.S. military satellite program developed in the 1970s, originally designed for missile guidance, troop movements, and precision targeting, years before civilian GPS became available. Military jet engines preceded commercial aviation, military radar predated modern weather forecasting, military encryption existed long before public cryptography and e-commerce, and drones, satellites, and even mass-produced antibiotics were first developed to meet battlefield demands.

Once again, militaries are leveraging technology to redefine tactics and battlefield strategies. Nation-states are increasingly developing offensive cyber capabilities not merely as tools, but as a means to prepare and shape the battlespace before military action occurs. Power grids, communications infrastructure, air defenses, satellites, and command-and-control systems, along with the population’s perception of events, are now targeted before the first kinetic shots are fired in anger.

In this blog, we’ll review some of the most impactful nation-state offensive cyber operations in the modern era and how they illustrate this escalating trend of warfare.

Eleven years after Operation Orchard, Israel admitted it was responsible for the 2007 airstrike in Syria that targeted a suspected nuclear reactor which may have been capable of producing material for nuclear weapons. No jets were shot down during the operation and no surface-to-air missiles were launched by the Syrian military. In other words, Israel entered Syrian airspace without resistance.

According to multiple sources, the failure of Syrian air defenses during the 2007 strike has been attributed to a proactive Israeli cyber and electronic warfare operation that temporarily disabled radar and surface-to-air missile systems. Although specific methods were never publicly disclosed, analysts have speculated that the operation may have involved advanced electronic jamming and a software capability known as Suter.

Suter, reportedly deployed aboard specialized aircraft, is believed to exploit radar and air-defense systems by detecting their emissions and injecting malicious signals back into the emitters. This can result in disrupted sensor feeds, conflicting or false target data, and, in some cases, complete loss of radar functionality, effectively rendering the air-defense network inoperable during the operation.

One day before Russian military units entered Georgia in 2008, there were widespread cyberattacks targeting local media as well as government websites. These attacks were primarily distributed denial of service (DDoS) and website defacements. Although less sophisticated than other types of nation-state cyber operations, they aimed to isolate and silence both Georgian officials and the civilian population.

With government services offline, it became difficult for state officials to communicate and respond to the events that unfolded the following day. And with local media unable to broadcast, they too could not tell the public about the impact of Russia’s invasion of their homeland. The DDoS campaign caused confusion and made disinformation more potent as Russia continued to take control of Georgian territory.

The next phase of the cyber operation broadened the scope and targeted financial services, institutions, and even launched anti-Georgian hacktivist websites to stir discontent and make civilian resistance to the Russian operation less attractive.

There is ongoing debate among experts regarding the strategic significance of cyber operations during Russia’s 2014 annexation of Crimea. While offensive cyber activity was present during and intensified after the invasion, it is difficult to argue that these operations played a decisive role in enabling Russia’s territorial gains or directly shaping battlefield outcomes for Russian forces on the ground.

More impactful cyber operations emerged after the annexation. Sandworm’s campaigns stand out as among the most consequential post-Crimea cyber efforts, causing extensive disruption to Ukrainian networks and, in the 2015 and 2016 operations, contributing to widespread power outages. Other destructive campaigns, including wiper malware such as NotPetya in 2017, similarly targeted Ukrainian institutions and critical infrastructure in the years following 2014, reinforcing cyber operations as a persistent element of Russia’s broader pressure campaign rather than a decisive pre-invasion enabler.

By February 2022, it had become clear that Russian military strategists believed their prior cyber operations were worth leveraging again in the lead-up to a full-scale invasion of Ukraine. Many of the same cyber tactics observed in previous years were redeployed days—or even hours—before Russian troops crossed the Ukrainian border.

In the weeks preceding the invasion, WhisperGate targeted Ukrainian government websites and servers. Disguised as ordinary ransomware, WhisperGate was in fact wiper malware designed to destroy data and render systems inoperable. Shortly thereafter, coordinated DDoS attacks disrupted Ukrainian banks and temporarily took multiple government websites offline.

Just hours before the ground invasion commenced, a synchronized campaign deploying HermeticWiper and IsaacWiper further targeted Ukrainian government networks with wiper malware. These attacks appeared aimed at degrading communications, slowing coordination, and complicating defensive responses.

As wiper malware was overwriting disks across Ukraine, a separate cyberattack targeted satellite communications infrastructure. Viasat’s KA-SAT network was taken down, disrupting satellite connectivity used by civilian networks across Europe as well as by certain Ukrainian military assets. This attack demonstrated a deliberate effort to impair command, control, and situational awareness at the critical opening phase of the invasion.

The recent operation in Caracas demonstrates the capabilities that emerge when cyber warfare is integrated with real-world troops in combat. Although few details, means, or methods have been made public, there is still a significant amount of evidence highlighting the impact the United States Cyber Command made during Operation Absolute Resolve.

According to American officials, cyberweapons were used in Venezuela to disable power in regions near military bases in Caracas, as well as to shut down radar defense systems and even handheld radios used by the Venezuelan military (see image below). Unverified reports from soldiers and security personnel in Caracas claim to have experienced “intense sound waves, severe physical distress, and bleeding during the operation”. United States President Trump spoke to NewsNation after the operation and stated that a “sonic weapon” had been used during the raid.

Modern warfare is no longer defined solely by armies, aircraft, and armor. As history has repeatedly shown, military necessity drives technological innovation, often before those capabilities reach the civilian world. Today, offensive cyber operations represent the latest evolution of this pattern—an invisible means of shaping conflict before the first kinetic action occurs.

The cases examined in this blog demonstrate a clear trend: nation-states now treat cyberspace as a domain of warfare. From Israel’s alleged disabling of Syrian air defenses during Operation Orchard, to Russia’s coordinated cyber disruptions preceding invasions of Georgia and Ukraine, cyber operations are used to blind sensors, sever communications, disrupt civilian infrastructure, and undermine public trust. These actions are not isolated technical events; they are strategically timed efforts designed to degrade an adversary’s ability to detect, decide, and respond under pressure.


Darknet forum RAMP4U seized by FBI

January 29, 2026
Figure 1 – RAMP4U.io seizure notice

On 28 January 2026 a seizure notice appeared on the notorious darknet forum RAMP4U. The notice stated the FBI had seized the site. Both the clear net and onion domains showed this notice.

In July 2021, Russian-speaking threat actors on the darknet forums XSS and exploit.in began advertising a new ransomware-specific discussion forum called RAMP. This appeared to be a response to XSS and Exploit banning the advertising of ransomware on their respective sites. RAMP was advertised as a ‘safe space’ where ransomware-related discussion and coordination could take place freely and openly.

Figure 2 – Post on XSS banning the advertising of ransomware

DarkOwl assesses that RAMP originated with members or affiliates of the Babuk ransomware gang. Babuk launched its operation in January 2021 and quickly gained notoriety for its cyber campaigns. In early April 2021, the group compromised the Washington, DC Metropolitan Police Department and allegedly exfiltrated over 250GB of sensitive data.

Figure 3 – Historic view of RAMP4u forum

While the FBI has yet to make a formal statement on the seizure of RAMP4U, the domains now resolve to nameservers the FBI uses when seizing infrastructure.

Figure 4 – NS look up

Furthermore, the alleged administrator of RAMP4U appeared to confirm the seizure on a post via XSS.

Figure 5 – DarkOwl Vision post on XSS confirming seizure of RAMP4U

This activity continues a trend of law enforcement seizures of darknet forums, with BreachForums and XSS being notable takedowns in the last six months. It remains to be seen what effect this will have: where the users of RAMP4U will move to, and whether the site will reappear under a new guise. Time will tell.



Cyber Resolutions: 5 Habits for a Safer 2026

January 29, 2026

Every January, organizations roll out security initiatives, refresh slide decks, and announce new tools. This happens every year because breaches continue to happen every year, more often than not through the same well-known traps.

The uncomfortable truth is that most cyber incidents aren’t caused by a lack of technology, or by a lack of understanding of that technology. They are caused by inconsistent or poor habits.

As we head further into 2026, the most effective cybersecurity resolution isn’t signing up for or buying another platform; it is institutionalizing repeatable behaviors that reduce risk every day.

Below are five cyber habits that can combat how attackers operate today.

The network perimeter is gone and the device perimeter is shrinking, which makes identity what attackers target first. That means credential theft.

Credential theft through infostealers, phishing kits, MFA fatigue, and token hijacking remains the fastest path to initial access. If identity controls fail, everything else becomes irrelevant. A safer 2026 begins by treating authentication as critical infrastructure rather than a convenience feature.

That shift means moving beyond basic MFA (multifactor authentication) toward phishing-resistant options such as FIDO2 security keys, WebAuthn, and passkeys, particularly for privileged and external-facing accounts. It requires eliminating shared credentials and reducing the service account sprawl that quietly accumulates over time. OAuth grants and long-lived tokens must be reviewed regularly, as attackers increasingly rely on them for persistence that survives password resets. Most importantly, authentication monitoring needs to focus on behavioral anomalies rather than simple success/failure counts.

Attackers don’t need to waste their time with malware if they can use your credentials to log in. Make authentication hard to abuse, not just hard to bypass.

Most organizations have gotten the memo to collect logs, however, few treat them like the forensic evidence they are.

When an incident occurs, defenders often discover too late that critical data has already been overwritten, was never retained, or lacks the context required to reconstruct attacker activity. These gaps don’t just slow investigations, they make accurate timelines impossible.

A mature security habit is logging with intent. That means deliberately retaining the artifacts you may need, because if you can’t quickly answer What happened first?, attackers already have the advantage.

At a minimum, that includes:

  • Identity and authentication logs retained long enough to reconstruct timelines
  • Endpoint telemetry with process lineage and command execution context
  • DNS, proxy, and network logs that reveal how systems communicate
  • Cloud control plane and audit logs that are enabled and centrally stored
  • Normalized timestamps and identity fields across all sources

Without this foundation, even well-detected incidents turn into partial stories rather than defensible investigations.
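Two of the habits above meet in the same piece of code: monitoring authentication for behavioral anomalies rather than raw success or failure, and normalizing timestamps and identity fields so that events from different sources line up on one timeline. The script below is an added example written for this page, not the post’s or any vendor’s code. It takes two constructed log sources (an identity provider that emits JSON with UTC timestamps, and a VPN appliance that emits syslog in local time with no year and a different username format), normalizes both into one schema, and then looks for the MFA-fatigue pattern: a burst of push denials followed by an approval. The identity mapping, the appliance’s UTC-5 offset, the year, and the ten-minute / three-denial thresholds are all assumptions for the example.

```python
"""Normalize auth events from two sources and detect MFA push fatigue across them."""
import json
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample telemetry (not real logs) ----------------------------------
IDP_JSON = """
{"time": "2026-01-14T08:02:11Z", "actor": "J.Doe@example.com", "event": "mfa.push.deny", "ip": "198.51.100.20"}
{"time": "2026-01-14T08:02:40Z", "actor": "J.Doe@example.com", "event": "mfa.push.deny", "ip": "198.51.100.20"}
{"time": "2026-01-14T08:03:05Z", "actor": "j.doe@example.com", "event": "mfa.push.deny", "ip": "198.51.100.20"}
{"time": "2026-01-14T08:04:30Z", "actor": "j.doe@example.com", "event": "mfa.push.approve", "ip": "198.51.100.20"}
{"time": "2026-01-14T09:10:00Z", "actor": "a.lee@example.com", "event": "mfa.push.deny", "ip": "203.0.113.9"}
{"time": "2026-01-14T09:40:00Z", "actor": "a.lee@example.com", "event": "mfa.push.approve", "ip": "203.0.113.9"}
"""
# Syslog from a VPN appliance that logs local time (assumed UTC-5) and omits the year.
VPN_SYSLOG = """
Jan 14 03:01:50 vpn01 auth: user=JDOE result=MFA_PUSH_DENIED src=198.51.100.20
Jan 14 03:03:30 vpn01 auth: user=JDOE result=MFA_PUSH_DENIED src=198.51.100.20
Jan 14 03:30:00 vpn01 auth: user=ALEE result=MFA_PUSH_APPROVED src=203.0.113.9
"""

# --- Normalization assumptions (would come from your CMDB / IdP in practice) --------
VPN_LOCAL_TZ = timezone(timedelta(hours=-5))
VPN_LOG_YEAR = 2026
IDENTITY_MAP = {"jdoe": "j.doe@example.com", "alee": "a.lee@example.com"}
EVENT_MAP = {
    "mfa.push.deny": "mfa_deny", "mfa.push.approve": "mfa_approve",
    "MFA_PUSH_DENIED": "mfa_deny", "MFA_PUSH_APPROVED": "mfa_approve",
}
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ auth: "
    r"user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)"
)


def parse_idp(text: str) -> list:
    """IdP lines: already UTC, but the actor field mixes letter case."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "identity": rec["actor"].lower(),
                       "event": EVENT_MAP.get(rec["event"], "other"),
                       "src": rec["ip"], "source": "idp"})
    return events


def parse_vpn(text: str) -> list:
    """VPN lines: local time without a year, short uppercase usernames."""
    events = []
    for line in text.strip().splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{VPN_LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=VPN_LOCAL_TZ)
        user = m["user"].lower()
        events.append({"ts": local.astimezone(timezone.utc),
                       "identity": IDENTITY_MAP.get(user, user),
                       "event": EVENT_MAP.get(m["result"], "other"),
                       "src": m["src"], "source": "vpn"})
    return events


def unified_timeline(*sources) -> list:
    """Merge normalized events from all sources into one UTC-ordered timeline."""
    return sorted((e for s in sources for e in s), key=lambda e: e["ts"])


def detect_mfa_fatigue(events: list, min_denies: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when an identity denies >= min_denies pushes inside `window` and then approves one.
    A single success/failure counter cannot see this; the sequence is the signal."""
    alerts, recent_denies = [], {}
    for e in events:
        if e["event"] not in ("mfa_deny", "mfa_approve"):
            continue
        denies = recent_denies.setdefault(e["identity"], [])
        while denies and e["ts"] - denies[0]["ts"] > window:   # age out old denials
            denies.pop(0)
        if e["event"] == "mfa_deny":
            denies.append(e)
        elif len(denies) >= min_denies:
            alerts.append({"identity": e["identity"], "denies": len(denies),
                           "first_deny": denies[0]["ts"].isoformat(),
                           "approved_at": e["ts"].isoformat(),
                           "sources": sorted({d["source"] for d in denies} | {e["source"]})})
            denies.clear()
    return alerts


if __name__ == "__main__":
    timeline = unified_timeline(parse_idp(IDP_JSON), parse_vpn(VPN_SYSLOG))
    for alert in detect_mfa_fatigue(timeline):
        print(alert)
```

Run on the samples, the VPN denials at 03:01 and 03:03 local land at 08:01 and 08:03 UTC, interleaved with the IdP denials, so j.doe shows five denials in under three minutes before an approval and raises one alert spanning both sources; a.lee’s single denial thirty minutes before an approval does not. Without the timezone and identity normalization the same events would sit five hours apart under two different usernames and the pattern would be invisible.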

Not all vulnerabilities are equal, and attackers know it… even if organizations don’t.

While many organizations still prioritize patching based on severity scores alone, real-world threat actors focus on systems that provide leverage and persistence. Edge devices, exposed management interfaces, and internet-facing services continue to dominate initial access pathways, particularly when public proof-of-concept exploits accelerate attacker timelines.

A safer approach isn’t patching everything immediately but patching the right things first. Perimeter and identity infrastructure should be treated as crown-jewel assets, with exploit availability and evidence of active abuse prioritized over theoretical risk. In some cases, the most effective remediation is not another compensating control but the removal of legacy services altogether. Attackers move faster than patch cycles, and defensive prioritization must reflect that reality.

Burned-out analysts miss early warning signs just as overloaded detection systems bury real threats.

Many security programs accumulate alerts and tools without revisiting whether those signals still provide value. Over time, if everything becomes high priority then genuine threats blend into the background noise.

Operational discipline is a security habit in its own right. Alerts should map cleanly to response actions, detections should be tuned to the environment they protect, and enrichment should be automated so analysts spend their time making decisions rather than gathering context. Security teams rarely fail because they lack data; they fail because they cannot prioritize data effectively under pressure.

Many incident response plans look excellent on paper but collapse like a house of cards under real-world pressure.

Teams often understand what they are supposed to do, but they don’t always understand who is supposed to do it, how to make decisions quickly, or what authority is required to act. Organizations that recover faster treat response as a practiced skill, not a “theoretical” exercise.

That practice includes realistic tabletop exercises, rehearsing difficult trade-offs between containment and continuity, and pre-approving actions that would otherwise stall response efforts while leadership is looped in. Clear escalation paths outside normal business hours matter just as much as technical controls. When something goes wrong, muscle memory matters more than documentation.

Cybersecurity resolutions in 2026 won’t be met by throwing around buzzwords or buying new tools. Resolutions will be met by organizations that turn good security theory into daily practices.

Identity-first controls, intentional logging, threat-informed patching, operational clarity, and practiced responses aren’t flashy. However, they are effective.

Make these five habits your new year’s resolution and keep them long after January fades into a distant memory.


Trends to look out for in 2026

January 27, 2026

As we enter 2026, the story of cyber risk continues to evolve. At the same time, there are consistencies we have seen growing for some time. Attackers don’t need unique or specialized skills anymore – the world of hacking is much more accessible, especially when they [threat actors] can log in like you or convince you to log in on their behalf. Automation is making that easier, faster, and cheaper than ever, especially with the development of AI.

Here we explore some of the cyber security and crime trends that look most defining for 2026, based on what major incident and law-enforcement reporting has been showing through 2024–2025.

Identity-based attacks have been on the rise for some time, and we expect this to continue throughout 2026. These attacks remain one of the primary paths attackers take to compromise corporate networks, because credential information is readily available on the dark web and remains one of the simplest ways to gain access, requiring no specialized hacking skills. Expect 2026 to be the year more organizations stop treating identity as a feature of IT and start treating it as a core security control.

Verizon’s 2025 DBIR notes that Basic Web Application Attacks commonly involve stolen credentials, and credential abuse remains a dominant initial access method across multiple attack patterns.

Because of this, you should expect to see more phishing-resistant authentication being implemented across systems as well as continuous verification.

Threat actors don’t only have the ability to steal credentials; they can also coerce them from unwitting employees through social engineering. A common tactic in 2025 was to trick the help desk into resetting MFA, and this is expected to continue into 2026.

With the continued development of AI, it is likely that social engineering attacks will improve with the ability to create deepfakes to fool people into believing they are providing a legitimate person access. DarkOwl analysts started exploring this trend in 2024 here.

Infostealer malware isn’t new, but in the last year it has become more widespread and more often relied upon to conduct real-world intrusions.

Mandiant highlights infostealers as an ongoing pipeline for initial access, where stolen creds from “logs” enable follow-on compromises that end in data theft and extortion.

In 2026 we expect more stealer-log compromises that start outside the enterprise, on employee personal devices, unmanaged browsers, and reused passwords, as well as greater use of stolen session cookies and tokens, not just passwords.

As Telegram continues to be a source for both free and paid stealer log subscriptions, they remain relatively easy for threat actors to access, again lowering the threshold for the sophistication that actors need to have to gain access to systems.

Ransomware has been around for a long time, and it shows no signs of slowing down as we head into 2026. It has, however, developed over the years, with ransomware groups operating like mature businesses with specializations, supply chains, affiliate programs, PR, and negotiation playbooks.

Their techniques have also developed. Although we commonly refer to these attacks and groups as ransomware, data theft is common, and data-theft extortion events in which no ransomware is deployed at all are becoming increasingly frequent.

In 2026 we expect more “no-encryption” extortion attacks where actors steal data, threaten to leak on a dark web site and do so if the extortion payment is not paid – without ever encrypting the data.

In 2026, AI isn’t just “writing better phishing emails” – it’s enabling highly targeted, multilingual scams at scale, voice cloning for “CEO fraud” and synthetic identities, and deepfake-driven coercion.

European law enforcement has been explicit that AI is accelerating organized crime and enabling impersonation and scalable fraud. ENISA’s 2025 Threat Landscape also notes criminal abuse around AI tooling, including fraudulent AI tool sites used to deliver malware and concerns about AI supply chain risks.

Generative AI will also make it cheap to produce high quality lures for cyberattacks, and it can do this at scale meaning that threat actors can use AI to industrialize phishing attacks as well as other methods of attack.

As highlighted above, social engineering is an attack vector which is likely to increase in 2026, and AI will be at the forefront of enabling that growth. AI-assisted social engineering will include voice cloning for “urgent CFO calls,” fake candidates in hiring funnels, vendor payment diversion among many other techniques – some probably not yet thought of.

However, AI can and will also be a useful tool in defending against threat actors. AI can be used to automate and triage vulnerabilities and risk indicators for faster detection and investigation.

Cybercrime isn’t only “breaches.” In raw victim impact, fraud dominates, and it’s increasingly industrialized. The FBI’s Internet Crime Report for 2024 reported record losses and flagged investment fraud, often crypto-related, as a major driver of dollar losses. This is likely to continue to rise.

Dark web marketplaces continue to be a hot bed of activity when it comes to financial crime, with credit cards, bank account information, and access to payment apps being traded routinely.

Since the invasion of Ukraine by Russia in 2022, hacktivist groups have been particularly vocal and active. This only grew after the October 7 attacks in Israel. The groups primarily conduct DDoS (distributed denial of service) attacks but have also conducted many defacement attacks and, more recently, have been more likely to leak data and dox individuals.

This threat is not likely to diminish in 2026, with geopolitics continuing to remain strained throughout the world. It is likely that more groups will emerge in response to real world events and political affiliations.

Many of the cybercrime and cyber security trends of 2025 will continue into 2026, but it is likely to become more difficult to keep up with the speed and scale of attacks due to the use of AI.

It is important for organizations and individuals to remain vigilant and ensure that they are using appropriate precautions to protect themselves.


[Podcast Transcription] AI on the Record – Episode 2: Exploring the Dark Side of Technology

January 22, 2026

Or, watch on YouTube

This podcast features DarkOwl Regional Director and OSINT expert, Lindsay Whyte, and Jennifer Woodard, Chief Product & Technology Officer at Logically.ai who discuss how AI is accelerating cybercrime by powering malicious large language models that generate phishing emails, malware, and ransomware with little user skill required. These tools dramatically scale attacks, leading to everything from personal account takeovers to multimillion‑dollar business email compromise and widespread ransomware incidents. While the threat is growing, Lindsay emphasizes that awareness, simple verification practices, strong security culture, and international cooperation can still meaningfully reduce risk — offering some optimism amid an increasingly complex cyber landscape.


Jennifer: Welcome back to AI on the Record, the podcast that brings together voices from media, policy, enterprise and civil society to explore where influence is heading, how AI is being governed and what decision makers should be paying attention to next. I’m Jennifer Woodard, your host.

Now, today, we’re going somewhere most of us don’t often go – into the darker side of technology, the shadowy corners of the internet and the world of cyber. And we’ll be looking at how AI is now intersecting with these spaces in ways that are both fascinating and, frankly, alarming. With me today is Lindsay Whyte of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Let’s get into it.

So, with me today is Lindsay Whyte of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Lindsay, welcome to the show.

Lindsay: It’s a pleasure to be here. Thank you, even if the topic is somewhat a bit dark.

Jennifer: Indeed. Indeed, it is a little bit dark but thank you so much for being here. Could you just give us a quick intro into a little bit about your background and what you do?

Lindsay: Sure thing. So, I’m a former British soldier and now I’m the co-founder of the UK community, which is a volunteer-run not-for-profit seeking to bolster the UK’s intelligence capabilities by reintroducing in-person interactions into the world of security, but also at the same time crowdsourcing new innovations in the rapidly growing world of open-source intelligence technology. My day job is working for DarkOwl, which is a leading darknet intelligence collections company, which was actually founded by the same person that founded the Tor Project itself. So, we illuminate darknet data for governments and security professionals around the world.

Jennifer: That’s very interesting. It’s incredible to hear. And, you know, as you’ve explored these spaces, I’m assuming you’ve seen technology evolve and now that we’re kind of in the age of AI. AI is coming into its own. AI is now part of this kind of cybercrime dark web story. Could you help us understand a little bit about how cyber criminals are using AI, and whether that’s something that we should actually be worried about?

Lindsay: Absolutely. I think it’s a great place to start because, you know, you and I know ChatGPT. I think most people have at least heard of ChatGPT by now. And that’s what, you know, we call a large language model. Basically, it’s a very sophisticated AI that can understand and generate human like text. Now, big companies like OpenAI and Anthropic, they build things which you call guardrails. So, these are rules that prevent their AI from helping you do bad things.

So, if you ask ChatGPT to hack someone’s bank account, it will politely refuse. But malicious large language models (LLMs) – they are the sort of evil twins and they’re built from scratch or modified specifically to remove those sorts of guardrails. They’ll happily help you craft phishing emails, write malware, generate ransomware code, ransomware notes, you name it. Really. So, what’s interesting, of course, is that already this sort of malicious LLM ecosystem, they’re already selling their software in subscription form, so you’ll be able to buy malicious LLMs on a monthly plan, on an annual plan, a lifetime. I mean, there’ll probably be Christmas discounts, you know, before long. So, it’s basically cybercrime as a service, as the security industry has always known it. But now with that AI superpower. Yeah, I wish I was joking, but that’s the real reality of it.

And, I guess to understand how this matters, we need to talk about the dual-use dilemma, which I know, Jennifer, you probably know a lot more about from that sort of policy perspective. But, you know, fundamentally, this dual-use dilemma in AI is about how you use the exact same technology for both good, but also for, you know, for harm and how it can get sort of weaponized for harm. You know, a little like nuclear physics. It’s something which can power a city for free and transform a society. But it can also be used in weapons to sort of level a city. So, AI kind of has to be thought of, I think, in the same kind of way. You know, it gives us the same capabilities, allowing a company to automate customer support for the good, or helping students write better essays at university, but it also helps criminals scale up their attacks. So even if the technology is neutral, the intent is not.

So, I guess this is where it gets pretty interesting because, you know, the same linguistic precision that makes AI great at, you know, university essays and helping write emails can also make incredibly convincing phishing emails. So, the same coding ability that helps developers debug software can actually customize malware in the same amount of time, and that’s kind of what makes it tricky from a regulatory perspective. I guess for me, what really concerns me is the way that AI is now democratizing cybercrime, because it used to be that attacks required a certain level of skill. So, you know, language skills, a certain amount of coding knowledge, a deeper understanding of, like, social engineering per culture in which you’re trying to action this attack. This is now available to anyone. So, you know, we’re talking about a skill level between someone who maybe knows how to use Google and understands basic computer concepts. That’s all you need now. So, the days of being an expert coder or a wizard of some description to run a sophisticated attack are over, you know, and that’s kind of the reality that we’re living with. You know, would you rather face, as someone said it to me once, you know, would you rather face one expert swordsman or a thousand people with guns? And you know, these malicious LLMs, they are giving everyone a gun. It’s scale over skill, and from a perspective of cyber defense, that’s pretty terrifying because now attacks that used to take days of research, maybe weeks of research and hours of coding can now be done in minutes by someone who has no prior experience in the field.

Jennifer: Wow, that’s really jarring. And like you said, that’s the reality that we’re living in right now. These aren’t even hypothetical risks anymore. I mean, I remember years ago people talking about this might be on the horizon. But we’re actually living with this right now. It seems like it almost snuck up on us in some cases. So, the tools that you’re talking about to develop these, you know, types of malignant actions, they’re actively in use. Could you walk us through some examples of what those tools look like? I mean, what are they actually called? Are they methods? Could you just kind of walk us through that?

Lindsay: Yeah, yeah. Tragically, that is the case that these already do exist. So, two big names that have emerged in the last few weeks are WormGDP, GPT, sorry, and KawaiiGPT. That’s actually wrong. Uh, WormGPT has been around for a while, but I’ll talk about WormGPT specifically because I think it really opens up everyone’s eyes because this is something that appeared, I think it was sort of summer 2023, on underground forums like Hack Forums. For those who don’t know, Hack Forums is pretty much exactly as it sounds, not like friendly Reddit threads. These are places where cyber criminals congregate and share ideas. And WormGPT was being hawked a bit like the latest smartphone. So, the marketing, I think, even included like a creepy little character with red eyes. It was like the most unsubtle kind of thing, but basically what they were advertising is an uncensored alternative to mainstream ChatGPT – no ethical boundaries whatsoever.

And it was built on an open-source model. It was fine-tuned specifically against malicious datasets, so malware code, phishing email templates, exploit write-ups and that sort of thing, and it directly trained itself on that model. So, it was mainly being used for business email compromise. So, that’s where criminals basically impersonate a CEO or a company supplier or something like that. And it tricks employees into sending sensitive information or wiring money outside of the company as part of a scam, and normally with these business email compromise emails and messages that we receive, there were telltale signs that it was a scam. So, there would be weird grammar, it would be awkward phrasing, and that would sort of tip us off. But with WormGPT, it could, and it can, generate perfectly fluent, professional-sounding messages, which even the most savvy employee could fall for. And I guess, you know, ironically, WormGPT became a bit of a victim of its own success because the media exposure it got was so big that the creator actually shut it down quite soon after setting it up because it got so much heat. But of course, the problem with that is that the cat was already out of the bag, and it meant that a lot of copycat GPTs started appearing on the market and other versions started coming out. And, you know, currently you’re looking at sort of WormGPT4, which is more commercialized. It’s got a really slick website.

Remember, I’m talking about a malicious piece of technology here. They have a subscription pricing model. I think it’s like 50 bucks a month, a hundred bucks a year and 200 bucks for, like, lifetime access. So, it’s very affordable. It becomes very problematic. It’s got a big sort of Telegram ecosystem that’s growing. It’s like running itself like a legitimate software company. And, you know, people have tested this. It can spit out ransomware notes, ransomware scripts, with encryption to infect computers. I think the ransomware note that it can generate gives you, it provides the level of detail where it’s instructing a victim how to buy Bitcoin to pay the ransom if they don’t already know how to do it and what sites to use. It’s very smart.

As I mentioned, there’s another one called Kawaii. I think I’m pronouncing that right – KawaiiGPT, basically just Google KawaiiGPT. And that takes a slightly different approach. It markets itself as like a friendly, playful chatbot but it’s, you know, it’s completely free. It was on GitHub until very recently. It may still be there and basically allows people to download it for free. Some security researchers have started to ask it to, like, as in legitimately to see its power, test if it can write scripts for lateral movement. So lateral movement is where an attacker basically goes into one computer in a network and then crab-walks into other computers on that network like dominoes falling. It’s able to do all of these things and is pretty terrifying, really, because all of this can be generated in a few seconds. So, yeah, I think overall, what’s worrying about both of these tools is that they’re creating, like any professional tool these days, an ecosystem of developers, of communities, of people, you know, giving feedback and then the product being improved. It’s like these Telegram channels, they read a bit like LinkedIn for criminals. It’s pretty surreal.

Jennifer: Yeah, it’s democratization in the worst possible sense. Right? I mean, it’s really the ability to scale this like never before. And the barrier to entry being so low that just about anybody has access to these types of tools. Anyone who wants to do harm. When you lay it out like that, it’s really, I mean, it’s really scary how big this impact is. So, you mentioned a little bit about the victims. You know, you referenced kind of like corporation CEOs. What happens to the victims of these types of attacks? What’s the aftermath of something like this happening?

Lindsay: Well, I mean, the impact does kind of range between, you know, the corporates that you mentioned, right down to sort of like individuals, who fall for this. It can be anything from just being really annoying to completely devastating and life destroying.

I mean, at the lower end, a successful phishing attack that compromises an individual account, you know, an email gets hacked or someone’s social media gets taken over. It’s embarrassing. It’s potentially financially damaging. It might be recoverable but, you know, people can lose their accounts for a while. They might lose their identity. So, it can be a real hassle. It may not necessarily be life destroying, but when you scale up the chain and you start then looking at business email compromise, which I said is the main focus initially of WormGPT, for example. That’s when it gets very serious because a company employee can get tricked into wiring money to a scammer’s account. We’re talking six, seven figures. I’m not exaggerating. I mean, companies have literally gone bankrupt because of successful business email compromise attacks. And imagine you’re the CFO and you get what looks like a legitimately urgent request from the CEO to wire funds for like, an acquisition or something else. That money is then gone. It’s irretrievable and you’re left kind of explaining to the Board how you just wired all of that money out of the business.

And then at the top end, you’ve got ransomware attacks, where all of the cybercrime sort of focuses, I’d say right now, where an attacker gets into a network, they spread through the system, they encrypt everything, and demand payment to unlock it. And we’ve seen this happen to hospitals, you know, doctors not being able to access patient records, manufacturers shutting down operations for weeks and for manufacturers, operations being shut down is millions and millions of pounds lost in production. School districts not being able to access their pupil records or that kind of thing before exams. You know, the impact then isn’t just financial. It’s actually emotional as well. And that’s pretty immense. So, I mean, LLMs (language models) are making all of these things easier – the sort of the improvements in how it generates convincing language for phishing emails, instant code generation for malware. These tools are accelerating every single phase of an attack. And as I said, what used to take a team, a skilled team, days and weeks can now be done by one person in a matter of hours. Again, imagine someone who is maybe a disgruntled former employee or a, I don’t like to say teenager stuck in their bedroom because that’s such a stereotype, but you don’t need much to trigger someone to then pay that $50 monthly subscription for one of these malicious GPTs. You know, you just need a fraction of these people paying and getting access, and then suddenly you’ve got an enormous, enormous problem on your hands. These aren’t, you know, the companies behind them, of course, you know, they’re not hobbyists themselves; they are themselves very professional business operations with customer support and engineers and all this sort of thing. Just because you and I could use it and people without much knowledge can use it, that does not reflect the level of sophistication on the other side of the fence. They are professional businesses. Right. That’s something that people often forget. These people really know what they’re doing. They’re very well organized. You know, they learn how businesses work. They’ve worked in legitimate businesses in the past more often than not.

Jennifer: And cutting edge, it sounds like cutting-edge technology developers as well. They’re not just a mom-and-pop shop. Wow. That’s hard to hear, quite alarming. But, you know, in spite of all this, I assume that something is being done to mitigate these risks, right? This is a risk to every sector, every part of the globe. It’s a risk to economies worldwide. What is happening on that front? Can these tools actually be stopped, or is this kind of a new reality that we need to adapt to?

Lindsay: This is the problem, I suppose, is that it does get complicated because there is no silver bullet. If we look to the sort of legal and regulatory side of things, we are sort of in murky waters and you’ll probably know this, that – okay, the original, say, WormGPT, this malicious LLM, was shut down voluntarily by its creator, but then we do have other GPTs, you know, on GitHub and still running. So, you’re going to have to ask, like, legitimate websites, the ones hosting code, that they have to police what kind of code people can share. And that opens up a whole can of worms, to pardon the pun, because, you know, here’s the thing. You know, these exact same tools are crucial for legitimate penetration testing.

Penetration testing is an absolutely vital part of cybersecurity posture because essentially what penetration testers do, these are the good guys who are hired to break into a system to find vulnerabilities so that you can bolster your defenses. So again, we’re into that dual-use dilemma. The tool itself is neutral and that makes regulation incredibly difficult in my opinion. Because how do you ban something that has a legitimate use? But I guess there are other approaches that need to happen. I mean, again, I’m not an expert on it, but developers of mainstream API models need to continue with their safety measures. So, making it harder to jailbreak these systems and that sort of thing. Law enforcement needs to get better at tracking the financial flows – so identifying the people behind these cryptocurrency flows, and pursuing them, because as part of my day job at DarkOwl, that’s what we spend our time doing is illuminating dark web forums and cryptocurrency. And then, I guess, most importantly, is promoting international cooperation on these subjects, because this means absolutely nothing if we don’t have some global approach to countering this because cybercrime is, in its nature, just borderless. You know, you’re always going to attack the jurisdiction that is as far away from your own as possible, right? That’s just common sense if you’re a criminal. So that’s pretty important. Obviously, there’s other things on the side of sort of like the EU AI Act, which I’m not quite as familiar with.

But for individuals, there’s quite a bit you can do. I want to be positive here and this is where I get optimistic because even the most convincing phishing email fails if people are trained to verify requests through secondary channels. If your CEO sends you an email asking for an urgent wire transfer, picking up the call, picking up the phone and calling them is what you need to do, and that’s where, you know, the AI model kind of fails because simple practices like this will defeat AI generated attacks in person and face to face options as well to kind of do this, you know, companies specifically. Yes, there’s sort of layered defenses. So, there’s various cybersecurity practices you can put in place good security practices, a healthy amount of skepticism. These are all things that will help. I mean, fundamentally, this is an ongoing arms race. Attackers are going to develop new tools, defenders are going to attack. Attackers are going to evolve. Defenders respond. It’s just going to keep going on and on. It’s been like that in cybersecurity forever. And so, nothing’s really changed.

Jennifer: Right? It’s about staying one step ahead of the bad guys. It’s the same type of a situation as in cyber, for the past, you know, 20, 30 years. Yeah. I’m glad that you bring a little bit of optimism into this, because I’d like to hear, you know, from a technology perspective, given how difficult this is, it sounds almost insurmountable. What is it? What is something that actually gives you hope? Something that makes you think from a technology perspective that we can actually kind of make a difference here?

Lindsay: Yeah, I think there is some hope. And just to sort of flesh out, you know, my optimism on this. Increased awareness does help things tremendously. You know, conversations like this where we’re educating people about these threats do make a real difference. As someone said, an informed public is the best defense. So, when people understand that emails can be generated by AI, you know, that perfect grammar is no longer the guarantee of legitimacy, that verification is essential and that sort of thing. This really does change the game. You can have the most sophisticated technical defenses in the world, but if your employees know to pick up the phone and verify a wire transfer request, you have just defeated, there and then, a multi-billion-pound AI-powered attack with a 30-second phone call.

It’s not necessarily about blocking specific tools. I think that’s a losing game. It’s about building systems and cultures to be resilient at scale, and understanding the speed of how AI evolves. You know, bringing back human interactions. I’m a big believer in this, whether we do this with government or with our own companies – nothing can beat that human interaction to verify something 100%. I think one of the things I’ve always worried about is the way in which and, you know, one thing we haven’t really spoken about is the way in which nation state actors and governments are actually funding and promoting a lot of this malicious LLM use. Sometimes I think democracies look to the digital world as a form of efficiency, and I think we’re entering into that, and that is right. I mean, it’s changed everything. It’s been revolutionary. But we may be entering into a period where it’s giving us diminishing returns, and we need to return to more in-person interactions, in-person verification. What that looks like, I’m not entirely sure, but you always have that. And I think, you know, understanding that and recognizing that we can’t just rely on digital systems for everything could be counterproductive.

There’s things that are sort of keeping me up at night. I think the accessibility, you know, something that used to need a lot of skill doesn’t need a lot of skill. There aren’t those barriers anymore. But I think, you know, there is something that we can rely on. And that’s the sort of human element as both the biggest weakness, but also the greatest strength that we have.

Jennifer: Yeah, that is actually encouraging, reassuring. You brought up some topics that kind of bring back the optimism to the conversation. So, before we go, I’d like to ask our guests: if listeners could take one thing away from today’s conversation about AI and cybercrime, you know, what they really, really need to remember, what should it be?

Lindsay: What I would suggest people do is that they start to really think in a hybrid mindset when building technology, managing people, improving society. Don’t rely on technology to save you. Don’t rely and think likewise that technology is going to ruin you. The fact is, it is just another tool. Are we building a society and are you building a business I suppose that takes into account all of these various facets? Sorry, I can’t be more specific than that. I’m still learning a lot about AI. I can’t claim to know everything about how AI is being used within the cybercrime world. It is evolving every second but I think we need to understand and appreciate more the benefits of thinking holistically when talking about even the most digital of phenomena.

Jennifer: And that is a great way to end it, because that’s something that’s in our hands. It’s all about understanding awareness, educating ourselves, and kind of staying ahead of the curve. So, thank you so much, Lindsay Whyte, for joining me today on AI On the Record. It was a pleasure having you here. Even though the topic was a little bit dark, there is some hope for the future, it sounds like. And thank you so much for joining us.

Lindsay: It’s a pleasure, Jennifer. Thank you very much indeed.

Jennifer: That’s it for AI On the Record. Thanks so much to Lindsay Whyte for scaring us a little but also adding a little hope in the struggle of good versus bad in the world of AI. If you found this conversation valuable, share it with someone who thinks deeply about tech, trust, and the future of information. Until next time, I’m Jennifer Woodard. Thanks for listening.


Threat Actor Spotlight: Scattered Lapsus$ Hunters

January 20, 2026

Scattered Lapsus$ Hunters is reported to be a hybrid threat actor group forged from three separate groups, who collectively emerged onto the scene in 2025 and quickly made their mark on the cybersecurity world. Announcing their existence following ShinyHunters’ alleged social engineering campaign that purportedly resulted in the theft of 1.5 billion Salesforce records, the group consists of members of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups.

The three factions were all heavily active in 2024, resulting in a series of arrests of members of the group Scattered Spider in 2024. The group re-emerged in April 2025 with an attack on UK retailer Marks and Spencer. Due to the significant attacks carried out by the individual groups in recent years, the convergence of their members has introduced even greater chaos into an already volatile landscape.

On October 3, 2025, Scattered Lapsus$ Hunters launched a data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site requested that Salesforce pay a ransom to prevent impacted customer data (approximately 1 billion records containing personal information) from being released. The group set an October 10 deadline for Salesforce to pay the ransom, or for potentially affected companies to contact the group to secure their data. Salesforce refused to negotiate with the threat actors, stating that the threats were unsubstantiated, and offered support to any of its affected clients.

While the group had threatened to release all information if their demands were not met, eventually they only leaked data from six companies. The victims included Albertsons, Engie Resources, Fujifilm, Gap, Qantas, and Vietnam Airlines. Qantas and Vietnam Airlines each had more than five million customer records exposed. The group later announced on its Telegram channel that it would not release any additional information until 2026, stating that it was unable to leak further data, though no specific reason was provided. The limited amount of victim information leaked during the October extortion attack led some individuals to question the extent of the data the group possesses. This behavior appears to indicate the group believes it can still extract a substantial payment from Salesforce or the affected individuals.

Following the partial leak, Scattered Lapsus$ Hunters posted a Telegram announcement threatening the remaining victims and Salesforce. The statement urged Salesforce to “put down your pride/ego,” warning that their next campaign would be more “destructive” and that they have the time and resources to ensure this fate. They warned against policies that mirror Australia’s “Cyber Security Act of 2024,” which introduced mandatory reporting of ransomware and cyber extortion payments and strongly discourages complying with threat actors demanding ransom. The group identified themselves as businesspeople and rejected the label of terrorists or attackers.

The post was signed “We will never stop, see you all in 2026,” indicating the group will return with further activity in the new year.

In November 2025, the group announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. On a Telegram channel used by the group, they claimed the ransomware was in development and would be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Previously, these threat actors have used ransomware encryptors such as Qilin, RansomHub, and DragonForce. Victims of ShinySp1d3r will receive a note that they have “three days to begin negotiations before the attack is made public on the data leak site”.

Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”.

ShinyHunters claims that organizations in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance providers, are excluded from being targeted by its encryptor. However, researchers report that many groups have made similar assurances in the past, only for those self-imposed restrictions to be routinely ignored or violated.

Scattered Lapsus$ Hunters are expected to remain active this year, leveraging both new and familiar tactics to cause disruption across the cyber landscape. The combination of the three groups demonstrates a shift in cybercriminal branding, appearing to prioritize credibility and visibility. Given their broad range of targets, effective information sharing between organizations will be critical to countering this threat actor. To mitigate the risks posed by Scattered Lapsus$ Hunters and similar groups, organizations must prioritize monitoring these dark web activities.


To ensure your organization is taking the necessary steps to mitigate threats from these groups, contact us.

2025 – A Year of Constant Upheaval on the Dark Web

January 15, 2026

If you watched the dark web ecosystem in 2025, like DarkOwl does, you may have noticed that it seemed very unstable. While the dark web is notorious for being unstable with onion sites often going up and down, this year felt different – with more permanent changes to mature and established sites and a seemingly revolving door of admins.

Long-running drug markets vanished overnight in coordinated international operations. Fraud and hacking forums were seized and marked with law enforcement seals. Others simply went dark in classic exit scams, taking millions in crypto with them.

The most notable sites to be impacted this year were XSS – a long-standing Russian-language hub for exploits, access, and ransomware affiliates – and BreachForums – the English-language epicenter of data breach leaks and credential trading, which has been subject to changes over many years but always seems to come back.

But they were only part of a much larger story that included major markets like Archetyp and Abacus, plus “shadow markets” on platforms like Telegram.

As 2026 begins, we wanted to delve into what happened in 2025: the XSS takedown, the ongoing BreachForums saga, a review of some of the major marketplace hits and exit scams, how exit scams and takedowns reshape trust in the underground, and what all of this means for defenders and analysts.

For years, XSS (formerly DaMaGeLaB) was one of the most influential Russian-language cybercrime forums. It served as a marketplace for exploits, stolen access, and malware as well as a recruiting ground for ransomware crews. A well-established site, it fostered a high-trust environment among its users, who were able to trade tools and services. The site had been operating since 2013 and was estimated to have over 50,000 registered users.

However, in mid-2025, the XSS era effectively ended. Law enforcement agencies in France and Ukraine, supported by Europol, targeted XSS after a multi-year investigation which began in 2021. This led to the arrest of a 38-year-old suspect alleged to be the main XSS administrator in Kyiv. Shortly after, the XSS domain displayed a classic law enforcement seizure banner, signaling that authorities had taken control of infrastructure and likely obtained access to backend data and communications. This marked a change for law enforcement who have typically targeted English-speaking sites on the dark web with Russian sites usually being more difficult to infiltrate.

Figure 1: XSS Seizure Notice

For a forum that catered to serious actors, including affiliates of major ransomware groups, this was a significant blow. The value of the takedown wasn’t just the shutdown, but the potential intelligence gathered, thought to include database content, private messages, transaction details, and operational. It also initially appeared to leave a void of where these actors could interact and advertise.

However, as usual, the community did not vanish with the domain, which did reappear. Some members migrated to other Russian-language forums such as Exploit or RAMP. Exploit, another well-established forum, appeared to be the primary forum of choice. Others attempted to relaunch XSS under slightly different branding, trying to keep the reputation and user base intact. However, registration for new users proved challenging, and many commentators online felt that XSS was now a honeypot run by law enforcement. It appeared that many in the community were reluctant to continue using the updated site.

The net effect: XSS as a brand is fractured, but the underlying actors remain active and mobile on other forums. For cyber security analysts, the center of gravity moved, but the threat did not disappear. The game of whack-a-mole continues.

On the English-speaking side, BreachForums has been the high-profile home for many years, having launched around 2022 in the aftermath of the RaidForums seizure. The site was known primarily for selling and sharing data breach leaks, trades and giveaways of credential dumps as well as the discussion of hacks, access sales, and “clout” postings.

Since then, BreachForums has been stuck in a loop.

BreachForums v1 (breached / breached.vc, etc.) – launched after RaidForums was seized, was itself later taken offline after the arrest of its founder “Pompompurin” (Conor Fitzpatrick). Fitzpatrick was subsequently charged, and rumors swirled that the site was operating as a honeypot.

In September 2025, founder Conor Fitzpatrick was re-sentenced to a longer prison term after an appeals court deemed the original sentence too lenient. That move signaled that U.S. courts view BreachForums as a serious, high-impact cybercrime platform, not just a “kids swapping databases” site.

Subsequent versions of BreachForums followed the same pattern. New domains and infrastructure spun up (e.g., breachforums[.]st) quickly, claiming to be the successor and controlled by affiliates of previous versions. The community reconvened, often with familiar staff and leak actors (including groups like ShinyHunters). However, law enforcement seized infrastructure again, posting FBI banners on front-end domains and, in some cases, gaining access to backend data and user logs.

However, in 2025, a few milestones stood out as different to the pattern, and the activity appeared to occur much more rapidly than it had with previous iterations.

One BreachForums instance announced it was closing after operators claimed law enforcement had exploited a 0-day in MyBB (their forum software) to gain access. Whether this was accurate or an excuse, the result was the same: another dead forum, more scattered users. Yet another BreachForums-branded domain displayed an FBI seizure notice, underscoring that law enforcement was tracking the brand as much as the infrastructure.

Every new BreachForums revival faces the same dilemma: if it’s real, it’s a prime target; if it’s not real, it might be a honeypot or undercover operation. This creates a deep trust problem inside the community.

So, while BreachForums keeps coming back in some form, each iteration is more paranoid, more fragmented, and less trusted than the last. As with XSS, we have seen the community seek refuge on other sites from law enforcement action and the fear of honeypots. In 2025, a clear front runner has been Dark Forums, although it too has already changed management, suffered technical issues and downtime, and moved between domains.

Beyond forums, darknet marketplaces remain a central pillar of the underground economy, especially for drugs, fraud services, and stolen data. In 2025, they were hammered from both sides.

Archetyp Market was first seen in May 2020 and quickly became one of the largest drug markets in operation. It specialized in the sale of drugs, including high-risk substances such as fentanyl. The site required registration and accepted payment in the privacy-focused cryptocurrency Monero. With over 600,000 users and 3,200 vendors, the market facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $250–290 million in illicit goods, making it a titan among darknet marketplaces.

From June 11–13, 2025, Operation Deep Sentinel, led by Germany’s BKA and supported by Europol, Eurojust, Homeland Security Investigations (HSI), and law enforcement from five other countries, executed a coordinated takedown. Servers were seized in the Netherlands, digital assets were frozen, and the suspected site administrator, a 30-year-old German national, was arrested in Barcelona. Authorities also confiscated millions in cryptocurrency, luxury vehicles, phones, and drugs in sweeping raids.

This followed a familiar pattern from earlier eras: Silk Road, AlphaBay, Hansa, Hydra. Each time a flagship market becomes large and visible enough, international law enforcement teams invest the time and resources to take it down.

In contrast to Archetyp’s law enforcement takedown, Abacus Market appears to have chosen the exit-scam route. An exit scam occurs when the administrators of a site close it down and, in the process, steal funds that they are holding in escrow from their customers and vendors.

Abacus had, by many accounts, become one of the highest-earning Western darknet markets in 2025. Then the warning signs started: users began reporting withdrawal delays and stuck balances. At the time, admins blamed technical problems, distributed denial-of-service (DDoS) attacks, and onboarding chaos from refugees fleeing other shut-down markets.

However, over time, more evidence pointed to a classic rug pull: no seizure banner, no official statement—just vanished infrastructure and a lot of missing crypto.

By mid-2025, most analysts agreed Abacus had exit-scammed, likely taking a substantial share of user balances and escrowed payments with it.

From the average user’s perspective, the result of both scenarios looks the same: one day the site works, the next day it doesn’t, and your coins are gone. However, the implications are very different.

In a law enforcement takedown, agencies aim to identify operators, seize servers, and collect evidence. You will therefore often see an official seizure banner on the site, stating that it has been taken down and by whom: law enforcement wants users to know it has acted and intends the banner as a warning to others. Increasingly, agencies also use the seized user registrations to contact users directly, warning them that they have been participating in criminal activity in an effort to dissuade them from continuing.

For participants, that means risk doesn’t end when the site goes down; it may only be starting. Data recovered in 2025 can fuel cases and investigations for many years.

In an exit scam, the admins’ primary objective is to take as much money as possible and disappear. Early warning signs can include:

  • “Temporary” withdrawal freezes
  • Sudden policy changes around escrow and wallet management
  • Increasingly vague or aggressive communication from staff

Unlike with law enforcement action, there is no public banner and usually no immediate arrests—just silence.

Legally, the admin’s exposure doesn’t change much: they were already running an illegal market. But for users, the fallout is more about financial loss and fractured trust, rather than immediate deanonymization through seized databases.

In both cases though, the users of the sites will have to find a new home to conduct their illegal trades and communities.

While Tor-based marketplaces and forums grab headlines, 2025 also highlighted another front: shadow markets built on mainstream platforms. DarkOwl often refers to these sites as dark web adjacent, because they are used by the same actors for the same illegal activity but are not hosted on dark web technology such as Tor.

A notable example was the crackdown on channels associated with the underground ecosystem on Telegram. After the arrest of Telegram’s CEO in France in August 2024, the platform increased its moderation, actively banning and suspending channels it alleged were breaking its terms of service. This was not focused solely on markets but was wide ranging.

These bans have had an impact on the market side of Telegram, particularly fraud services, laundering, and illicit financial services that were run via channels and bots.

Telegram’s enforcement actions—including mass bans and account purges—disrupted what analysts described as a multi-billion-dollar illicit economy.

This illustrates a broader trend: crime is platform-agnostic. When Tor markets are unstable, actors move to messaging apps (Telegram, whose ordinary chats are not end-to-end encrypted, as well as Signal and Threema), private Discord servers, niche forums, invite-only groups, or even surface web sites. As Tor-hosted markets become more unstable and more likely to be disrupted by law enforcement action, many actors favor a simpler way of setting up their businesses.

For cybersecurity analysts, focusing solely on .onion sites risks missing a big slice of the activity that happens on “regular” platforms. This is why DarkOwl monitors not just the dark web but also dark web adjacent sites.

Given all the takedowns and scams, is the dark web actually shrinking?

The short answer is no, not really. There is still a huge amount of criminal activity taking place on the dark web and it is important to track and monitor this activity to protect yourself and your organization and to combat crime. However, it is also important to acknowledge that the dark web is becoming more fragmented, less stable, and much harder to trust and therefore harder to track.

Long-lived giants like XSS and Archetyp are being removed or compromised. New markets and forums:

  • Launch quickly
  • Hit critical mass
  • Either get seized or exit-scam once the risk feels too high

That constant churn makes it harder to operate large-scale, long-term criminal infrastructure.

Vendors and buyers increasingly assume every market will die, so they:

  • Keep smaller balances in market wallets.
  • Distribute activity across multiple platforms.
  • Rely more heavily on out-of-band communication (e.g., direct contact over Telegram) and reputation that travels across sites.

Exit scams hurt, but they are no longer surprising.

Forums like XSS and BreachForums played a key role in:

  • Announcing new markets
  • Arbitrating disputes
  • Establishing trust and reputations

But this made them and sites like them prime targets for:

  • Seizure and infiltration
  • Undercover operations
  • Intelligence collection on active and prospective offenders

By 2025, many actors treat high-profile forums as necessary but risky.

The XSS takedown and BreachForums sentencing are reminders that investigations often span multiple years before going public, that sentences can be revisited and made harsher as courts and prosecutors recalibrate how serious digital crimes are, and that law enforcement agencies are increasingly comfortable with crypto tracing, infiltration, and complex international joint operations.

The underground can adapt quickly, but investigators are learning and iterating too.

If you follow this space for security, research, or policy, 2025 offers some clear lessons:

Names like “XSS,” “BreachForums,” or “Abacus” come and go. What persists is the actors who are active on these sites; they often work across multiple sites, and it is important to track whether and how they continue to operate and which networks they operate within. One way of doing this is following the money: monitoring any wallet addresses they share and how funds move across the blockchain. It is also possible to identify new and upcoming sites by monitoring existing and adjacent sites for chatter from actors, and by identifying infrastructure patterns such as hosting choices and tools used.
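The “follow the money” step above starts with reliably pulling payment addresses out of posts and checking that they are real addresses rather than look-alikes before linking personas across sites. The following is an added example, not DarkOwl code: it extracts Bitcoin, Ethereum and Monero-shaped strings with regular expressions, verifies the Bitcoin ones with the Base58Check and Bech32 checksums (Ethereum and Monero get shape checks only, since their checksums need Keccak, which is not in the standard library), and reports addresses that reappear on more than one site. The forum names and post texts are constructed; the addresses are public test vectors.

```python
"""Pull cryptocurrency addresses out of forum posts, validate their checksums,
and report addresses that recur across sites. Added example with constructed
sample posts; only Bitcoin addresses get a real checksum test here."""
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Loose shape patterns; the checksum validators below remove look-alikes.
PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][%s]{25,34}\b" % B58),
    "btc_bech32": re.compile(r"\bbc1[%s]{6,87}\b" % BECH32, re.IGNORECASE),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),   # shape only (EIP-55 needs Keccak)
    "xmr": re.compile(r"\b[48][%s]{94}\b" % B58),  # shape only
}


def base58check_ok(addr: str) -> bool:
    """Legacy (P2PKH/P2SH) addresses: 1 version byte + 20-byte hash + 4-byte
    checksum, where the checksum is the first 4 bytes of SHA-256(SHA-256(payload))."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # leading '1's are zero bytes
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def bech32_ok(addr: str) -> bool:
    """BIP173/BIP350 checksum: the polymod over the expanded HRP plus the data
    part must equal 1 (bech32) or 0x2bc830a3 (bech32m)."""
    addr = addr.lower()
    if "1" not in addr:
        return False
    hrp, data = addr.rsplit("1", 1)
    try:
        values = [BECH32.index(c) for c in data]
    except ValueError:
        return False
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            if (top >> i) & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)


VALIDATORS = {"btc_legacy": base58check_ok, "btc_bech32": bech32_ok}


def extract_addresses(text: str) -> dict:
    """Return {address: kind} for every candidate that passes its validator."""
    found = {}
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            addr = match.group(0)
            check = VALIDATORS.get(kind)
            if check is None or check(addr):
                found[addr] = kind
    return found


def shared_addresses(posts_by_site: dict) -> dict:
    """Addresses seen on more than one site, with the sites they appeared on.
    A reused payment address is a strong (though not conclusive) link between
    personas on different forums."""
    seen = defaultdict(set)
    for site, posts in posts_by_site.items():
        for post in posts:
            for addr in extract_addresses(post):
                seen[addr].add(site)
    return {addr: sorted(sites) for addr, sites in seen.items() if len(sites) > 1}


# Constructed sample posts (not real forum content). The Bitcoin addresses are
# the genesis-block address and the BIP173 test vector, the ETH address is an
# EIP-55 test vector, and the last post carries a one-character typo.
SAMPLE_POSTS = {
    "forum_a": [
        "selling combolist, 0.02 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa escrow ok",
        "eth also accepted: 0x52908400098527886E0F7030069857D2E4169EE7",
    ],
    "forum_b": [
        "same vendor, new home: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
        "or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
        "impostor copying the address with a typo: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    ],
}

if __name__ == "__main__":
    for addr, sites in shared_addresses(SAMPLE_POSTS).items():
        print(addr, "->", ", ".join(sites))
```

The typo’d copy on forum_b fails Base58Check and is dropped, so it cannot create a false link; the genuine address appears on both sites and is reported as shared. The next step in practice is to feed the surviving addresses to a blockchain explorer or clustering tool, which this offline example does not do.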

Takedowns come with positives and negatives for investigators. On the one hand, a source of intelligence has been removed; sometimes we lose access to sites on which we had good visibility and were able to obtain a large amount of information to assist our investigations. The users of these sites also scatter, and it becomes a race to find the next site and where the actors we are most interested in have moved to.

On the other hand, illegal activity has been thwarted, usually with arrests and infrastructure seizures that reduce it. While we sometimes have to scramble to maintain oversight, the actors also have to scramble to find a new home, which slows them down, and the fear that they are now on law enforcement’s radar may deter some of them entirely. Furthermore, newly unsealed indictments can reveal OPSEC failures and tradecraft that assist future investigations, seizure notices and infrastructure details can feed your detections, and you can update risk assessments for actors tied to seized forums and markets.

As exit scams become more common, offenders tend to gravitate toward smaller, more “community-focused” markets. More trading moves into semi-closed spaces such as invite-only Telegram channels, and some actors may experiment with more robust escrow, multisig, and reputation mechanisms, but trust remains fragile. This makes the activity harder to infiltrate and track, with implications for everything from undercover operations to intelligence collection.

Serious illicit trade often uses a mix of different platforms, and it is important to have oversight of all of them which can include:

  • Tor markets and forums
  • Clearnet infrastructure (CDNs, bulletproof hosts, compromised servers)
  • Encrypted messaging platforms

A defensive strategy that stops at Tor is going to miss much of the real activity.

2025 didn’t “end” the dark web. But it did accelerate a shift that’s been visible for years:

  • Big, stable, centralized markets and forums are increasingly unsustainable.
  • Law enforcement is better at seizing infrastructure and tracing crypto.
  • Admins are quicker to pull the plug and disappear with user funds.
  • Users are more paranoid, more fragmented, and more willing to move between platforms.

For analysts, this is both good and challenging news. The chaos slows down some criminal operations—but it also pushes activity into smaller, harder-to-observe corners of the ecosystem. DarkOwl can assist in making sure you are able to monitor all areas where illicit activity is occurring and help you track actors as they react to takedowns and exit-scams. The dark web will continue but it will evolve and to mitigate risk it is important to closely track these changes.



Four Inc. Partners with DarkOwl to Deliver Actionable Darknet Intelligence to the Public Sector

Herndon, VA – January 14, 2026

Four Inc. has been named a public sector technology provider for DarkOwl, the industry’s leading provider of darknet data. Under this agreement, DarkOwl will improve cybersecurity defense for the public sector through Four Inc.’s NASA Solutions for Enterprise-Wide Procurement V (SEWP V) and Information Technology Enterprise Solutions – Software 2 (ITES-SW2) contract vehicles and its network of channel partners. This collaboration combines Four Inc.’s expertise in delivering innovative solutions to the public sector with DarkOwl’s unique capability to identify, monitor, and analyze hidden online threats.

DarkOwl empowers public sector organizations with advanced darknet intelligence to support informed decision-making and rapid response. Its flagship platform, DarkOwl Vision, provides access to one of the world’s largest available databases of information collected from the darknet. DarkOwl automatically, continuously, and anonymously collects and indexes darknet, deep web, and high-risk surface net data, enabling agencies to uncover exposed credentials, monitor threat actor activity, and identify emerging risks before they impact operations. Supporting critical missions across national security, infrastructure protection, and law enforcement, DarkOwl delivers comprehensive data and powerful analytics to help public sector teams reduce exposure, strengthen defenses, and maintain operational readiness in an increasingly complex cyber threat environment.


DarkOwl’s Vision platform is available immediately via Four Inc.’s SEWP V and ITES-SW2 contract vehicles. For more information, contact Four Inc. at [email protected]

About DarkOwl

DarkOwl, founded in 2009, is the industry’s leading provider of darknet intelligence, delivering the world’s largest commercially available index of darknet, deep web, and high-risk surface web content. The company enables government and enterprise organizations to identify exposed data, monitor emerging threats, and assess risk using continuously collected data, advanced analytics, and scalable intelligence tools. Supporting defense, national security, law enforcement, and critical infrastructure missions, DarkOwl helps organizations strengthen cybersecurity posture, respond more effectively to threats, and protect mission-critical operations.

Learn more at:  DarkOwl

About Four Inc.

Four Inc. is a respected Public Sector IT distributor and has earned a place on Washington Technology’s Top 100 Government Contractors list for ten consecutive years. With deep expertise in the federal IT contracting landscape and a well-established network of technology manufacturers and partners, Four Inc. consistently delivers the right solutions and services to meet government needs. Through their proven experience and dedication towards their core values, they have earned the IT community’s respect and trust.

The State of Darknet Marketplaces in 2025: Trends, Metrics, and Insights

December 18, 2025

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape.

In 2025, we collected unique listings from the leading darknet marketplaces, summarized in Figure 1(a). Vendor activity is shown separately in Figure 1(b).

Based on listing volume, the most active markets in our dataset were Black-Pyramid, Ares, Dark-Matter, Zelenka-Lolzteam, Nexus-Market, and Drughub. These platforms consistently generated high volumes of product posts across a wide range of categories, from narcotics and fraud services to digital goods and hacking tools. However, when ranking markets by the number of distinct vendors rather than total listings, a slightly different picture emerges. Zelenka-Lolzteam, Archetyp, Drughub, Dark-Matter, Blackopps, and Black-Pyramid attracted the largest number of sellers overall, illustrating how some markets excel at breadth of vendors even if they generate fewer listings per seller.

Market stability in 2025 remained a challenge, as several high-profile platforms experienced abrupt shutdowns. MGM-Grand, Archetyp, Abacus, and Elysium-Market all disappeared mid-year, either due to law enforcement intervention or suspected exit scams. Their closures caused sudden shifts in vendor migration patterns and contributed to the overall volatility of the ecosystem. These dynamics highlight the importance of tracking not just market size but also operational longevity, resilience, and community trust.

Figure 1: Top Markets by (a) Unique product listings and (b) unique vendors

Reviews play a crucial role in darknet marketplaces because they are one of the few publicly visible indicators of community engagement, trust, and transaction legitimacy. In environments where users operate anonymously and traditional reputation systems are absent, reviews help buyers gauge vendor reliability, product quality, and the likelihood of receiving what they paid for. They also offer insight into vendor longevity and buyer satisfaction—information that listing counts alone cannot provide.

On these markets, review activity becomes a broader marker of community health. Reviews show that buyers are active, transactions are taking place, and vendors are accumulating reputational signals that others can verify. When users take the time to leave feedback, it fosters a shared sense of accountability within an otherwise anonymous ecosystem. Markets with consistent review activity tend to feel more dynamic and trustworthy: buyers rely on collective experience to avoid scams, vendors depend on feedback to differentiate themselves, and the community becomes more informed and resilient. In this way, engagement acts as a stabilizing force, shaping user behavior and contributing to the long-term viability of a market. Measuring review activity therefore offers more than a participation metric: it provides a window into the social dynamics that influence market stability, consumer decision-making, and the overall trust architecture of the darknet ecosystem. It must also be considered, however, that reviews can be fabricated by vendors to make themselves appear active and reliable, so review counts should be read alongside other signals rather than on their own.

To quantify these dynamics, we examined review activity across markets. Overall, 68% of the markets we collected included some form of user review or feedback mechanism. Among those markets, 23% of listings had at least one review; across all markets (including those without review systems), 16% of listings received reviews. On markets that supported reviews, listings averaged 7 reviews per post, rising to 16 reviews when considering only listings that had reviews. Notably, ten of the fourteen top markets discussed above offered review functionality. Figure 2 shows the percentage of listings with reviews across these top markets, illustrating the varying levels of community engagement.

Figure 2: Markets with the highest customer engagement based on percentage of listings with reviews

In addition to examining overall activity and community engagement, we conducted a category-level analysis across the full DarkMart dataset, not just the top markets. Whenever markets provided category labels, we extracted and normalized them into 11 high-level categories to create a consistent taxonomy across platforms. For listings without explicit category metadata, we applied a clustering-based classification approach to assign them to the most likely category based on listing text and semantic similarity. This allowed us to produce a unified view of the thematic composition of the ecosystem.
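The two-stage approach described above (normalize the labels markets supply, then assign the rest from listing text) can be shown end to end in a small, self-contained form. The following is an added example, not DarkOwl’s pipeline: it uses a hand-written label map for the three category names the post mentions (the raw market labels in the map and the listings are constructed), and in place of the post’s clustering-based classifier it uses a nearest-centroid classifier over bag-of-words vectors built from the already-labelled listings, with a similarity threshold so that listings with no recognisable vocabulary stay unclassified instead of being guessed.

```python
"""Normalize per-market category labels into one taxonomy and assign a
category to unlabelled listings by nearest centroid over bag-of-words
vectors. Added example; the label map and listings are constructed."""
import math
import re
from collections import Counter, defaultdict

# Assumed mapping from raw market labels to high-level categories. Only the
# three category names from the post are used; the raw labels are invented.
LABEL_MAP = {
    "drugs": "Drugs and Chemicals", "cannabis": "Drugs and Chemicals",
    "opioids": "Drugs and Chemicals", "pharmacy": "Drugs and Chemicals",
    "fraud": "Fraud", "carding": "Fraud", "cvv": "Fraud", "fullz": "Fraud",
    "counterfeit": "Counterfeit Items", "replica": "Counterfeit Items",
    "fake ids": "Counterfeit Items",
}
UNCLASSIFIED = "Unclassified"


def normalize_label(raw):
    """Map a market's own label (e.g. 'Drugs > Cannabis') to the taxonomy, or None."""
    if not raw:
        return None
    key = re.sub(r"[^a-z0-9 ]+", " ", raw.lower())
    key = re.sub(r"\s+", " ", key).strip()
    for candidate in [key] + key.split(" "):   # whole label first, then its words
        if candidate in LABEL_MAP:
            return LABEL_MAP[candidate]
    return None


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def build_centroids(labelled):
    """labelled: iterable of (text, category). Unit-length term-frequency centroids."""
    counts = defaultdict(Counter)
    for text, category in labelled:
        counts[category].update(tokens(text))
    centroids = {}
    for category, counter in counts.items():
        norm = math.sqrt(sum(v * v for v in counter.values()))
        centroids[category] = {t: v / norm for t, v in counter.items()}
    return centroids


def classify(text, centroids, threshold=0.2):
    """Cosine similarity between the listing's binary term vector and each
    centroid; below the threshold the listing stays unclassified."""
    terms = tokens(text)
    if not terms or not centroids:
        return UNCLASSIFIED
    best, score = UNCLASSIFIED, 0.0
    for category, vec in centroids.items():
        s = sum(vec.get(t, 0.0) for t in terms) / math.sqrt(len(terms))
        if s > score:
            best, score = category, s
    return best if score >= threshold else UNCLASSIFIED


def categorize(listings):
    """Explicit labels first (they also train the centroids), then text-based
    assignment for the remainder. Returns one category per listing, in order."""
    texts = [f"{l['title']} {l['description']}" for l in listings]
    explicit = [normalize_label(l.get("category")) for l in listings]
    centroids = build_centroids((t, c) for t, c in zip(texts, explicit) if c)
    return [c if c else classify(t, centroids) for t, c in zip(texts, explicit)]


def distribution(categories):
    """Share of listings per category, in percent, rounded to one decimal."""
    total = len(categories)
    return {c: round(100.0 * n / total, 1) for c, n in Counter(categories).items()}


# Constructed listings: six with market-supplied labels in assorted formats,
# three without any usable label.
LISTINGS = [
    {"title": "1g premium cannabis flower", "description": "indoor grown sticky", "category": "Drugs > Cannabis"},
    {"title": "Oxycodone 30mg pills", "description": "opioid pain relief pressed", "category": "Drugs/Opioids"},
    {"title": "USA CVV fullz", "description": "cards with dob ssn high balance", "category": "Fraud - Cards"},
    {"title": "Bank log + phishing kit", "description": "account takeover ready", "category": "FRAUD"},
    {"title": "Replica Rolex Submariner", "description": "aaa quality watch", "category": "Counterfeit"},
    {"title": "Scannable fake ID", "description": "drivers license with hologram", "category": "Fake IDs"},
    {"title": "Gold seal hash 5g", "description": "cannabis sticky indoor", "category": None},
    {"title": "Scannable passport", "description": "hologram uv fake", "category": ""},
    {"title": "Random item", "description": "no useful words", "category": None},
]

if __name__ == "__main__":
    cats = categorize(LISTINGS)
    for listing, cat in zip(LISTINGS, cats):
        print(f"{cat:20s} {listing['title']}")
    print(distribution(cats))
```

The threshold is the important knob: with only a handful of seed terms per category, a listing that shares nothing with any centroid scores 0 and is reported as Unclassified, which is the honest answer and keeps the category percentages from being inflated by guesses. On a real dataset the centroids would come from thousands of labelled listings and TF-IDF or embedding vectors would replace the binary term counts, but the two-pass structure stays the same.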

Figure 3 presents the distribution of these categories across all markets in our dataset. The landscape is dominated by Drugs and Chemicals, which account for 68% of all listings. This aligns with longstanding trends in darknet commerce, where narcotics represent the bulk of transactional activity. The next largest categories are Fraud (13%) and Counterfeit Items (7%). The Fraud category encompasses offerings such as stolen payment-card data, phishing kits, account takeovers, and forged or altered identification documents. Counterfeit items include fake currency, imitation branded goods (e.g., luxury watches, designer bags), and various forged certificates or documentation.

Because drugs and chemicals dominate the darknet marketplace landscape, we took a closer look at the different types of products within this category. The right side of Figure 3 shows the distribution of subcategories, offering insight into the variety of goods vendors specialize in.

Cannabis leads the subcategories, accounting for 41% of listings, and includes traditional cannabis as well as THC-infused products. Following cannabis are opioids (14%), including powerful painkillers like Fentanyl and Heroin, which act on the body’s opioid receptors. Psychedelics (11%), including LSD, psilocybin mushrooms, and Ketamine, also make up a significant portion, designed to alter perception, mood, and cognition.

Stimulants (12%), including Methamphetamine, Cocaine, and other “speed” drugs, increase alertness and energy, while depressants (3%), such as Xanax and GHB, slow brain activity and are often prescribed for anxiety or sleep disorders. Party drugs (7%), such as MDMA (ecstasy), are designed to enhance sociability and create feelings of empathy, and are often used in recreational settings. Finally, miscellaneous drugs (3%) cover a variety of specialized items, from hormonal treatments and sexual enhancement products to vaping-related substances.

Taken together, this subcategory breakdown illustrates not just the sheer volume of drug-related listings, but also the diversity of products and specialization among vendors. It shows how darknet marketplaces cater to a wide range of consumer needs, from medical and recreational to niche and experimental.

Figure 3: DarkMart category and subcategory breakdown (Drugs and Chemicals)

We also examined the shipping data available for our 2025 product listings. Figure 4 illustrates the flow of shipments from source countries to destination countries. For clarity, we excluded listings where the source or destination was listed as “worldwide” and aggregated countries into broader continents or regions.

Unsurprisingly, the bulk of shipments occur within North America. Europe follows a similar pattern, with many shipments staying within the continent, but European vendors also reach a wide range of international destinations. North America, too, sends products across the globe, including to regions like Africa—even though Africa itself contributes very few listings as a point of origin.

Some patterns are particularly striking. A small subset of products reportedly ships from and to Antarctica, highlighting the unusual and niche nature of certain listings, although, since shipping fields are vendor-declared, such entries may equally be placeholders or jokes and should be read with that in mind. Asia exhibits a more modest version of Europe’s international reach, with most shipments staying regional and a smaller proportion traveling worldwide.

Overall, the shipping data reveals that while most transactions remain regional, darknet markets are capable of supporting truly global commerce. The map also underscores the asymmetry of trade: some regions are primarily exporters, others primarily importers, and a few see very limited activity despite being part of the network. These flows offer a window into how products, and by extension, vendors, connect distant parts of the world in a complex, global ecosystem.
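Both the review figures earlier in the post (share of markets with a feedback mechanism, share of listings with at least one review on two different denominators, and two different average review counts) and the shipping flows above come down to careful bookkeeping over the same listing records. The block below is an added example, not DarkOwl’s code, that computes both over a small constructed dataset: the markets, listings, review counts, country codes and the country-to-region table are all assumptions made for the example, and “worldwide” is excluded from the flows exactly as the post describes.

```python
"""Review-engagement metrics with explicit denominators, and region-to-region
shipping flows from vendor-declared shipping fields. Added example over a
constructed dataset; the country-to-region table is an assumption."""
from collections import Counter, defaultdict

# Assumed country-to-region table (a real pipeline would cover every ISO code).
REGION = {
    "US": "North America", "CA": "North America",
    "DE": "Europe", "NL": "Europe", "GB": "Europe",
    "CN": "Asia", "IN": "Asia", "NG": "Africa", "AU": "Oceania", "AQ": "Antarctica",
}

# Which markets expose a review/feedback mechanism at all (constructed).
MARKETS = {"alpha": True, "beta": True, "gamma": False}

# Constructed listings; reviews is None where the market has no review system.
LISTINGS = [
    {"market": "alpha", "reviews": 10, "ships_from": "US", "ships_to": "US"},
    {"market": "alpha", "reviews": 0, "ships_from": "US", "ships_to": "US"},
    {"market": "alpha", "reviews": 0, "ships_from": "US", "ships_to": "NG"},
    {"market": "alpha", "reviews": 20, "ships_from": "US", "ships_to": "worldwide"},
    {"market": "beta", "reviews": 0, "ships_from": "DE", "ships_to": "DE"},
    {"market": "beta", "reviews": 0, "ships_from": "NL", "ships_to": "GB"},
    {"market": "beta", "reviews": 6, "ships_from": "DE", "ships_to": "IN"},
    {"market": "beta", "reviews": 0, "ships_from": "DE", "ships_to": "Worldwide"},
    {"market": "beta", "reviews": 0, "ships_from": "AQ", "ships_to": "AQ"},
    {"market": "gamma", "reviews": None, "ships_from": "CN", "ships_to": "CN"},
    {"market": "gamma", "reviews": None, "ships_from": "CN", "ships_to": "US"},
    {"market": "gamma", "reviews": None, "ships_from": "worldwide", "ships_to": "US"},
]


def pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0


def review_metrics(markets, listings):
    """Each figure names its denominator so the percentages are comparable."""
    on_review_markets = [l for l in listings if markets[l["market"]]]
    reviewed = [l for l in on_review_markets if (l["reviews"] or 0) > 0]
    total_reviews = sum(l["reviews"] for l in reviewed)
    return {
        "markets_with_reviews_pct": pct(sum(markets.values()), len(markets)),
        "reviewed_pct_on_review_markets": pct(len(reviewed), len(on_review_markets)),
        "reviewed_pct_all_listings": pct(len(reviewed), len(listings)),
        "mean_reviews_on_review_markets":
            round(total_reviews / len(on_review_markets), 2) if on_review_markets else 0.0,
        "mean_reviews_per_reviewed_listing":
            round(total_reviews / len(reviewed), 2) if reviewed else 0.0,
    }


def shipping_flows(listings):
    """Count source-region -> destination-region pairs, dropping 'worldwide' on
    either side (it carries no geography) and mapping unknown codes explicitly."""
    flows = Counter()
    for l in listings:
        src, dst = (l.get("ships_from") or ""), (l.get("ships_to") or "")
        if not src or not dst or "worldwide" in (src.lower(), dst.lower()):
            continue
        flows[(REGION.get(src.upper(), "Unknown"), REGION.get(dst.upper(), "Unknown"))] += 1
    return flows


def trade_balance(flows):
    """Exports minus imports per region over inter-region flows only:
    positive means net exporter, negative means net importer."""
    balance = defaultdict(int)
    for (src, dst), n in flows.items():
        if src != dst:
            balance[src] += n
            balance[dst] -= n
    return dict(balance)


if __name__ == "__main__":
    print(review_metrics(MARKETS, LISTINGS))
    for (src, dst), n in sorted(shipping_flows(LISTINGS).items()):
        print(f"{src:14s} -> {dst:14s} {n}")
    print(trade_balance(shipping_flows(LISTINGS)))
```

One consistency check worth applying to any published engagement figures: the mean review count over all listings on review-enabled markets must equal the share of those listings that have a review multiplied by the mean over reviewed listings (here 0.333 × 12.0 = 4.0). If two reported averages and a reported share do not satisfy that identity, they were computed over different denominators.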

Figure 4: Shipping flows within DarkMart

Our 2025 analysis of darknet marketplaces paints a picture of a highly active and evolving ecosystem. Some markets dominate in listings, while others attract the largest communities of vendors. Drug-related listings continue to account for most of the activity, with fraud and counterfeit items forming significant secondary categories. Shipping data highlights both regional concentration and surprising international reach, while review metrics reveal the importance of community engagement in fostering trust and reliability in an otherwise anonymous environment.

Taken together, these insights offer a comprehensive snapshot of the darknet economy, one that shows both the scale of activity and the social dynamics that sustain it. As markets rise, fall, and adapt, ongoing monitoring is essential to understand the forces shaping this hidden corner of global commerce.


Copyright © 2026 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.