Q2 2023: Product Updates and Highlights

July 19, 2023

Read on for highlights from DarkOwl’s Product Team for Q2, including new product features and collection stat updates!

Data and Product Updates

DarkSonar Launch and Updated Features

In April, DarkOwl announced the release of a new product, DarkSonar API, to help organizations better assess and track their potential cyber risk based on the nature of their exposure on the darknet. 

Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors over time of organizational exposure of email addresses with associated passwords, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks. 

In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in nearly 75% of the cases where a company publicly acknowledged a breach. 

Date Input Option

This recently added feature allows users to input the date of a known event or breach, to get DarkSonar signals and trending for the months leading up to that date. This update is particularly important for customers with known historical incidents (reminder – DarkOwl never captures API queries in the system!).


In case you missed it and want to learn more about DarkSonar and the importance of forecasting cyber threats, there are several resources available to check out: 

  • Report: Forecasting Cyber Threats: This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations.  
  • Blog: Cyber Risk Modeling: Introducing DarkSonar: With cyberattacks on the rise, organizations need better intelligence to enable them to model cyber risk to prevent and predict cyberattacks. 
  • Webinar: Tracking Your Relative Risk on the Darknet: DarkOwl’s CTO explains how to potentially predict cyberattacks and why modeling risk is essential for all organizations of any size. 
  • DarkSonar API Document: Signals to inform threat modeling, third party risk management, and cyber insurance, that potentially predict the likelihood of attacks. 

Search Tabs

The product team has added Search Tabs into the Research section of the UI, thanks to customer feedback! With Search Tabs, a user can have up to four search inquiries open at the same time. This will help users pivot while still retaining results from another search. To start a new search, simply click on the “+” icon next to the current result tab. With this new feature, the quick filter menu has also been adjusted to be more streamlined.

Enhanced Forum Presentation

The product team is most excited about improvements to forum presentation in our UI and Search API. A user will be able to easily distinguish thread Titles, number of posts on the time of collection, Users, Post Dates, and Posts. The numbers of forums available in the new format is growing every day, as of early July, there are 60 available. The below screenshot demonstrates the new formatting.

Decode/Encode Buttons

The Decode URL feature allows users to see the original (non-encoded) URL. Users need the encoded version to search in URL in our system. If a URL has been encoded, there will be a new Decode URL button below the URL in the search result.

Example of improved forum presentation and Decode URL

User-Selected Default Search Settings

The team has also added more personalization to the UI so that users can select their own Default search options for sorting, seeing duplicates, or seeing empty bodies. Ease of use for customers is always top of mind when implementing new changes and features.

Alternate Telegram Usernames

Telegram channels have become increasingly popular with threat actors as a means of advertising illicit goods and communicating with each other. Although Telegram users can change their display name as often as they want, when registering they are assigned a user ID which cannot be changed.

This quarter the team added a feature which allows the user to search on the User ID with the click of a button to see all the posts made by that user regardless of their username saving the analyst time and making it easy to focus in on posts. The screenshot below from Vision UI shows exactly when someone has changed their name in a channel, what their old name was and what they have changed it to. As mentioned above, their user ID is not changed.

Lexicon Updates

DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter a huge audit took place updating and adding hundreds of Lexicon entries for Forums, Markets, and Ransomware Sites. Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.

Collection Stats and Initiatives 

The collections efforts and team continue to grow as advances are made in crawling technology and focus on emerging areas of activity continues. Below stats show tremendous areas of growth over Q1, 2023.


This quarter 386 new chat channels and groups and 56 unique data leaks, totaling 900,000 new documents, were added. The team was able to obtain and index most channels and data leaks requested by customers within 24 hours of the incoming request. Some of the most notable include Shell.com, Viva Air, and Eye4Fraud.

Entity Numbers

As of the beginning of Q3 this year, DarkOwl Vision has captured the below number of critical entities and the database is growing every day.

Notable Leaks added in Q1:


Russian ransomware gang Cl0p, mainly oriented around double extortion ransomware, successfully exploited a zero-day vulnerability in the MOVEit file transfer tool in June 2023 which has led to the exposure of over 150 victims. The group listed Shell.com as one of their victims and released files including names, email addresses, phone numbers, social security numbers, physical addresses and more of customers and employees as well as internal documents. DarkOwl analysts are seeing their activity continue into July, with more victims being added and more files released. Learn more about the Shell Data Breach. 

File structure in  DarkOwl Vision from Shell breach indicating what victim information is available.

Throughout June, the actors were highly active using the nascent MOVEit zero-day vulnerability. They have shared details of their victims on their leak site which now contains over 150 organizations with information relating to 15 million individuals. Stay tuned as we release more in-depth analysis of MOVEit and their recent activities.

Viva Air

Viva Air, a budget airline based in Colombia, was allegedly hacked in March 2023 by Ransomexx ransomware. According to the original posting, shown in the DarkOwl Vision screenshot below, on BreachForums, 26.5 million records containing clients names, dates of birth, passport numbers, phones, and emails were leaked with a total size of 18.25GB. The posting also provided a sample of the data showing the personally identifiable information leaked. Processing this alone added nearly 450,000 documents into the DarkOwl darknet database. DarkOwl analysts also found listings and conversations about the leaked data re-posted for sale on several other forums and marketplaces as well as Telegram.  


In March 2023, Eye4Fraud, a global fraud detection firm, publicly announced that they fell victim to a data breach that resulted in the compromise of over 16 million unique email addresses, as well as full names, phone numbers, physical addresses from businesses that use their services. The company provides services to help protect against fraudulent orders for eCommerce companies and received criticism for their slow response to notify customer about the breach. 

On the Horizon

Be the first to hear an exciting announcement from the DarkOwl team – we are about to launch something you will not want to miss! To get a preview of this new release, schedule a time to speak to one of our team members.

See why DarkOwl is the Leader in Darknet Data

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.