Executive Protection and the Dark Web

December 12, 2024

The recent act of targeted violence in New York against Brian Thompson, a health insurance company CEO, unfortunately highlights the need to proactively monitor the dark web and other sources for threats to high-level executives.

Individuals with grievances that can lead to targeted violence often show signs of leakage, which means attacks can be prevented. Furthermore, any exposure executives may have online, including any details about their movements, could be used for real-world targeting. The suspected perpetrator stated he was able to conduct the attack with “basic social engineering.” The more information that threat actors can find out about an individual, the more likely they are to be able to successfully target them.

As instances of data breaches, identity theft, ransomware attacks, and other illicit activities on the dark web continue to increase, it is vital that executive protection efforts adapt to the evolving cybersecurity landscape. Gone are the days of purely physical security-focused executive protection; a comprehensive approach to risk mitigation must now account for the continued rise in cyber threats. This blog provides an overview of the potential impacts of data leaks and breaches on executive security and examines the importance of monitoring for violent rhetoric and reputational damage on the dark web.  

One of the primary threats posed to executives on the dark web is data leaks and breaches. As highlighted in DarkOwl’s “Navigating the Dark Waters of Leaks and Breaches” blog, data leaks are the “unintentional or accidental release or exposure of information,” often due to human error or faulty software. Data breaches, in contrast, are the result of a cyber attack carried out with the intention of accessing, stealing, or manipulating data. Breaches and leaks can be found across the dark web, particularly on hacking forums such as BreachForums. Data breaches continue to be on the rise, with some of the most damaging breaches this year including more than 1 billion stolen records. The persistent increase in breaches over the past few years—data breaches in the U.S. rose by 78% in 2023 compared to 2022—can be accounted for, in part, by the emergence of new ransomware gangs and the evolution of ransomware attacks.

Given the expansive nature of many of these leaks and breaches—such as the recent 2024 National Public Data leak, which affected millions of customers—there is a possibility that executives may be impacted. The exposed data can include a variety of personally identifiable information (PII), including:

  • Full name
  • Job title
  • Employment history
  • Home address
  • Phone number
  • Social Security number (SSN)
  • Driver’s license number
  • Passport number
  • Professional email address
  • Personal email address
  • Credit card number
  • Medical records
  • Social media handles/account information
  • Passwords
  • Cookies

Monitoring data leaks and breaches can allow for the mitigation of threats and malicious activity directed at executives. Indeed, exposed PII can be used by threat actors for a variety of illicit activities, particularly:

  • Identity theft: exposed names, Social Security numbers, credit card information, and bank account numbers can be used to carry out various types of identity theft, including financial, Social Security, and medical identity theft. The identities can be used to gain benefits and commit fraud.
  • Physical threats: the exposure of home addresses can turn a cyber threat into a physical security threat, as threat actors may use the information to engage in stalking, harassment, or violence. Identifying exposed PII can allow for steps to be taken preemptively to secure the executive’s home, whether through surveillance or the installation of additional security devices.
  • Cyber attacks: exposed information can be used by threat actors to carry out social engineering operations such as phishing attacks. Personal and professional emails exposed in leaks and breaches can be used to more convincingly impersonate executives when sending fraudulent emails requesting access to sensitive data.
  • Espionage: leaked executives’ passwords can provide threat actors with the opportunity to engage in corporate and personal espionage by gaining access to emails and internal systems. This type of unauthorized access can allow threat actors to not only steal confidential documents, but also to blackmail and extort executives.
  • Doxing: PII exposed in leaks or breaches can be acquired by threat actors and used to carry out doxings—a form of cyberbullying that involves sharing an individual’s personal information. In extreme scenarios, doxings can result in death threats against the doxed individual. The dissemination of this information—specifically home addresses—may also result in instances of swatting, the act of placing hoax phone calls to emergency services to prompt the response of a Special Weapons and Tactics (SWAT) team.

Figure 1: Example: Data Leak Credit Card Exposure

Figure 2: Example: Doxing and Swatting Threat

In addition to monitoring data leaks and breaches for executive exposure that could result in identity theft, physical threats, targeted cyber attacks, and doxing, a comprehensive executive protection plan should also account for negative chatter on the dark web. Threatening, negative rhetoric directed at organizations and their executives is often seen across social media platforms and imageboards on the surface web, particularly on sites such as 4chan and X (formerly Twitter). Threatening language, however, can also be observed across the deep and dark web, particularly on the dark web-adjacent messaging app Telegram. In some instances, this can include death threats.

Conducting searches for violent rhetoric directed at executives on the dark web using threat detection tools can provide analysts with a more holistic understanding of the dark web threat landscape, and can allow for the identification of threat actors before they are able to carry out attacks. Monitoring the dark web and dark web-adjacent sites can also reveal instances of individuals impersonating executives by using their names or profile pictures. While this type of impersonation isn’t always directly harmful (particularly if the spoofer is posting in channels with few followers), it does have the potential to cause reputational damage depending on the type of content the individual is sharing and the extent of their reach.

The sheer amount of PII exposed in leaks and breaches across the dark web highlights the significance of incorporating dark web monitoring into executive protection plans. In addition to a high probability of exposure given the frequency and scale of leaks—many of which impact millions of individuals—a holistic executive protection plan can also benefit from the monitoring of dark web-adjacent platforms such as Telegram for possible threats or instances of reputational damage. Ultimately, the possibility of threatening rhetoric directed at executives as well as exposure in leaks reflects a need for executive protection to adapt to a continuously evolving threat landscape.

