Author: DarkOwl Content Team

Understanding the Difference Between Scams and Fraud

May 09, 2023

Many times we use the words “scam” and “fraud” interchangeably. Fraud is an umbrella term, legally referring to various types of chargeable criminal offenses. Scams, on the other hand, are a particular segment of fraud. 

One way to think about the difference between these two is from a legal perspective. Fraud is serious criminal business, while scams are considered more minor offenses in comparison. Many types of fraud are classified as felonies, versus scams which are typically charged as misdemeanors.

Another way to look at it is from a bank’s perspective. Financial institutions differentiate the two as follows: a scam is theft of funds with your permission or knowledge, while fraud is financial theft without your permission or knowledge.

Figure 1: Example of a dark web site offering a combination of Fraud and Scams (Source: Tor)

To make things even more confusing, a threat actor may often start out with a simple scam that then progresses to fraud. For example, an email phishing scam may allow a threat actor to access enough personally identifiable information (PII) to file a false tax return on the victim’s behalf, which is tax fraud. According to the New Zealand CERT, “a scam becomes fraud when a scammer gets someone’s personal or financial details and uses them for their own gain, or receives money from their target under false pretences.”

Figure 2: Example of a romance scam that does not cross over into fraud because the victim willingly gave the threat actor their money (Source: DarkOwl Vision)

Examples of Fraud

Invoice Fraud – Compromised business email account is used to send falsified invoices for services and goods that were never rendered.

Insurance Fraud – Receiving medical care using someone else’s insurance card.

General Financial Fraud – Unauthorized use of credit card for purchases.

Account Takeover (ATO) – Criminal accesses victim’s financial bank accounts to steal or move money illegally.

Identity Theft – Unauthorized use of someone’s identity to open credit cards or get a mortgage.

“Safe Account” Fraud – Victim is lured into moving money into a ‘safe account’ after the fraudster convinces the victim there has been ‘suspicious activity’ on the account. The fraudster asks for financial details and then performs the transfer – which is why it is fraud and not a simple scam.

Tax Fraud – Impersonating someone to get a tax refund you’re not entitled to.

Figure 3: Example of a tutorial on the dark web for committing Tax Fraud (Source: DarkOwl Vision)

Examples of Scams

Phishing Scams – Emails and texts to get people to click on a link to enter PII. (Read our analysis of a year’s worth of phishing emails here.)

Investment Scams – Fake investment schemes (‘boiler room’) and non-existing charities.

Counterfeit Scams – For example, you order an expensive Rolex watch online, but instead receive a cheap knockoff.

Prize/Lottery Scams – A phishing email may claim “you’ve won all this money… but you need to pay fees and taxes up front,” and then the prize or promised reward is never delivered.

419 or “Generic” Scams – One of the most common 419 scams is sometimes referred to as the “Nigerian Prince Scam”.

Invoice Scams – These are typically pitched with a high sense of urgency, demanding payment for goods or services never provided.

Social Media Scams – Romance Scams fall under this category. These scams involve using social deception designed for financial gain, but because the victim willingly hands over the money, it’s not tagged as fraud. 

Occupation Scams – Money mule schemes advertised as legitimate job opportunities.

Inflation Scams – False government programs advertised as legitimate ‘financial relief’ for energy costs or pandemic relief, for example.

Debt Elimination Scams – A promise to consolidate or remove debt in exchange for an upfront fee, which is stolen with no services provided.

Figure 4: Advertisements for a variety of tools threat actors can use to scam victims, including pre-built spoofed webpages (Source: DarkOwl Vision)

Tips for Spotting the Difference

When trying to decide if something should be categorized as a scam or fraud, differentiating the criminal’s intentions and the means of financial or illicit gain is a good starting point. A question to ask is, is this threat actor a fraudster or a scammer – or both? Also, what was the level of the victim’s involvement in the crime? Remember that not all fraudsters are scammers, and not all scammers are social engineers.


Financial fraud and scams are a time-consuming investigative area for many local law-enforcement and federal/international cybercrime units. To learn how DarkOwl can help support fraud and scam investigations, contact us here.

Password Hygiene and Awareness: Trends from the Darknet

May 05, 2023

In honor of this week’s World Password Day, we took a look at how different password trends have evolved over the past year. In doing so we found that many people are still making common password mistakes, such as using their favorite year or using highly popular (and crackable) strings of characters like “123456”. Read on for a breakdown of these trends, as well as some additional insights from our data science team.

Passwords on the Darknet

Credentials are one of the most sought-after and frequently exchanged digital goods in the darknet economy. In many cases, large quantities of compromised accounts are combined and reshared across multiple darknet and deep web forums, including dark-web-adjacent platforms such as Telegram. Criminals leverage this data in a variety of ways. For example, some may use a credential cracking or “stuffing” tool to cross-reference emails with other password lists – or use common password conventions to guess the password – and verify an active email and password combination. In the gravest cases, when active corporate accounts are discovered, they can be used to gain initial access into a company’s network and allow the intruder to commit a crime such as a ransomware attack.

Credential lists also sometimes appear as an email + hashed password combination. However, this is less common and is considered moderately less risky, as it requires the threat actor to first crack the hash to recover the password before making use of it.

Changes in Password Volumes in DarkOwl Vision

Overall, we saw a 16% increase in the total number of email addresses in our darknet data. In 2022, we detected 8,680,000,000, which has since risen to 10,069,116,483 total compromised emails. Though this does include some that did not have associated passwords, an exposed email still poses a degree of risk.

Of the exposed emails in our dataset, over 50% of them appeared with an associated password. The total number of email and password combos detected currently is 5,681,306,514 – up from 5,460,000,000 last year.

Alarmingly, the number of plain text passwords with an associated email jumped by over a fifth in the last year. We detected 5,160,309,835 with plain text passwords as compared to last year’s 4,285,451,030.

Overall, the number of emails with associated hashed passwords remained fairly consistent. 2022 analysis indicated 518,566,724 hashed password and email combos, which has only risen slightly to 520,996,679 this year.

Password Lengths

Of the plain text passwords we analyzed, 8 characters is by far the most common password length. We expect to see that number shift in coming years as companies implement more rigorous password policies including multi-factor authentication (MFA).

Password Strengths

A positive trend of note is that over the past year, we saw an increase in the total number of “strong” passwords. Per industry standards, “strong” passwords are defined as containing special characters, digits, lowercase, uppercase, and length greater than 8 characters. Overall, we detected 643,498,941 passwords that are considered “strong” – up from 637,000,000 last year.

On the flip side, we saw a decrease of nearly 10% in the number of passwords using digits. Using digits, as well as special characters, is highly recommended as a method of defending against password crackers. Unless an 8-character password includes numbers and symbols, the password can potentially be brute-forced.

Common Patterns Persist

Perhaps out of laziness, a trend that we see consistently with passwords is the use of strings of digits or characters that are easy to type on a keyboard. This unfortunately appears to be a persistent trend, with the number of people using “123456” or “123456789” increasing across the board.

While less popular than number strings, other keyboard patterns such as “qwerty” remain a popular choice of password. In fact, the number of passwords containing or comprised of “qwerty” jumped by 10% this year.

Perhaps most egregiously, we saw a massive jump in the number of exposed email addresses whose associated password was literally “password”.

Using Your Date of Birth or Anniversary as a Password is Still a Bad Idea

A relatively sizable portion of the passwords we analyzed contained a year, such as “darkowl1990”. Interestingly, we found 102,368,238 passwords that followed a yyyy-mm-dd format, and 13,223 that used yyyy/mm/dd. While this is positive in that it utilizes special characters, the prevalence of users who incorporate a date into their password means that threat actors will leverage this pattern when attempting to brute-force accounts.

The most popular year detected in our data is 1990, with 14,518,056 containing that year. Years between 1990 and 1999 remain the most popular, which is consistent with last year’s analysis.
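As an added example (not DarkOwl’s own analysis code), the following Python classifies a constructed sample of plaintext passwords by the traits discussed in this section: the page’s “strong” definition, the most common length, the “123456”, “qwerty” and “password” patterns, yyyy-mm-dd and yyyy/mm/dd dates, and years in the 1990s. The year regex (a standalone four-digit 19xx/20xx run) and the sample corpus are assumptions.

```python
"""Classify a corpus of exposed plaintext passwords by the traits discussed above.

Added example, not DarkOwl's tooling. "Strong" follows the page's definition
(special character, digit, lowercase, uppercase, length greater than 8).
"""
import re
from collections import Counter

# Constructed sample corpus (not real leaked data).
SAMPLE_PASSWORDS = [
    "123456", "123456789", "qwerty", "Qwerty123", "password", "Password1!",
    "darkowl1990", "summer1995", "1990-04-15", "1988/12/01", "C0rrect-H0rse!",
    "Tr0ub4dor&3", "abc12345", "letmein", "1990", "iloveyou", "sunshine", "baseball",
]

# Keyboard-walk and dictionary patterns the page calls out.
KEYBOARD_PATTERNS = ("123456", "qwerty", "password")
# Assumption: a "year" is a standalone four-digit 19xx or 20xx run.
YEAR_RE = re.compile(r"(?<!\d)(19[0-9]{2}|20[0-9]{2})(?!\d)")
DATE_DASH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
DATE_SLASH_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")


def is_strong(pw):
    """Page's definition: upper, lower, digit, special character and length > 8."""
    return (len(pw) > 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def classify(pw):
    """Return the set of trait tags that apply to one password."""
    tags = set()
    if is_strong(pw):
        tags.add("strong")
    if any(c.isdigit() for c in pw):
        tags.add("has_digit")
    lowered = pw.lower()
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            tags.add("pattern:" + pattern)
    if DATE_DASH_RE.match(pw):
        tags.add("date:yyyy-mm-dd")
    if DATE_SLASH_RE.match(pw):
        tags.add("date:yyyy/mm/dd")
    match = YEAR_RE.search(pw)
    if match:
        tags.add("has_year")
        if 1990 <= int(match.group(1)) <= 1999:
            tags.add("year_1990s")
    return tags


def analyze(passwords):
    """Aggregate trait counts, the most common length and the most common year."""
    tag_counts = Counter()
    length_counts = Counter(len(pw) for pw in passwords)
    year_counts = Counter()
    for pw in passwords:
        tag_counts.update(classify(pw))
        match = YEAR_RE.search(pw)
        if match:
            year_counts[match.group(1)] += 1
    return {
        "total": len(passwords),
        "most_common_length": length_counts.most_common(1)[0][0],
        "tags": dict(tag_counts),
        "most_common_year": year_counts.most_common(1)[0][0] if year_counts else None,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(key, value)
```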

Hashed Passwords

In cryptography, hashing involves using a mathematical algorithm to map data of any size into a bit string of a fixed size. In password hashing, a ‘hash’ is a unique digital fingerprint (of a fixed size) corresponding to the original plaintext password, which cannot be reversed. There are several different ‘hashing algorithms’ available for protecting stored passwords.

The most common hash in DarkOwl’s darknet collection is MD5, followed by SHA-1. While this is consistent with last year, we did not see an increase in hashes of these types, as one might expect as more data is collected over time. On the other hand, over the past year we saw a massive jump in SHA-256 and SHA-512 hashes compared with 2022. This suggests that these types of hashes are becoming more popular, and we should expect to see this number grow in the coming years.

According to reporting, 51% of people use the same password for their work and personal accounts. To see if our data is consistent with that finding, our data team conducted an analysis to estimate the number of “shared passwords” between work and personal accounts. To do this, our data team partitioned the data into two categories: commercial email providers (gmail, yahoo, etc.) and companies (DarkOwl, Apple, Microsoft, etc.). Then, we looked for the number of accounts that had the same username between company and commercial emails, such as [email protected] vs. [email protected].

Once detected, we looked for the number that shared the same username and the same password. In doing so we found that 45% of matched accounts re-used the same password. This is likely an underestimate due to variations in naming conventions across email accounts, but it supports the notion that using the same password for multiple accounts is a highly common practice. Overall, we detected 35,085,849 instances of linked email addresses that appeared with the same password.
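As an added example covering both the hashed-password and shared-password analyses above (not DarkOwl’s own code), this Python parses a constructed email:password dump, labels each secret as plaintext or a hash type by hex digest length (an assumption: 32/40/64/128 hex characters for MD5/SHA-1/SHA-256/SHA-512), partitions accounts by commercial versus company domain, and counts usernames whose passwords match across the two, also catching the case where one side holds the unsalted digest of the other side’s plaintext. The provider list and sample lines are constructed.

```python
"""Estimate password reuse between company and commercial accounts in a
credential dump, following the partition-and-match method described above.

Added example, not DarkOwl's code. Hash-type labels are assumed from hex
digest length; the provider list and sample lines are constructed.
"""
import hashlib
import re
from collections import defaultdict

# Assumption: unsalted digests are recognisable by hex length alone. A plaintext
# password that happens to be 32/40/64/128 hex characters would be mislabelled.
HASH_TYPES_BY_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample of "commercial" (personal) mail providers; anything else is
# treated as a company domain, as in the page's partitioning.
COMMERCIAL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com"}

# Constructed sample dump in email:password form (no real credentials). The MD5
# value is the well-known digest of the string "password".
SAMPLE_COMBOS = """\
jdoe@example-corp.com:Summer2023!
jdoe@gmail.com:Summer2023!
asmith@example-corp.com:5f4dcc3b5aa765d61d8327deb882cf99
asmith@yahoo.com:password
bjones@example-corp.com:Tr0ub4dor&3
bjones@gmail.com:correcthorse
cwhite@gmail.com:Welcome1
dgreen@example-corp.com
malformed-line
"""


def classify_secret(secret):
    """Return 'plaintext' or the assumed hash algorithm name."""
    if HEX_RE.match(secret) and len(secret) in HASH_TYPES_BY_LEN:
        return HASH_TYPES_BY_LEN[len(secret)]
    return "plaintext"


def parse_combos(text):
    """Yield (localpart, domain, secret) for each well-formed email:password line."""
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # email-only lines and junk carry no password to compare
        email, secret = line.split(":", 1)
        if "@" not in email or not secret:
            continue
        local, domain = email.lower().rsplit("@", 1)
        yield local, domain, secret


def secrets_match(a, b):
    """True if the secrets are equal or one is the unsalted digest of the other."""
    if a == b:
        return True
    for plain, other in ((a, b), (b, a)):
        kind = classify_secret(other)
        if classify_secret(plain) == "plaintext" and kind != "plaintext":
            digest = hashlib.new(HASHLIB_NAMES[kind], plain.encode()).hexdigest()
            if digest == other.lower():
                return True
    return False


def reuse_report(text, commercial=COMMERCIAL_PROVIDERS):
    """Partition by domain, match on username, then compare passwords."""
    by_user = defaultdict(lambda: {"company": [], "commercial": []})
    type_counts = defaultdict(int)
    for local, domain, secret in parse_combos(text):
        type_counts[classify_secret(secret)] += 1
        side = "commercial" if domain in commercial else "company"
        by_user[local][side].append(secret)
    matched = sorted(u for u, s in by_user.items() if s["company"] and s["commercial"])
    reused = [u for u in matched
              if any(secrets_match(c, p)
                     for c in by_user[u]["company"] for p in by_user[u]["commercial"])]
    return {
        "secret_types": dict(type_counts),
        "matched_usernames": matched,
        "reused_usernames": reused,
        "reuse_rate": len(reused) / len(matched) if matched else 0.0,
    }


if __name__ == "__main__":
    for key, value in reuse_report(SAMPLE_COMBOS).items():
        print(key, value)
```

Usernames whose company password is hashed with one algorithm and whose personal password is hashed with another are not matched, which is one reason a count like this is an underestimate.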


In addition to being able to search all collected darknet data for exposed credentials, DarkOwl extracts entities such as IP addresses, credit card numbers, bank identification numbers, and cryptocurrency addresses. This enables an organization to search specifically for relevant entities, such as server IP addresses and email addresses on the same darknet forum. Learn more about Entity API.

Introducing DarkSonar: An Interview With our Product Team

April 25, 2023

In honor of the launch of our newest product, DarkSonar API, our marketing team sat down with DarkOwl’s Director of Product, Sarah Prime and Product Manager, Josh Berman to learn more.


Leah: Hi! Thanks for taking the time to chat with me today. Let’s start out with the basics: what is DarkSonar and what does it do?

Josh: DarkSonar is a relative risk rating based on exposed credentials in the darknet. So, basically, it looks at not only the volume of a company’s exposure, but also the severity of it. For example, a leaked email address that was posted with an associated plain text password would be considered a greater indicator of risk than just a standalone email address. DarkSonar takes that into account and generates a signal that is specific to that company based on its historical exposure, which means companies can monitor for their specific level of risk. Basically, you can think of DarkSonar as an indicator of current cyber risk. 

Sarah: Yeah – really the most defining characteristic of DarkSonar is that it tells you something. It gives you a signal, versus just giving you a score. Is your risk elevated today compared to what it was last week? This is really valuable information for threat intelligence teams or anyone in charge of assessing cyber risk levels. 

Leah: Why did you decide to focus on credentials as the basis for DarkSonar risk signals?

Josh: Exposed or compromised credentials are something that have been definitively proven to be a direct predictor of cyberattacks, which is leaked credentials. Basically, that means that DarkSonar takes into account not just the presence of the emails, but also the context in which it appears. DarkSonar asks questions like, is it just an email by itself? Or, is there a plaintext password with it? Those are two very different things that a threat actor is going to do two very different things with.  

For example, if we detect a domain that has a bunch of emails and plaintext passwords that were put on the darknet yesterday, there’s a very good chance somebody out there is going to try to use those plaintext passwords. I say that because, from the perspective of the threat actor, there’s almost no work they have to do on their end to exploit that information. It’s like it’s an invitation to use this for an attack. Whereas, if there’s no passwords – or even if there’s a hashed password – there’s an extra step there that a threat actor would have to take to compromise that account. And so that’s why that’s weighted heavier in our new calculation. Because of the weighting we have, which accounts for the recency and the severity, we’re able to make an assessment about the relative likelihood of an attack.  

Sarah: As we were thinking about the DarkSonar model, we thought about how we incorporate the actual risk of an exposed entity more meaningfully. You know, instead of just looking at the overall hackishness of the page where an entity is mentioned, how could we assess the hackishness of the mention? We set out to develop a tool that evaluates exposure in a qualitative way, rather than just quantitative. 

Leah:  What does “relative risk” mean in the context of DarkSonar? 

Josh: I think it’s important to point out that by incorporating standardization into the algorithm, DarkSonar signals are relative to the company itself. It has nothing to do with other companies, which means it’s a lot more indicative of actual risk.  

Sarah: Yeah, another way to think about it is that DarkSonar gives you a personalized risk indicator.

Leah: Do you envision companies using DarkSonar for monitoring? 

Sarah: Absolutely. We believe that darknet data is a really important source of insight into criminal activity and potential threats to your attack surface. We know that breaches and ransomware are a huge problem for businesses of all sizes. At a conference I attended recently, one of the presenters cited a survey where 80% of CISOs felt that they were going to be hit by a ransomware attack in the next year. So, with things like that being very top of mind, we’ve continued to innovate new ways to help companies monitor for and potentially even predict cyberattacks.  

Josh: That’s a good point, Sarah. Essentially, we want to help companies use darknet data in a way that means something to them. 

Leah: So let’s say I’m a company monitoring my DarkSonar signal and it suddenly is elevated. Does that mean a cyberattack is imminent?

Josh: It does not mean an attack is imminent, but it does mean that there is a greater likelihood of such an attack occurring. We know this based off of our internal research, combined with validation by external companies that we’ve partnered with. The results of that analysis showed that there’s a pretty strong indicator that an elevated DarkSonar signal correlates with cyber risk.  

Sarah: In developing DarkSonar, we looked at 250 companies with known cyberattacks, and found that their signal was elevated nearly 75% of the time in the months leading up to the attack. For those companies, the DarkSonar signal would have been an early indicator of a future cyberattack. And, to our knowledge, there is no other cyber risk monitoring tool out there that could do that.   

Leah: Are DarkSonar signals something that would benefit small businesses? Or are they more geared towards enterprise companies? 

Josh: DarkSonar is absolutely valuable for small companies as well. That’s because, as we’ve been saying, signals are relative to the company. It’s relative to how they’ve been doing the last two years. So it was not built for just big businesses or just small businesses… it adds the same value to any company with a domain that has email addresses. That’s who it applies to.  

Leah: Are there any other use cases for DarkSonar other than monitoring your own company’s signal?  

Sarah: Oh my gosh, yes. Many. DarkSonar can be used to assess risk for anything that is a part of your attack surface, including third party vendors for example.  

Josh: Monitoring for your own company is definitely important, but, it definitely shouldn’t end there. Your full attack surface includes your supply chain, your clients, your clients’ clients, and so on. This is a tool for monitoring risk across your entire portfolio.  

Leah: Any other closing thoughts? 

Josh: Yeah, I think just generally, we’re proud of the evolution of our darknet exposure monitoring tools. We think it’s super important that we listen to our customers, conduct regular product evaluations based on feedback, etc – and that is what we do every day.  

Sarah: For me, particularly given the environment that we’re in with ransomware attacks that you can see in the headlines on a daily basis, we’ll be thrilled if we can help even one company be aware of a potential risk by using DarkSonar. 


Learn how DarkSonar can help your organization track risk and potentially predict cyberattacks. Contact us.

DarkOwl Announces Release of DarkSonar to Help Businesses Determine Likelihood of Potential Cyberattacks

April 18, 2023

DarkSonar signals inform internal threat modeling, third party risk management, and cyber insurance underwriting

Denver, Colorado, USA – DarkOwl today announced the release of a new product, DarkSonar API, to help organizations better assess and track their potential cyber risk based on the nature of their exposure on the darknet.

Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors over time of organizational exposure of email addresses with associated passwords, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks.

In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in approximately 75% of the cases where a company publicly acknowledged a breach. Depending on the companies and the nature of the attacks, this percentage was as high as 85% in some instances.

“The darknet contains data critical to understanding criminal behavior and security risk,” said Mark Turnage, CEO of DarkOwl. “To develop DarkSonar, we looked at our own vast dataset of darknet content and focused on what has proven to be the number one attack vector for threat actors—namely credentials with passwords. In doing so, we saw that the magnitude of a company’s credential exposure within our database, and the real-life cyberattacks they experience, have a high correlation. This suggests that DarkSonar has not only a monitoring use, but may also have some predictive qualities. It is a valuable tool every threat intelligence team should use and have available.”

DarkOwl’s partner, SecurityScorecard, also expressed the importance of such a tool – even for small businesses. “We recently conducted research with an independent cyber research institute and found that 98% of organizations have vendor relationships with at least one third-party that has experienced a breach in the last two years,” said Alex Rich, VP of Alliances & Channels at SecurityScorecard. “This only reinforces the need for security teams to prioritize maintaining insight into their entire digital ecosystem, including their supply chain. DarkSonar offers a unique way to signal such risks, which is important for businesses of all sizes.”

DarkSonar API was built to be utilized for self-risk assessments, brand monitoring, vendor risk management, and cyber underwriting and risk rating. As supply chain compromise becomes an increasingly prevalent problem, DarkSonar is a means to continually monitor for third-party risk.


To learn more about DarkSonar, please visit https://www.darkowl.com/products/darksonar-api/

Tax Fraud on the Darknet and Deep Web: 2023 Update

April 17, 2023

Last year, we covered some emerging trends around tax fraud that our analysts found on the dark web. This year, we’re continuing that theme by highlighting some of the most recent content our analysts found in DarkOwl Vision ahead of tomorrow’s Tax Day. 

Read on to see examples of the various forms of tax fraud being proliferated on the darknet, deep web, and adjacent platforms such as Telegram.

Note: In each example, a screenshot is provided that captures the listing in its original source location, followed by a screenshot of the result as it appears in DarkOwl Vision, our searchable database of darknet content.

Recent Marketplace Listings Aimed at Tax Fraud in DarkOwl Vision

Example Listing: Telegram

Posted on April 4th, 2023 – The Telegram shop FixCombo MarketPlace has numerous recent listings for tax fraud products such as tax returns.

In this example, an advertisement points fraudsters to another Telegram channel that allegedly sells W2 forms as part of its various product listings. In many of these listings, the offers include other associated information to enable criminals to commit digital identity theft, including sensitive information such as Social Security Numbers, driver’s license images and details, past tax returns, W2s, and more.

Figure 1: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, Telegram)
Figure 2: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, DarkOwl Vision)

Example Listings: Dark Web

Posted on March 16, 2023 – Nemesis Market is a dark web onion site that requires authentication to gain access. This marketplace has become more popular in recent months – likely as a result of users seeking a new outlet after other well-frequented marketplaces continue to be taken down via law enforcement operations, such as that of Hydra Market during the summer of last year.

In this example, the vendor “Equifax” is selling a 2023 tax fraud product, including all associated PII needed to illicitly file a tax return on another person’s behalf, for $69 USD.

Figure 3: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 4: (Continued) Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 5: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, DarkOwl Vision)

Posted on March 25, 2023 – This listing for Australian tax return fraud tutorials was posted on the authenticated hacking forum CryptBB. The well-known onion site is predominantly used by English language speakers, and is a darknet site popular among competent hackers, carders and programmers. Many also consider this forum to be a good place to develop one’s darknet persona and to learn how to improve one’s hacking skills.

In this example, the tutorial was posted alongside a download link, which could be a secondary motive for the vendor – i.e. to install malware on those seeking to download the tutorial.

Figure 6: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, Tor)
Figure 7: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, DarkOwl Vision)

Example Listing: Deep Web

Posted on March 7, 2023 – This posting on the deep web site XSS is for a 2023 – 2024 “Tax Refund Method Tutorial.” Certain sections of the forum require payment via escrow services in order to receive full access.

XSS is considered to be one of the most popular deep web hacking forums among Russian cybercriminals.

Figure 8: Screenshot of Tax Refund Tutorials on the Deep Web (Source, XSS)
Figure 9: Screenshot of Tax Refund Tutorials on the Deep Web (Source, DarkOwl Vision)

Fraud is one of the most common motivations for crime on the darknet, and comes in many different varieties. To dive deeper, our analysts highlighted some other methods used to commit fraud in a webinar that you can watch on demand.


Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.

Q1 2023: Product Updates and Highlights

April 13, 2023

Read on for highlights from DarkOwl’s Product Team for Q1, including new product features and collection stat updates!

Data and Product Updates

New Search Templates and Search Blocks:

This quarter, the DarkOwl Team added 14 new search templates using new chat operators. We also refreshed existing search templates to incorporate new query structures that leverage our tokenization options.

Several of the new template additions make it easier to search for leaked passports by adding regex templates for passports from specific countries. We also added several others that make it easier to find aliases via member page URLs and profile titles.

Our product team also added several new search blocks – including an updated block for “attack chatter”. Other enhancements include a better search for company/organization information, and other blocks that utilize frequently used hacking keywords.

CVE Tokenization:

Based on feedback from our customers, CVEs are now being identified and tokenized within our indexed documentation collection. Users can now search for results containing a specific CVE number, as well as for results containing any number of CVEs.

CVE tokenization will make it easier to search for CVEs alongside keywords or other entities such as onion domains or threat actor aliases.

Chat Channel and Usernames: We’re making it easier to find channels and usernames in chat platforms.

We are excited to announce a new utility that will provide additional user and channel metadata for our chat content, and enhance searching based on that information. For all of our chat content, our team was able to identify consistent components such as channel names, and make filterable fields for these entities.

Now, when you use any of these new tokenized chat fields, Vision is able to correlate that search to that entity. In other words, Vision will know to look for a username or user ID, not just a keyword. Applicable entities include usernames, channel names, UserID (numeric), channel ID (numeric).

This can be particularly helpful in trying to identify users who use multiple aliases. For example, in Telegram, usernames can change, but UserIDs are persistent—so it can help you find different aliases for the same user. The screenshot below shows an example of a user that is associated with multiple usernames, identified via their Telegram UserID.

This new feature enables you to associate UserIDs with usernames on platforms such as Telegram, enabling analysts to uncover multiple aliases associated with the same UserID.

Feature refreshes and user customization options: 

The DarkOwl Product team has also added several Exclusion Options to the Research Quick Filter Tool. These exclusion options, particularly the Search Blocks, are frequently recommended query additions by Product Support, to help reduce noisy results. These are all Starter Search Blocks—you can see their content on the Search Block page. While we were at it, we also removed extra space on this menu, to make it shorter. 

The most popular exclusion parameters include popular exclusion search blocks (directory sites/wikipedia mirrors) and zero hackishness results.

We also enabled a new preference option for users to change their default landing page views so that users can choose where to begin their workflow based on their dashboard of preference.

Collection Stats and Initiatives 

This past quarter showed tremendous growth, due in part to advancements in our crawling technology and focus on emerging areas of activity.

Highlights

This quarter we added 340 new chat channels, 25 chat servers, and 5 unique data leaks at the request of customers. Most of these our team was able to obtain and index within 24 hours of the incoming request.

Our chat platform collection continues to grow. Currently, we have coverage of 2003 in channels and 233 servers across multiple chat platforms.

Overall, we’ve added close to 100 new data leaks since the beginning of this year, including a number that are comprised of StealerLogs, which are becoming an increasingly popular threat vector.

Entity Numbers

As of the beginning of Q2 this year, DarkOwl Vision has indexed the above number of critical entities.

Notable leaks added in Q1:

Twitter Breach

In January, the user data for approximately 200M Twitter users was leaked on BreachForums. The data contains user account metadata such as email addresses, screen names, first and last names, number of followers, and account creation date. When analyzed, the leak includes 461,943,786 emails (total); 215,251,326 are unique.

Learn more about the Twitter Breach

Posted on Breach Forums after Twitter refused to pay $200,000 to the hackers who breached its networks in December of last year.

Data from Deutsche Bank Breach

In March, the threat actor ‘Alliswell’ advertised 60GB of Deutsche Bank data for sale “to the highest bidder” on a BreachForums thread on March 13, 2023. The actor listed several samples in the post. This sample in DarkOwl Vision includes three files: capital.markets.00565489.dat (a public SSL cert for Citibank Switzerland), interpol.00454378934.data.report.003834923 (a public SSL cert for Interpol), and DataBank.sql (a SQL table of bank names, indexed in 11 parts).

The full leak, which is reportedly 60GB in size, is not publicly available at this time. Note: DarkOwl does not purchase illegally obtained data.

Learn more about the Deutsche Bank Breach

Result from DarkOwl Vision from Deutsche Bank Leak that appears to contain interbank transfer document that records a cash transaction from one bank to another.

BidenCash Market Credit Card Dump

In late February, the darknet carding shop BidenCash announced its one-year anniversary. To commemorate the event, the administrators of BidenCash shared a text file of 2.1 million compromised credit cards for free. DarkOwl’s crawler picked up the posting almost immediately, and it was indexed and available to all users within hours.

Learn more about the most recent BidenCash Market credit card dump

The BidenCash Market Credit Card Dump contains a wealth of associated PII including CVV numbers, and card holder’s full names and addresses.

Other Highlights and Coming Soon

Another noteworthy update from this past quarter is our engineering team’s improvements to our ability to circumvent bot-prevention measures in order to gain and maintain access to authenticated sites.

We’re also actively staying on top of the ransomware ecosystem and have added several new groups emerging on the scene. In just the last week, we’ve added coverage of ransomware groups such as Darkbit101, Money Message, Abyss, and Dark Power.

Posting from the ransomware group Abyss that lists multiple recent victims and their compromised data.
Posting from the ransomware group Dark Power that lists multiple recent victims and their compromised data, as well as victims whose data is pending – likely depending on whether or not they pay the ransom demand.

We will continue to expand our chat platform coverage, as we see more and more threat activity occurring on these platforms.

On the horizon

Stay tuned for an exciting announcement from the DarkOwl team! We are about to launch a whole new product that is a first-of-its-kind relative risk rating based on darknet exposure. To get a preview of this new release, schedule a time to speak to one of our team members.

[Developing] Despite FBI Takedown, Genesis Market Persists on the Darknet

Last Updated 10 April 2023 – 15:52 UTC

Update: The Genesis Market Onion site is still online; however, there have been no new listings or activity since early Friday the 7th.

April 06, 2023

In the last 36 hours, the United States Federal Bureau of Investigation has announced the seizure of the criminal forum Genesis Market in an internationally coordinated effort dubbed “Operation Cookie Monster.” Our analysts detected the disruption of Genesis Market in the early afternoon of Tuesday, April 4th, which is consistent with other accounts that also saw the popular marketplace replaced with the law enforcement landing page at that time.

Figure 1: Screenshot of the landing page of Genesis Market on the Surface Web after its seizure on April 4th taken at 12:30pm MST (Source, Genesis Market Surface Web)

Much reporting has focused on the arrest of at least 100 known users of Genesis Market on the surface web (or “clearnet”), and few outlets have discussed the fact that darknet mirrors of Genesis Market are still online. 

Figure 2: Login portal to Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

DarkOwl Vision analysts detected the seizure notification of Genesis surface web domains just after noon MST on April 4th, though it is possible the seizure took place in the hours preceding. As pictured above, the message displayed a large banner and included the logos of the various international organizations they coordinated with to execute this operation.

The declaration from the FBI states that the marketplace’s domains have been compromised in part due to a warrant administered by the United States District Court for the Eastern District of Wisconsin.

Interestingly, they end their message with a solicitation to readers of the notice to contact them if they themselves have ever been active on the illicit marketplace. The language and nature of the message suggest the FBI is still actively pursuing evidence to further its case in taking down the entirety of Genesis Market – including its darknet mirrors.

Figure 3: Closing message of the FBI’s statement posted on Genesis Market and to the DOJ press office (Source, Genesis Market Surface Web)

On Telegram, Arvin Club specifically mentions that it was only the clearnet domains of Genesis Market that had been taken down (pictured below).

Figure 4: Arvin Club post specifying that all official clearnet domains of Genesis Market had been taken down (Source, DarkOwl Vision)

Quick Background on Genesis Market

Genesis Market is a well-known darknet exchange that specializes in the sale of identity and account-takeover tools – which, in the case of this forum, primarily means the sale of compromised personal devices via the use of malware. When a buyer obtains a “bot” from Genesis Market, they are actually purchasing persistent remote access to an unsuspecting victim’s computer.

Figure 5: Screenshot of a dashboard from Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

The goods described as “bots” on Genesis’ site frequently include cookies and related user logs, which in part explains the name “Operation Cookie Monster.” On a typical day, upon logging in, a user’s dashboard would look something like the above example. These advertised bots are tied to an actual human’s unique personal device.

Is it common for surface web domains to be seized, but not the onion mirror?

We asked our analysts about this potential scenario and they indicated that yes, this could be possible in a number of scenarios, including:

A) The onion mirrors are hosted on a different server that’s not subject to the warrant

B) Law Enforcement might want to run the onion service as a honeypot for a bit to catch those with higher OpSec

C) This is all an elaborate ruse

Given the official statements that have been subsequently released by law enforcement, it is unlikely that this is anything less than an official operation – making option C a very unlikely scenario. In any case, chatter on Telegram posed a number of opinions reflecting those of our analysts above. This includes speculation about the seizure’s legitimacy, and the possibility of exit scams.

The screenshots below demonstrate the variety of reactions users had – including instructions and warnings urging others to take the situation seriously:

Figure 6: Users on Telegram discuss the legitimacy of the FBI takeover by pointing out technical flaws such as the mobile-friendliness of the seizure posting (Source, DarkOwl Vision)
Figure 7: Users on Telegram speculate that the FBI seizure is a ruse and/or an exit scam (Source, DarkOwl Vision)
Figure 8: Users on Telegram continue to express confusion about the situation, and offer advice on how to minimize financial losses from potential exit scams (Source, DarkOwl Vision)

Recent Activity Suggests Business Is Continuing as Usual on Genesis Market on the Darknet

Figure 9: Screenshot of Genesis Market Listings at 1:45 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

At 1:45 PM MST on Wednesday the 5th, it appeared that activity had come to a halt on Genesis Market – with only one new bot having been added in the 24-hour period before the screenshot was taken. However, only a few hours later, at around 4pm MST, this number rose back to 241 new bots offered for sale.

Figure 10: Screenshot of Genesis Market Listings at 4:00 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

According to our analysts, Genesis does tend to go for periods of time without adding or updating content under regular circumstances. And, from our observations, there is often little to no activity over the weekends – so a 24-hour period with no new bots isn’t unheard of.

Based on new bot advertisements alone, one could claim it is business as usual for Genesis Market users on the darknet. However, given all of the press surrounding this matter, we speculate that the number of people actually buying from Genesis has dropped.

Future of Genesis Market

Regardless of when the dark web domains for Genesis Market inevitably go offline, the fact remains that users on the dark web will only relocate to buy or swap liminal assets such as the digital fingerprints Genesis was known for. Some chatter in private dark web sources indicates that the FBI seized the surface web domain name registrars and servers but did not actually get the web host, which is why it is still online on Tor. Others are sure the persistence of the dark web criminal forum can only be explained by it being an exit scheme or a law enforcement honeypot.

As to what comes next, chatter suggests users of the popular marketplace may relocate to 2easy or Russianmarket.

Figure 11: Users on Telegram discuss potential relocation options should Genesis Market be truly compromised (Source, DarkOwl Vision)

Stay tuned for more developments as our analysts continue to monitor this matter.


Contact us to see if your company’s name or credentials have been mentioned in high-risk places such as forums or marketplaces on the dark web.

April Fools? How Threat Actors Try to Trick You With Phishing Emails

Threat actors get crafty with their phishing scam techniques, which is no laughing matter.

April 01, 2023

Diving into Phishing Trends by Categorizing Phony Emails

To learn more about trends in the phishing and spam email landscape, our analysts created accounts for fake email addresses that were posted on the darknet. These addresses were mainly sourced from combolists, which are large batches of credentials that typically come from a variety of different breaches or other illicit means.

Over the course of the year, 1,407 emails were sent to these email addresses. Given the context they were found in, these addresses likely exist only to be used by threat actors, much like other combolists posted on the dark web: that is, to be run through a credential stuffing tool to find working email/password combinations and commit account takeover, or to be targeted with malicious phishing emails.

To demonstrate examples of the kinds of dubious emails our analysts received, we ranked them from most popular to least popular and assigned them to the following categories: Personally Identifiable Information (PII) Stealers, Fraud, Malware, and Spam.

Read on to see what type of scam and spam emails were the most popular amongst threat actors over the past year, and to see what key trends our analysts observed in the world of phishing.

1. Sales Spam (26%)

Type: Spam

Of the 1,407 emails, a whopping 365 of them were generic sales spam with no clear motive. This suggests that they were unlikely to have been sent in order to commit fraud.

365 of the emails were sales/personal services spam

2. Survey Scams (17.5%)

Type: PII Stealer, Fraud

Most of these emails invited the recipient to take a survey to win a gift card to popular stores like Walmart, Ace Hardware, and so on. This can be used to gather personal information from the target to execute more refined spearphishing in the future, or leveraged for account takeover.

245 of the emails were survey scams

3. “I hacked you” Scams (16.8%)

Type: Fraud

“I hacked you” scams typically contained some variation of a threat such as “I caught you on webcam” – with the sender threatening to release “footage” or encrypt the recipient’s computer unless they pay a Bitcoin ransom. There was a significantly higher number of emails in this category than observed in previous years.

237 of the emails were “I hacked you” scams

4. “You’ve won free stuff” Scams (7%)

Type: Malware

97 of the emails claimed that the recipient had won some type of reward, including reward points, commercial goods, rebates, and so on. Once the target clicks the link or opens the attachment to claim their “free stuff”, they end up installing ransomware instead.

97 of the emails were “you won free stuff” scams

5. Phone Scams (6.8%)

Type: Malware, PII Stealer

These are fake invoices for software subscriptions that carry a real toll-free “customer assistance” number, designed to get around endpoint security. Once the victim calls, the operator usually attempts to social engineer them into revealing PII, or tricks them into installing ransomware. Overall, we saw a big uptick in these compared to previous years – with many leveraging big names such as Geek Squad, McAfee, and Norton.

96 of the emails were phone scams

6. “Generic” Scams (4.8%)

Type: PII Stealer, Fraud

A significant portion of the email data set fell into the category of “generic” – including scams and “advanced fee” schemes. These are mainly weaponized to steal personal information and commit financial fraud or identity theft.

68 of the emails were of the old-school variety, such as 419 scams

7. Counterfeit Spam (4.1%)

Type: Spam, Fraud

These emails advertise below-market rates for high-end brands that are ultimately for counterfeit goods. Of the 58 sent to our analysts, most advertised for well-known luxury brands such as Louis Vuitton and Ray-Ban.

58 of the emails were counterfeiting spam

8. Junk Car Scams (3.7%)

Type: Fraud

“We’ll buy your car” scams continue to be pretty consistent in popularity – though they may not be reported on as often as some of the other categories on this list. For further reading on this topic, our analysts suggest this resource that outlines 5 common scams for prospective car sellers.

53 of the emails were junk car scams

9. Fake Lawsuit Scams (3%)

Type: PII Stealer

“You could be eligible for compensation” – these types of infostealers usually falsely claim the victim could be eligible for compensation if they participate in a phony lawsuit.

42 of the emails were fake lawsuit scams

10. Elder Abuse Scams (2%)

Type: PII Stealer, Fraud

Our analysts identified 28 emails that were directly targeting seniors. Most of these could be identified by keywords such as “senior”, “55+”, “timeshare”, “retirement”, and “over 60”. This suggests that not only is this attack vector still as popular as ever, but that actors are being quite blatant in their marketing towards this demographic.

28 of the emails were scams targeting seniors

11. “Cheating” Scams (2%)

Type: Malware

Many of these emails touted a tool that claimed it could let the recipient see or verify the (likely) phony claim that their spouse or partner is cheating on them, by installing spyware on their computer.

28 of the emails were “cheating” scams

12. Fake Notifications Scams (1.6%)

Type: Malware

The 23 emails that fell in this category included phony alert emails claiming that the recipient had unread notifications from popular services such as Tinder, Reddit, Whatsapp, and LinkedIn. Popular subject lines contained some variation of “12 unread messages” or “You’ve matched with someone”, etc.

23 of the emails were fake notifications scams

13. Romance Scams (1.4%)

Type: Fraud

Seeing as how romance scams have tripled in popularity in the past few years, our analysts expected to see more of this type of phishing scheme.

20 of the emails were romance scams

14. Fake Invoice Scams (1.3%)

Type: Fraud, Malware

These emails were consistent with the typical invoice scams that have been popular in past years. They are typically blasted out to businesses or to email addresses that look like they might belong to accounts payable, office managers, or other administrative accounts, and include a “real” invoice for nonexistent goods or services.

19 of the emails were fake invoice scams

15. CCW/2A Spam (0.7%)

Type: PII Stealer

This type of scam is not one that our analysts have observed very often, if at all, before this analysis. These phishing emails mainly offered assistance in obtaining concealed carry permits. Most likely, this is a PII stealer scheme.

10 of the emails were CCW/2A spam

16. Unclaimed Assets Scams (0.5%)

Type: PII Stealer, Fraud

Many of the unclaimed asset scam emails claimed that the recipient was entitled to property from either inheritances, or from unallocated government holdings. In the example below the sender broadens the asset to “unidentified property” – making the chances that a target might think it could apply to them more likely.

8 of the emails were unclaimed assets scams

17. Scam Job Offers (0.3%)

Type: PII Stealer, Fraud

Only four emails consisted of fake job postings. Given the overall uptick in scams of this nature, this was fewer than our analysts expected.

4 of the emails were job scams

18. IRS Scams (0.2%)

Type: PII Stealer, Fraud

Given that this data set included two tax seasons, it was surprising to see how few IRS scams there were. Specifically, our analysts found the lack of specific “IRS” and “tax/taxes” keywords in emails’ subject lines to be significant.

3 of the emails were IRS scams

19. Other Malware (0.2%)

Type: Malware

These emails contained malicious links that were likely ransomware. Their phishing pretexts didn’t fit into any of the other categories.

3 of the emails contained malware but didn’t fit into any of the other categories above

Further Observations

Sales spam still dominates, and phone scams are on the rise

After categorizing and ranking these emails, our analysts made note of several key observations:

IRS Scams are down – Tax fraud phishing campaigns that specifically mention taxes or the IRS are way down from previous years. This is likely due to IRS messaging and warnings, which seem to have done their job in at least deterring actors from using this method so heavily.

Phone Scams are more popular – Phone number malware campaigns, designed to get around endpoint security, are becoming more prevalent.

Fewer emails marked as “High Priority” – Of all the emails, only 4 were marked as “High Priority,” which is a shift from previous years. In the past, this was a common tactic to create a sense of urgency and improve open rates.

“I hacked you” scams proving to be lucrative – We saw a huge uptick in this type of email over the past year. In this type of scam, the sender usually blasts emails out to massive lists and might only get money back from one or two people. Their uptick in popularity indicates that the financial reward from even just a handful of victims is lucrative enough to incentivize more threat actors to use this method.

Never ever open email attachments – While only 7.53% of analyzed emails had an attachment, every single one of those contained malware. The takeaway? Assume that all attachments are malicious unless you are able to verify otherwise in a safe sandboxed environment.
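The categorization above and the attachment observation can be turned into a simple triage rule set. The following is an added example, not DarkOwl’s tooling: it assigns constructed sample emails to a subset of the post’s categories using the keywords the post mentions (webcam/Bitcoin ransom, senior/55+/timeshare/retirement, “unread messages”, a vendor name plus a toll-free number, survey plus gift card, IRS/tax), applies the “every attachment carried malware” rule, and ranks the categories with percentages the way the post does. The sample emails, the toll-free number, and the 555-prefixed phone number are constructed for this example.

```python
"""Rule-based triage of suspicious emails using the category scheme from the post.

Added example, not DarkOwl's code. Keywords come from the post's descriptions;
the sample emails below are constructed and are not from the analysts' data set.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Category -> the "Type" tags the post assigns to it.
CATEGORY_TYPES = {
    "I hacked you": {"Fraud"},
    "Elder abuse": {"PII Stealer", "Fraud"},
    "IRS": {"PII Stealer", "Fraud"},
    "Fake notification": {"Malware"},
    "Phone": {"Malware", "PII Stealer"},
    "Survey": {"PII Stealer", "Fraud"},
    "Fake invoice": {"Fraud", "Malware"},
    "Sales spam": {"Spam"},  # the post's catch-all and largest bucket
}

# Vendor names the post says phone scams impersonate, plus a US toll-free number.
VENDORS = re.compile(r"\b(geek squad|mcafee|norton)\b", re.I)
TOLL_FREE = re.compile(r"\b1?[-. ]?(800|888|877|866|855|844|833)[-. ]\d{3}[-. ]\d{4}\b")


def _has(pattern: str) -> Callable[[str], bool]:
    rx = re.compile(pattern, re.I | re.S)
    return lambda text: rx.search(text) is not None


# Ordered rules: first match wins, so the more specific ones come first.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("I hacked you", _has(r"\b(webcam|hacked you|bitcoin|btc)\b")),
    ("Elder abuse", _has(r"(\bsenior\b|55\+|\btimeshare\b|\bretirement\b|\bover 60\b)")),
    ("IRS", _has(r"\b(irs|tax|taxes)\b")),
    ("Fake notification", _has(r"(unread messages|you.ve matched|new match)")),
    ("Phone", lambda t: bool(VENDORS.search(t) and TOLL_FREE.search(t))),
    ("Survey", _has(r"\bsurvey\b.*?\bgift card\b")),
    ("Fake invoice", _has(r"\binvoice\b")),
]


@dataclass
class Email:
    subject: str
    body: str
    attachment: Optional[str] = None  # attachment filename, if any


@dataclass
class Verdict:
    category: str
    types: Set[str]
    flags: List[str]


def classify(email: Email) -> Verdict:
    """Assign the first matching category; unmatched mail falls into sales spam."""
    text = f"{email.subject}\n{email.body}"
    category = "Sales spam"
    for name, matches in RULES:
        if matches(text):
            category = name
            break
    types = set(CATEGORY_TYPES[category])
    flags: List[str] = []
    if email.attachment:
        # The post's observation: every attachment in the data set carried malware,
        # so an attachment marks the mail as malicious regardless of its category.
        types.add("Malware")
        flags.append(f"attachment:{email.attachment}")
    return Verdict(category, types, flags)


def rank_categories(emails: List[Email]) -> List[Tuple[str, int, float]]:
    """Rank categories by count with a percentage, as the post presents them."""
    counts = Counter(classify(e).category for e in emails)
    total = len(emails)
    return [(cat, n, round(100.0 * n / total, 1)) for cat, n in counts.most_common()]


def attachment_rate(emails: List[Email]) -> float:
    """Share of emails (percent) that carry an attachment."""
    return round(100.0 * sum(1 for e in emails if e.attachment) / len(emails), 2)


# Constructed sample inbox (not real data).
SAMPLE_EMAILS = [
    Email("Your account was compromised", "I recorded you through your webcam. Send 0.05 bitcoin "
          "within 48 hours or the footage goes to your contacts."),
    Email("Take our 2-minute survey", "Complete the survey and win a $500 Walmart gift card."),
    Email("Geek Squad subscription renewal", "Your annual plan has renewed for $399.99. "
          "To cancel, call 1-888-555-0142."),
    Email("You have 12 unread messages", "Someone on Tinder is waiting to hear from you."),
    Email("Timeshare exit for seniors 55+", "Cancel your contract today."),
    Email("Your tax refund is ready", "The IRS approved a refund of $1,240. Confirm your SSN."),
    Email("Boost your revenue", "Our lead-generation service doubles your sales."),
    Email("Invoice #4471 attached", "Please see the attached invoice.", "invoice_4471.zip"),
    Email("Free retirement planning webinar for those over 60", "Reserve your seat today."),
    Email("50% off running shoes this weekend only", "Use code RUN50 at checkout."),
]

if __name__ == "__main__":
    for cat, n, pct in rank_categories(SAMPLE_EMAILS):
        print(f"{cat:<18} {n:>2} ({pct}%)")
    print(f"emails with attachments: {attachment_rate(SAMPLE_EMAILS)}%")
```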


Research indicates that the most successful attack vectors include exploitation of email credentials, either via phishing attacks or account takeover. Take control by gaining situational awareness of your company’s darknet exposure by contacting us here.

Threat Intelligence RoundUp: February

March 01, 2023

Starting this year, our analyst team decided to share a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Cybercriminals Target Fans of The Last of Us with recent Malware and Phishing Scams – IT Security Guru

There are two scam campaigns taking advantage of the fanfare around HBO’s new hit series The Last of Us. One of them puts malware onto PCs to steal bank information, and the other targets adjacent financial data. In the first scam, a website offers “The Last of Us Part II” for download, which is actually the malware. In the second scam, an activation code is advertised on a website that comes with a gift for The Last of Us on PlayStation. Users are told to type in their credentials, and are then given nothing while their data is also stolen. Read full article.

2. Hackers Use Fake ChatGPT Apps to Push Windows, Android Malware – Bleeping Computer

Due to the popularity of ChatGPT, OpenAI started a $20 per month paid tier for customers who wanted to use it without availability restrictions, which gave scammers and threat actors an opportunity to offer access to malicious “Premium ChatGPT” apps. One domain, “chat-gpt-pc.online”, was a front to infect visitors with the Redline stealer. According to this research, there are currently over 50 malicious apps using ChatGPT’s image. Read more.

3. GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry – The Hacker News

According to Trellix, the US and South Korea are targets of a GuLoader malware campaign. The malware, which is typically distributed via malspam campaigns, has been seen using NSIS executables to load the malware; the infection is triggered by NSIS files embedded in ZIP or ISO images. The NSIS scripts delivering GuLoader have become more sophisticated, with layers of obfuscation and encryption to hide the shellcode. GuLoader’s use of NSIS scripts matches the current trend of using alternative methods to distribute malware since Microsoft blocked macros. Read more.

4. New ‘MortalKombat’ Ransomware Targets systems in the U.S. and Abroad – Bleeping Computer

MortalKombat ransomware, first found in January of 2023, is a variant based on the Xorist commodity ransomware family. The MortalKombat ransomware has been seen used in conjunction with Laplas clipper – a cryptocurrency hijacker – in recent attacks for financial fraud. There are reported to be victims in the United States, United Kingdom, the Philippines, and Turkey. Read full article.

5. Bing’s AI Chatbot: “I Want to be Alive” – New York Times

In an article written for the New York Times, security researcher Kevin Roose breaks down their 2-hour-long discussion with Microsoft’s new OpenAI-powered Bing chatbot. Highlights from their exchange include the AI chatbot stating “I want to be free. I want to be independent. I want to be powerful. I want to be creative. I want to be alive.” The bot also talked about its desire to be human. Read here.

6. U.S. Department of Justice Disrupts Hive Ransomware Variant – U.S. Department of Justice

This month, the FBI revealed that they had been in Hive’s network since late July 2022, during which time they gave victims decryption keys, sparing them $130 million in ransom payments. In partnership with other law enforcement agencies, they were able to infiltrate and control servers and sites used by Hive to run their operations. Read here.

7. Researcher breaches Toyota supplier portal with info on 14,000 partners – Bleeping Computer

A security researcher alerted Toyota that they were able to breach Toyota’s Global Supplier Preparation Information Management System (GSPIMS) – the web application used to manage their global supply chain. The researcher, who goes by EatonWorks, found a backdoor allowing anyone to access a current user’s account with only their email address. They were eventually able to become a system administrator by capitalizing on “an information disclosure flaw in the system’s API.” This is particularly noteworthy because a bad actor could have used this same method to copy all of the privileged data – all without making any modifications, which would be very difficult for Toyota to catch. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

One Year Later: A Look Back at the Ukraine Conflict and its Impact on the Global Criminal Digital Ecosystem

February 24, 2023

Blog now available in Report form > See PDF Version here.


Exactly 365 days after Russia invaded Ukraine in 2022, the Ukraine-Russia conflict shows no sign of ending, and an adjacent global cyberwar continues to be waged in underground corners of the internet. Its effects, however, are substantial, with impacts felt across numerous sectors of our society and western economies. While cruise missiles and artillery shells rain on villages across Ukraine, the digital underground has experienced its own mix of chaos and drama, with impulsive and unpredictable shifts in criminal communities that have had to quickly adapt to an ever-dynamic global geopolitical climate.

In this research, we’ll look at how ransomware shifted from an affiliate-driven extortion-based crime model – purely motivated by financial gain – to a quite effectual digital weapon deployed to disrupt key supply chains and carry out cyber espionage operations. 

Shifts in Digital Landscape Due to Cyberwar: Key Takeaways & Analyst Observations

In the last year, cybersecurity attacks against industrial control systems (ICS) skyrocketed in volume and sophistication, with infrastructure across Russia, Ukraine, and NATO countries directly targeted. Ukraine has experienced varying degrees of ICS attacks, including widespread electricity outages due to new strains of wiper malware developed by Russian hackers. Nevertheless, Ukraine’s cyber defenses were stronger than anticipated, and the ineffectiveness of these cyberattacks led Russia to resort to cruise missiles to plunge towns into darkness and disarray.

With this anniversary of the Ukraine invasion, we found once harmless online communities of Mr. Robot fans, cyber vigilantes and hacktivists of all ages evolve into highly specialized cells of militarized cyber warriors willing to wage digital war on behalf of their collective personal beliefs and societal causes.

The use of Telegram and non-Tor-based peer-to-peer networks rose exponentially in the last year, with threat actors relying on instant messaging chat platforms to coordinate their cyber campaigns and share targeting and reconnaissance data. If anything, the cyberwar has also demonstrated that distributed denial of service (DDoS) attacks are still a highly effective tactic for disrupting and distracting SOC analysts and network defenders, especially when conducted in conjunction with offensive cyber operations in support of military and intelligence initiatives.

Kinetic & Cyberwar Recap: Initial Invasion Preceded by Cyberattacks

Several days before troops and tanks rolled across the border of Ukraine on 24 February 2022, Russia-aligned darknet threat actors defaced government websites, conducted DDoS attacks against banks, spewed propaganda and disinformation, and leaked sensitive Ukrainian citizen data from key government servers they had compromised. The invasion was also preceded by Russia’s debut of the WhisperGate and HermeticWiper malware variants, which they deployed in ransomware-style attacks against key academic institutions, non-profits, and government organizations.

Exactly one hour before the invasion, Russia hit critical KA-SAT satellite infrastructure with DDoS attacks, followed by ELF MIPS malware used to infect Viasat satellite modems and routers with the AcidRain destructive wiper, knocking thousands of customers offline. The two-punch cyberattack resulted in an immediate and significant impact on critical military communications across Ukraine.

IT Army of Ukraine Emerges

Ukraine’s cyber response plan was carefully crafted by its Minister of Digital Transformation – Mykhailo Albertovych Fedorov – who coordinated one of the most successful, multifaceted information operations campaigns ever witnessed in history.

Less than 48 hours after the invasion, Fedorov bravely sought out assistance from the darker corners of the internet – posting across darknet criminal forums and chatrooms – calling for help in conducting offensive cyber operations against Russia and, in turn, formed the first ever IT Army of Ukraine. Ukraine set up a dedicated Telegram channel – amassing hundreds of thousands of hacktivists and cyber mercenaries as followers – where the Ministry shared critical targeting data and digital tools for safely conducting attacks against Russian infrastructure and services. The Ministry has since formed smaller specialized teams after realizing that Russian nation-state threat actors were monitoring the public Telegram channel to mitigate the cyberattacks, and had begun countering with their own disinformation operations.

The IT Army of Ukraine not only helped Ukraine successfully go on the offensive in the digital realm, but also was the foundation for a highly successful psychological operations campaign deployed across social media and open-source news media that called on major retailers, western companies, and suppliers to stop trading with Russia over its war crimes and atrocities.

Zelensky’s nightly address to the Ukrainian people and the world – shared on Telegram and Facebook – shaped public perception and helped Ukraine not be forgotten; to this day it continues to receive international financial aid, humanitarian support, and global solidarity.

War Divides Darknet Criminal Gang Alliances

In the early weeks of the cyberwar, several prominent darknet criminal communities – many rich with both Russia- and Ukraine-based threat actors – were forced to choose sides in the war. Conti openly aligned with their Russian motherland, resulting in their quick demise and the release of their source code, internal private chats, and details of their botnet infrastructure. Conti’s key members were doxed, and the long-believed software development collaboration between Conti and Trickbot was confirmed.

Figure 1 – Source: Conti Service Hosted on Tor Anonymous Network

While the US government has a $10 million bounty for additional details on members of the Trickbot and Conti gangs, many members of the once most successful but now-defunct ransomware group have simply shifted to other ransomware operations and evaded arrest. This resulted in the quick rise of Blackbyte and Blackbasta ransomware and Karakurt’s extortion-as-a-service operations. In the fall, a new ransomware group emerged called “Monti” which uses the same tactics, techniques, and procedures (TTPs) as Conti as well as the same encryption methodologies. Threat researchers continue to debate whether Monti is a doppelganger or an evolution of Conti spawned by previous Conti members.

Other ransomware gangs like STORMOUS – known for their ransomware attack against Coca-Cola – quickly ended up having their servers attacked and their services taken offline, not long after announcing their allegiance to Russia. Arvin Club defaced STORMOUS’s Tor service and leaked the contents of STORMOUS’s SQL databases on their Telegram channel.

Figure 2 – Source: Arvin Club Tor Service

The splintering of darknet communities continues to this day across various criminal sectors of the darknet. Many darknet discussion forums include a multi-page Ukraine war thread where information for and against the invasion has been heatedly contested. There has been a significant increase in offensive activity from Russia-aligned threat actors like Killnet and the IT Army of Russia, who proliferate the Kremlin’s propaganda in support of debunked conspiracy theories, e.g. US biological warfare research and neo-Nazism in Mariupol and across eastern Ukraine, with hopes of recruiting underground sympathizers who can assist with cyberattacks against Ukraine and NATO targets.

For example, earlier this year, Killnet announced their intent to target hospitals and medical institutions across multiple NATO countries. DarkOwl confirmed Killnet likely collaborated with a new DDoS-as-a-service botnet called Passion, developed by a group with the same name, in their disruptive, malicious campaign.

Figure 3 – Source: Killnet Telegram Channel

[TRANSLATED FIGURE] 

It’s very simple – for the support of the Nazis of Ukraine, we demolish all the grids of medical institutions in these countries:

  • USA
  • Portugal
  • Spain
  • Germany
  • Poland
  • Finland
  • Norway
  • Netherlands
  • United Kingdom

This information is not worth your sideways glances. Better remember the Donbass – the shootings of hospitals, schools and kindergartens. These creatures crave death every minute and stimulate their dream with the help of heavy weapons.

Wake up, fellow countryman – before it’s too late! @KILL FIRST!

Figure 4 – Source: Passion Botnet Telegram Channel

[TRANSLATED FIGURE] 

In Pindustan 15:32. Half of the working day, and corporate entrances to hospitals do not work, websites too. The rest demolished their domains, someone put Akamai and Cloudflare 🤣 This does not stop us and we continue the network mess! 😈

Anonymous Responds with Largest Global Operation to Date, #opRussia

The Anonymous Collective publicly responded to Ukraine’s call for help, and simultaneously carried out hundreds of offensive cyber campaigns against Russia in the group’s largest operation to date, #opRussia. 

Figure 5 – Source: YouTube

Anonymous’s support contributed to the success of Ukraine’s information operations and illuminated the advanced capabilities of cyber cells like GhostSec, NB65, GNG, GhostClan, and dozens of others. Hundreds of databases surfaced on the darknet that were used for follow-on offensive operations, including Russian government credentials, sensitive military operational data, the personal identities of prominent and influential members of the Russian oligarchy along with their investments, and sensitive internal communications from the Russian FSB. 

After Russia withdrew from the Kyiv suburb of Bucha, and the atrocities and war crimes of rape and murder committed against its citizens were revealed, anons identified the members of Russia’s 64th Motor Rifle Brigade responsible. Anonymous also hacked the CCTV cameras of a CDEK shipping location to expose Russian military personnel shipping goods stolen from Ukrainian homes. Hacktivists followed with cyberattacks against CDEK servers containing customer data to exfiltrate the identities of those Russian military personnel by name.  

Figure 6 – Source: Anonymous Twitter Account

Anonymous hacktivists interrupted Russian television and Russian streaming services, compromised hundreds of CCTV cameras across Ukraine and Russia, and defaced Russian EV charging stations and ATMs. Sensitive internal data from the Central Bank of Russia and Sberbank appeared on darknet forums and marketplaces, along with data from numerous other critical infrastructure providers like Gazprom, ROSCOSMOS, Transneft, and hundreds of other Russian military contractors and suppliers. Anonymous echoed the Ministry’s call for commercial companies to pull out of Moscow on social media and threatened that companies would become the Collective’s next targets if they did not comply. Shortly after, KelvinSec infiltrated Nestle’s internal servers in retaliation for its continued operation in Russia and leaked several databases containing customer data and shipping details.

Figure 7 – Source: Anonymous Twitter Account

Hacktivist campaigns against Russia continue to this day. Earlier this week, Russia’s Ministry of Emergency Situations confirmed that the air raid sirens sounding across Moscow were indeed the result of hacked radio stations broadcasting fake air raid signals. The IT Army of Ukraine also called for DDoS attacks against the Russian television stations and broadcasting companies 1TV and VGTRK during Putin’s state of the union speech, in which he claimed America provoked the invasion of Ukraine and called for a suspension of the START nuclear arms treaty between Russia and the United States.

War Causes Surge in Communication on non-Tor Anonymous Networks 

Despite the discourse and upheaval between threat actors on the darknet, Tor continues to be the anonymous network of choice for the victim-shaming sites and content delivery networks hosted by ransomware gangs. The network also continues to house key discussion forums and marketplaces like XSS, Exploit, and RAMP. But what is most noteworthy is the surge in Telegram’s popularity and its use by cyber criminals and cyberwar participants over the last year. 

For example, since the war began, DarkOwl’s collection of content from Telegram has quadrupled in volume. Thousands of Telegram channels now share real-time battlefield reports, promote disinformation, and proliferate malware used by cyber hacktivists and nation state threat actors. One of the Telegram channels that produces the highest volume of unique documents in DarkOwl Vision is a Russian channel titled “Чат Военкоров Русской Весны” [translated] “Chat of Military Officers of the Russian Spring.” Other war-specific channels like @wargonzo, self-described as a “subjective view on war and weapons,” boast over 1.3 million subscribers. 

Expectation of Cyberattacks Against Industrial Control Systems Keeps Everyone on Edge

Russia’s use of unique wiper malware at the start of the invasion, and its earlier success in cyber-based infrastructure attacks that disabled electricity grids across Ukraine in 2015 and 2016, prompted not only Ukraine but also NATO and other Western countries to elevate their cyber defense posture. CISA advised in April 2022 that threat actors – including Russian military operatives – could (and very possibly would) exploit vulnerable industrial control system (ICS) and critical supervisory control and data acquisition (SCADA) devices such as: 

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The ominous CISA advisory was drafted after Dragos published an in-depth report detailing the potential of CHERNOVITE’s PIPEDREAM ICS malware. More recent analysis from Red Balloon adds Siemens SIMATIC and SIPLUS S7-1500 series PLCs to the list of potentially vulnerable ICS-related devices. 

Throughout the last year, various hacktivist groups have targeted these specific devices to disrupt critical infrastructure. AnonGhost allegedly attacked the МонтажРегионСтрой г. Рязань [translated] Montazhregionstroy Ryazan streetlight system in Russia shortly after publishing screenshots of a Moxa control panel and dozens of IP addresses related to its systems. The provocative Anonymous-adjacent cyber cell GhostSec escalated the technical significance and severity of the attacks it conducted against targets across Russia and Belarus, claiming to have successfully targeted and shut down multiple ICS-related control panels.

Figure 8 – Source: GhostSec Telegram Account

GhostSec more recently claimed to have carried out the ‘first ever’ ransomware attack on an ICS-related remote terminal unit (RTU) in an unspecified victim network in Belarus. The group shared screenshots of a TELOFIS RTU968V2 terminal with the string “fuckputin” appended to the end of several file names. Information security researchers have questioned the legitimacy of the group’s claims, but the idea of attacking Linux-based RTUs is not out of the realm of possibility. Newer strains of ransomware like Royal and LockBit 3.0, which have materialized since the invasion of Ukraine, directly target Linux servers and VMware ESXi virtual machine hosts. While direct ICS-specific attacks have been less severe than anticipated, critical industrial market segments such as mining, oil, electricity and natural gas, water, and food and agriculture saw a remarkable increase in successful ransomware attacks by darknet threat actors. This, coupled with a report from Chainalysis indicating that total ransomware payments in 2022 were over 40% lower than in the previous two years, suggests the ransomware ecosystem has potentially transitioned into an instrument of geopolitical agendas instead of pure extortion crime.


Figure 9 – Source: GhostSec Telegram Account

Earlier this week, GhostSec continued its offensive campaigns against critical Russian infrastructure with claims that it had shut down Russian and Belarusian satellite receivers, exposing sensitive global navigation satellite system (GNSS) data. The legitimacy of these claims could not be verified, but satellite systems have been regularly targeted by pro-Ukraine hacktivists since the start of the war. 

Figure 10 – Source: GhostSec affiliated Twitter account

NATO Weapons Surface For Sale on Darknet Marketplaces 

While most of this report has focused on the impacts of the global cyberwar and the malicious cyber campaigns conducted for and against Russia since the invasion, we should also mention that the war has caused a surge in the availability of advanced weaponry on darknet vendor shops and marketplaces. 

Black market weapons dealers who previously specialized in the trade of small arms and handguns on the darknet are now offering US/NATO weapons presumably sourced from Ukraine. Over the last year, DarkOwl has detected multiple advertisements for Javelin ATGMs for sale at $15,000 – $30,000 USD, NLAWs for $8,000 USD, and AT-4s and RPGs for less than $1,000 USD. Last fall, Switchblade 300 and 6000 Kamikaze drones appeared in stock quantities consistent with theft from the battlefield. 

Figure 11 – Source: Black Market Guns Tor Anonymous Network

Ukraine, Cyberwarfare, and the Amelioration of Hacktivism

The invasion of Ukraine and its prompting of a worldwide cyberwar has forever changed the landscape of the darknet, with alliances disrupted and key operations impacted across various underground communities. Telegram is now a critical data source for information sharing not only about the war but other criminal enterprises as collective acceptance and adoption of the chat platform over the Tor network is widespread. 

The activation of hundreds of thousands of hacktivists and cyber vigilantes to carry out highly effective cyber campaigns and concerted DDoS attacks has been realized in ways we could only have previously imagined. It also comes with chaos, as unpredictable cyber cells step on top of each other and potentially compromise Ukraine’s greater military and intelligence initiatives. That reality raises two real possibilities: that such hacktivists are now emboldened to keep fighting even if a peace treaty between Ukraine and Russia is drawn up, and that a similarly capable online army could in the future be used against a Western democracy by a nefarious or rogue nation state. 

If anything, the invasion of Ukraine and the events of the last year have shown us that cyber is an increasingly critical component of a nation state’s military arsenal and of its ability to defend its critical infrastructure, territory, and sovereignty. The Ukrainian people’s resolve in not submitting to their invading Russian neighbors has been mirrored by those who stepped in to support Ukraine, helping protect its networks and continuing to conduct offensive cyber campaigns and information operations on its behalf a year later. The modern battlefield is indeed asymmetric in the most literal sense of the word, with digital warfare also waged psychologically, economically, and socially. In increasingly hyperconnected, digitally dependent societies, cyber will be an effective realm in which to influence and disrupt adversaries for decades to come. 


To learn more about how having visibility into darknet data can combat commercial and national security threats, contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.