Q2 2025: Product Updates and Highlights

July 17, 2025

Welcome to our Q2 roundup! This quarter, the DarkOwl Product Team doubled down on customer feedback, delivering powerful enhancements across Vision UI and API. From streamlined workflows to smarter site identification, here’s what’s new.

Case Findings: Faster, Smarter, More Visual 

We’ve reimagined how users create and manage Findings in Vision UI.

  • Inline Annotation Workflow: Now you can label, snippet, and note your Findings directly from the Search Result or Alert—all without leaving your spot. 
  • Summary View: A new visual dashboard gives you a quick snapshot of your Case’s Findings activity and attributes. 
  • Customer-Driven Enhancements: 
    • Hyperlinks on the Case landing page for faster navigation 
    • Improved data handling when converting Alerts to Findings 

Site Names and Aliases: Identification at a Glance

We’ve made it easier to identify and filter to website sources across our platform. 

  • Enhanced Display: Site names now appear directly on Search Results and Alerts in Vision UI. 
  • Lexicon Boost: Known aliases are now searchable, improving discoverability. 
  • New API Features: Provide contextual information and targeted filtering options. 

In Search API, responses now include a new siteId field for websites identified in the DarkOwl Vision dataset. A new siteId query parameter lets you filter to a particular site of interest, without having to know specific source domains or mirrors.

Additionally, to provide greater feature compatibility between Vision UI and API, we have launched two new endpoints within Context API: Site Context API and Site Summary API. Site Context provides supplemental information about named websites (sites) that have been identified in our dataset, and Site Summary provides programmatic access to the Vision UI Lexicon features.  

Curious to learn more? Contact us.  

Universal Phone Number Builder 

To better support our entire client base, the team removed the US-specific Phone Number builder in favor of a Universal Phone Number Query Builder. This new template allows you to enter all the sections of a phone number – country code, area code, and local number – and then automatically structures the query for you.

Report Downloads in Word 

Entity Explore and DARKINT Score Reports in Vision UI can now be downloaded in either PDF or Microsoft Word formats. With Word format, customers can then use the text with their own logos, branding, or other enrichment! 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products.  

The team had astounding growth of 38% in data leak records. To break it down, the team had 16% growth in email addresses, 7% growth in credit card numbers, 12% increase in total collected ZeroNet documents, 3% growth in cryptocurrency addresses, 23% growth in total collected paste documents, and another 14% growth in total collected records from Telegram – just to highlight a few.  

When your search results are from data leaks, you can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature or the Leak Context API endpoint.

Orange.com and Orange.ro

Data purported to be from Orange was posted on BreachForums, a hacking forum, on February 25, 2025. According to the post, Orange experienced a significant data breach following their refusal to pay a ransom demanded by the threat actor, Rey. Data exposed includes customer records, source codes, internal documents, invoices, contracts, project details, tickets, user data, employee data, messages, credit card information, personally identifiable information (PII), and call logs.

The breach, primarily affecting Orange Romania but also impacting global divisions, resulted in the exposure of over 600,000 customer records, including 380,000 unique email addresses. Additionally, sensitive data such as source code, internal documents, financial records, project details, employee information, and confidential project plans were compromised.

According to media reports, the threat actor, who is a member of the HellCat ransomware group, claimed to have exfiltrated approximately 6.5GB of data, consisting of nearly 12,000 files, by exploiting stolen credentials and vulnerabilities within Orange’s Jira and internal portals.

4chan

Data purported to be from 4chan was posted on Chicken Tikka Masala in /pol/ AnarchyLost edition, a Telegram Channel, on April 14, 2025. Data exposed includes email addresses, IP addresses, usernames, ident protocols, IRC chat messages and message board posts. Additionally, source code for the 4chan board was released. Review of the content indicates the leak contains private conversations of the janitors and moderators on the 4chan IRC channel and /j/ 4chan message board. According to media reports, the hack is suspected to have been carried out by individuals associated with the “Soyjak.party” community, who allegedly exploited vulnerabilities in outdated PHP code to gain access.

LockBit Hack

On May 7, 2025, an unknown hacker defaced the LockBit ransomware group’s data leak site with the message “Don’t do crime CRIME IS BAD xoxo from Prague”, which linked to a file hosted on the LockBit domain. Data exposed is a MySQL database dump of LockBit’s affiliate data containing bitcoin addresses, internal chats, build configurations and a users table. According to cybersecurity researchers, the SQL database is from the site’s affiliate panels and contains data timestamped from December 2024 through April 2025. The data includes 59,975 unique bitcoin addresses, a builds table with public keys and victim names, build configurations and 4,442 negotiation messages from their chats. Additionally, 75 admin credentials were exposed, with some plain text password exposure for the affiliate panel. LockBit claimed a hacker bypassed the authentication process for their automatic registration portal. The ransomware group asserted that while the database was compromised, no decryption tools or sensitive victim company data were accessed. LockBit also offered a reward for information leading to the identification of the hacker responsible for the breach.

interpol.int

Data purported to be from INTERPOL was posted on DarkForums, a hacking forum, on May 2, 2025. According to the post, the threat actor converted the original SQL file into JSON format, to make the content easier to read. Data exposed includes email addresses, names, physical addresses, phone numbers, and IP addresses. The dataset includes references to hash types such as MD5 and SHA512, suggesting the potential presence of password hashes. However, at this time, it cannot be confirmed whether these values represent actual passwords, nor whether they are definitively linked to the associated email addresses or usernames.

Russian Medical Center 1.1M

Data purported to be from Russian Center of Aviation Medicine (TsAM) was posted on DarkForums, a hacking forum, on May 9, 2025. According to the post, the data was breached on April 4, 2025 and contains 1.1 million person records on aviation-related health screenings, pilot certification, and aerospace medical research. Data exposed includes medical records, names, dates of birth, genders, ethnicity, national ID numbers, passport numbers, tax identification numbers, physical addresses, email addresses, phone numbers, user identification number (UID), patient data, occupation, and cause of death. SNILS (СНИЛС in Cyrillic) stands for Individual Insurance Account Number in Russia. It’s a unique number issued and used by the Pension Fund of the Russian Federation to track residents’ social security accounts. The SNILS number consists of 9 unique digits that identify the individual, followed by 2 final digits that act as a checksum for validation.
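The SNILS structure described above (9 identifying digits plus 2 check digits) can be used to separate plausible SNILS values from random 11-digit strings when triaging records for exposure monitoring or DLP. The following is an added example, not DarkOwl code; the weighting rule (digits weighted 9 down to 1, reduced modulo 101) is the publicly documented SNILS check scheme and is not stated on this page, and all sample values are constructed.

```python
import re

# Candidate pattern: 9-digit number plus 2 check digits, with optional
# "-" or space separators (e.g. "112-233-445 95" or "11223344595").
SNILS_RE = re.compile(r"\b(\d{3})[- ]?(\d{3})[- ]?(\d{3})[- ]?(\d{2})\b")

def snils_checksum(number9: str) -> int:
    """Check value for the 9-digit part: digits weighted 9..1 from the left."""
    total = sum(int(d) * w for d, w in zip(number9, range(9, 0, -1)))
    if total < 100:
        return total
    if total in (100, 101):
        return 0
    remainder = total % 101
    return 0 if remainder == 100 else remainder

def is_valid_snils(value: str) -> bool:
    """True if value is an 11-digit SNILS whose last two digits match the checksum."""
    m = SNILS_RE.fullmatch(value.strip())
    if not m:
        return False
    number9, check = "".join(m.group(1, 2, 3)), int(m.group(4))
    # The check scheme is only defined for numbers above 001-001-998;
    # lower values cannot be verified, so they are rejected here.
    if int(number9) <= 1001998:
        return False
    return snils_checksum(number9) == check

def find_valid_snils(text: str) -> list[str]:
    """Return normalized (digits-only) SNILS values in text that pass the checksum."""
    hits = []
    for m in SNILS_RE.finditer(text):
        if is_valid_snils(m.group(0)):
            hits.append("".join(m.groups()))
    return hits

# Constructed sample; the numbers are synthetic test values.
SAMPLE = """\
uid=1001 snils=112-233-445 95 note=ok
uid=1002 snils=112-233-445 96 note=bad check digits
uid=1003 snils=08765430300 note=no separators
uid=1004 phone=+7 495 000 00 00
"""

if __name__ == "__main__":
    print(find_valid_snils(SAMPLE))
```

A passing checksum only shows that a value is well-formed; it does not confirm that the number was ever issued or belongs to the person named in the record.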


Curious how these features and data can make your job easier? Get in touch!

DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.