In this blog, DarkOwl analysts outline top use cases for intelligence agencies, law enforcement, and government, where darknet data often plays a critical role. These examples of DarkOwl’s software-as-a-service (SaaS) darknet data platform help identify and describe how key data sources in the criminal underground can be leveraged to facilitate analysis and reporting required across intelligence agencies entities’ security departments.
DarkOwl’s darknet data can significantly augment cybercriminal investigations by providing key additive informational components – often in conjunction with other OSINT like social media activity. Data from the darknet often creates a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions. The resulting darknet intelligence (or DARKINT) fills in critical intelligence gaps that solidify evidence such that indictments and subsequent legal action may be executed.
Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and a track threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.
The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision – confirmed the suspect’s activities across various underground communities in the darknet and a leaked IP address provided a potential physical location of João Pessoa, Brazil.
Russia’s late February military invasion of Ukraine and on-going offensive operation was preceded by numerous opportunities for geopolitical situational awareness prior to the invasion, and subsequent monitoring of the conditions is available with a surge of new Telegram channels documenting live events ‘on-the-ground’ and conversations between users that have unique perspectives of the conflict.
DarkOwl detected members of popular deep web hacking forums sharing and discussing the leak of large databases containing sensitive Ukrainian citizen data weeks prior to the actual kinetic military activity. Further analysis revealed state-sponsored threat actors from Russia had performed extensive covert cyber campaigns against Ukraine prior to any official military operation, troop or vehicle movement across the border.
While the darknet is less active with concerted terrorist related recruitment, propaganda distribution, and activity from groups like ISIS, there are an increasing volume of lesser-known terrorist cells using the darknet and adjacent platforms like Telegram to communicate and coordinate their attacks. DarkOwl supports collecting content in over 52 languages and raw data is indexed in the original language of the author as in-platform translation services might corrupt nuances of the original language. The Vision app user interface and API endpoints support in-language search queries and non-English characters.
For example, DarkOwl uncovered documents related to an anti-Israel terrorist group located in Palestine discussing how they and members of Hamas were planning to target military personnel from the Israeli Defense Force (ISF) for digital blackmail and extortion. The group also listed an email address for direct contact and a Bitcoin address for donations to support the group’s cause. (Source: DarkOwl Vision)
Similarly, DarkOwl has also detected online discussions regarding terrorist activity from international groups of concern and their public statements about their involvement in attacks against specific geopolitical targets.
DarkOwl’s aggregated darknet data and near-decades long historical darknet archives are instrumental in supporting law enforcement drug-related investigations. DarkOwl has identified numerous darknet drug vendors selling illicit drugs, such as opioids, fentanyl, and cocaine, in bulk volumes for resellers on decentralized marketplaces and darknet vendor shops.
We have also identified a recent trend where many of the drug vendors advertise on discussion forums and marketplaces bulletin boards how to contact them on alternative platforms to complete their transactions, e.g. WickR, Whatsapp, and Telegram, for increased security and identity protection.
DarkOwl’s near-decades long collection of historical darknet archives enables investigators to successfully uncover the identity of suspects involved in various segments of illicit crime. This includes human-trafficking, child exploitation, drug dealing, weapons proliferation, etc.
DarkOwl analysts regularly observe criminals identified by name by other darknet users and security researchers out of revenge or to disrupt the person’s online activities on popular deep web sites like doxbin[.]org. For example, shortly after the invasion of Ukraine, over two dozen members of the Russia-aligned ransomware group Conti/Ryuk – and its closely associated Trickbot malware development partners – were all doxxed.
Data captured by DarkOwl Vision database is often used to detect existing cyber espionage activity and be potentially leveraged by nation states and intelligence agencies for future cyber espionage campaigns.
In the fallout of the global cyberwar between Ukraine and Russia, hundreds of corporations and government organizations in Russia were targeted and/or compromised by an international army of cyber hacktivists supporting Ukraine . Data leaks from ‘ministerial’ organizations of Russia, e.g. Ministry of Finance, Ministry of Foreign Affairs, etc.; academic and research institutions, such as, the Joint Institute of Nuclear Research (JINR) and the Russian Federal Institute of Science, were among the groups targeted. Also included was data from critical infrastructure suppliers of energy, water, and transportation, which can be utilized for future cyber espionage purposes. Key individuals from those organizations and their personal data have also been released providing opportunities for targeted social engineering attacks to recruit and/or exploit for political and technical intelligence espionage and critical diplomatic initiatives.
The graphic below contains some of the names of Russian organizations that appeared in leaks released on the darknet from hacktivists supporting Ukraine in the war. You can find the full infographic here.
In recent years the United States has experienced an unprecedented rise in domestic extremism, with members of alt-right paramilitary groups like the Oath Keepers and Proud Boys indicting leading the insurrection against the US Capitol in attempt to keep President Trump in office. Many of these groups congregate and collaborate in darknet forums, chatrooms, and Telegram channels. It is well known that deep web’s imageboards like 8kun are a sanctuary for right-wing conspiracy groups like Qanon to congregate and flourish.
DarkOwl’s darknet data platform allows investigators to monitor for activities from these groups and assist investigations by correlating a suspect’s engagement on social media and anonymous networks. Users of imageboards regularly discuss emotionally charged and controversial topics like assault weapon bans and “replacement theory.”
DarkOwl’s darknet data can be utilized for monitoring mentions of the development of malware to target critical infrastructure. This includes tracking the activity of threat actors who specialize in attacks against industrial control systems (ICS). It also can be used to monitor for mentions of specific critical infrastructure targets that threat actors, terrorist groups, and nation-state sponsored actors are intent on conducting cyberattacks against.
DarkOwl detected an offensive cyber group known as the “Jerusalem Electronic Army” (JEA) targeting agricultural water and heating systems in the northern area of “Negev” or the “Gaza Envelope” near Lakish using ICS/Supervisory Control and Data Acquisition (SCADA)-based attacks to poison the region’s water supply.
Another Telegram channel that advertises support for attacks against Israel – and associated with Team Majhidoon (فريق_مجاهدون) and Team AES (فريق_A-E-S) declared campaigns to penetrate Israel’s solar energy systems in Tel al-Rabiya were successful.