Thoughts from our CFO on recently observed darknet trends

Quick Dive into recent trends in hackish data


DarkOwl continuously and autonomously exfiltrates darknet information 24/7. We then index, store, and score it according to how likely this information is to be interesting to criminals. Having this vantage point gives us unique insight into traffic and trends on the darknet, which we continually post about on our blog. One lens through which we can view our data to form theories – and sometimes even conclusions – about the reasons behind fluctuations in darknet traffic is a proprietary score that we call hackishness™ (algorithm pictured here).

In a nutshell, hackishness is a term DarkOwl uses to broadly describe the criminal relevance of any posting. The score runs from 0% to 100%, and is based upon a number of data points including context, recency, and the presence of nefarious material on the darknet page. For example, a page with 100% hackishness might include PII, illegal goods or illicit information. On the other hand, a page with 0% hackishness might be something totally innocuous, such as a reprint of a news article.

Below is a graph representing the new, 95%-10% hackish posts found weekly in the DarkOwl Vision database from mid-January to March 19, 2020. Upon observing the curious downward slope, followed by the sharp uptick in hackish content we collected in our database, I decided to take a closer look to see if we could determine why.

Documents considered to be “StrictHack” have over a 95% hackishness score and come strictly from the darknet (not deep web or paste sites)


This graph shows that the amount of new darknet information was surprisingly stable from January 17, 2020 to February 27, 2020. The mean of this new weekly highly hackish data was 13,688 pages and the standard deviation was only 10.2.

But starting the week beginning 2/21/20, this darknet data tally fell by 13%, followed by a weekly drop of 27% the next week and 30% the week ending March 12, 2020. Interestingly, this downward trend began the same week that global stock markets began to wobble. Just like global financial markets, the amount of new criminally interesting information was dropping precipitously.

Then, something different happened the week of March 13 to March 19, 2020. While global markets continued their decline, the number of new highly hackish data posts jumped to this year’s high. To see if we could provide an explanation for this sharp spike, we turned to what we call “Map the Dark”, which, among many other things, categorizes every piece of current and historical darknet content we find into 54 separate categories.

The graph below isolates the eight categories which account for what DarkOwl estimates was 92% of 10,832 new darknet posts from January 7, 2020 to March 19, 2020.

This graph shows the total number of hackish documents detected in our database since January 7th, with percent change included to demonstrate how some categories have seen an increase in darknet content over this period of time.


Breaking down these new results by category gives us some interesting insights into what may have caused this surge in hackish content.

Of these new posts, almost half (5,010) are related to Hosting. Why might that be? Likely this is due to the fact that on the evening of March 9, 2020, one of the most prominent darknet hosting platforms – Daniel’s hosting service – was hacked yet again. While darknet hosting sites go down periodically, the loss of Daniel’s has proven more problematic for those that operate on the darknet than others.

Thus, I theorize that the noticeable increase in hackish content categorized as Hosting likely derives from the nearly 800 users of Daniel’s hosting services adding new content to other hosting services as they migrated to other providers. This migration almost certainly accounts for most of the steep drop in darknet traffic observed in the middle of March and the rebound in the weeks following.

The second highest category is Directory, identified by content that contains link lists and darknet addresses for hidden services, and accounts for another 836 new posts. If we assume that the new content in the Hosting category and Directory category are related to the Daniel migration, that would account for 54% of the darknet change observed so far this year.

And what of the remaining 46% of the darknet changes observed since January? Actually, the second biggest jump in darknet posts was in Markets, at 1,969 new posts. Considering the timing, many of these could potentially have been Covid-19 related.

The remaining new posts include the Fraud, Counterfeit, and Scams categories. These 3 categories represent 8.3% of all the new hackish content, and are probably the portion most closely related to new criminal activity designed to take advantage of the current Covid-19 panic. And lastly, the remaining portion of 368 new hackish darknet documents, or roughly 3% of the total, is linked to the Forum category, which the media focuses on far beyond its actual statistical weight.

Closing thoughts

Covid-19 related?

Much is being written continuously about the great daily changes that Covid-19 has wrought. When we set out to look at the reasoning behind the uptick in hackish content in our database, there was strong reason to believe that it may have been directly attributable to the pandemic. At this point in time, we cannot say for sure – in fact it would appear that that is not the case. Likely, the disintegration of Daniel’s hosting service has been much more impactful on darknet traffic than a few vendors attempting to sell surgical masks. But, as time passes from our collective mid-February realization that something monumental might be happening, more data has been collected and can be analyzed to see if we are moving away from “normal” or back towards it.


Stay tuned for an upcoming analysis from our data team regarding the greater impact of Daniel’s Hosting take-down. Sign up to our newsletter to hear about it as soon as it’s published!
