2017: A year in review from the perspective of darknet intelligence

It's hard to believe we're one month into 2018, but here we are. And what a busy month it's been! Just look at what's already happened so far:

The public was introduced to the computer bugs Spectre and Meltdown, the results of a major chip flaw that has the potential to affect nearly every computer chip on the planet. The highly publicized discovery of the bugs led to widespread panic and multiple class action lawsuits against tech giant Intel.

240,000 current and former employees of the Department of Homeland Security had their sensitive personal data exposed as the result of a data breach.

A mysterious, devastating cyber weapon named Trisis sat in public view for nearly a month.

And, in sharp contrast to the highs seen towards the end of last year, bitcoin is now on course for its worst month in three years.

Looking back, it's hard to believe that Bitcoin breaching the $1,000 benchmark was landmark news just a year ago. But so it was! Here's a look back at 2017 and the key events that took place along the way.


A strong start for cryptocurrency and a hard hit for Tor hidden services

In January 2017, Bitcoin hit an all-time record high of $1,100 USD despite the fact that China's central bank, the People's Bank of China (PBOC), urged investors to "take a rational and cautious approach to investing in the digital currency." During the same period, Microsoft added Bitcoin support to its hugely popular Excel spreadsheet program to allow users to track, calculate, and analyze Bitcoin data.

In February, the hacker group Anonymous targeted Tor hosting provider Freedom Hosting II, taking over 10,000 hidden services offline. Anonymous stated that it hacked the web hosting provider for harboring and assisting in publishing illicit child content on over 5,000 of its services. The hackers dumped 74GB of files and 2.3GB of database content as well as the private keys of every site hit. This was the second time Anonymous had targeted Freedom Hosting.

Vault7 included hundreds of documents from CIA's Cyber Information Operations Center.

March and April brought to light numerous major commercial data breaches, often carried out through a cocktail of SQL injection techniques. Thousands of records, including leaked personally identifiable information, appeared for sale across darknet markets, and DarkOwl successfully harvested much of the data into its DarkOwl Vision engine to cross-reference against customer queries. Major databases included those of Sony PlayStation, Yahoo and LinkedIn, among others, totaling millions of account records.

WikiLeaks took the spotlight for "leaks" in the spring when it began sharing classified documents from the CIA under the name Vault 7. The first part of the series, called "Year Zero," documents the scope and direction of the CIA's global covert hacking program and revealed how the CIA uses sophisticated zero-day exploits to spy on its enemies both at home and abroad. Hackers across the darknet gained tremendous knowledge from the source code and documentation that accompanied this breach.

The message Anonymous replaced hacked Freedom Hosting II hidden services with

In May, the WannaCry ransomware hit more than 300,000 computers across at least 150 countries, crippling the UK National Health Service (NHS) and impacting patient care in 16 hospitals. Two days after the WannaCry outbreak, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks. The activist pointed out on his Twitter feed that tens of other Tor nodes in France all disappeared during the same period.

WannaCry Ransomware Instructions

The attack was stopped by a young cybersecurity researcher, Marcus Hutchins, who was arrested later in the year in Las Vegas after attending the international Black Hat and DEF CON conferences. US police charged the hacker, who used the moniker "MalwareTech," with allegedly creating the Kronos virus, which aimed to steal people's online banking details. He could face up to 40 years in prison if found guilty.

At the same time that the world was trying to figure out what ransomware was and how to avoid becoming WannaCry's next victim, authorities sentenced Steven Chase, the administrator of the popular darknet child predator forum PlayPen, to 30 years in prison and arrested over 800 forum affiliates across the globe.

We also continued to find that medical patient confidentiality is at risk, as hacker Skyscraper posted the patient data of 500,000 children, stolen from pediatricians, for sale on a darknet market.

Darknet markets are seized and cryptocurrency markets respond

Seizure Sites for Hansa and AlphaBay Darknet Markets

At the start of summer, in June, cryptocurrency holders were enthusiastic to see the price of bitcoin hit $3,000 USD. In July, a joint international law enforcement effort, dubbed Operation Bayonet, shook the foundation of the darknet when authorities arrested Alex Cazes, the creator and administrator of AlphaBay. The disruption of what was at the time the largest ever darknet market sent thousands of AlphaBay vendors and buyers to Hansa market, which was simultaneously functioning as a honeypot run by the Dutch police, as we found out when its moderators were also arrested in June. Cazes was found dead in his Thailand jail cell days after the arrest, allegedly opting to take his own life rather than face international prosecution for cyber crime.

The subsequent panic that flooded the darknet when AlphaBay and Hansa came down still pervades the darknet today. Many redditors and users of darknet forums were found asking, “where can I find my vendor?” or “what darknet market can I trust?” … Dream Market was believed to be the only safe market to transact with, until rumors of their compromise began circulating as well.

 
Paranoia about Dream Market Survival

With the demise of AlphaBay and Hansa, TradeRoute experienced a surge in listings and transactions, until security issues soon began plaguing the popular marketplace. In August, a hacker known only as HugBunter claimed to have breached the market and supposedly blackmailed TradeRoute administrators for weeks, bringing into further question the security of any darknet market.

Throughout this time, DarkOwl witnessed a drop in user relay activity reported by the Tor Project and an increase in the appearance of vendor-specific hidden services.

HugBunter's post regarding TradeRoute Hack

Wolf Creek Nuclear Operating Station, Burlington, Kansas

At the same time that darknet marketplaces were falling and panic was permeating the darknet, hackers breached the networks of US-based energy utilities.

Wolf Creek Nuclear Power Station in Burlington, Kansas was the first power facility to have its networks compromised. Luckily, the administrative network that was hacked was separate from the networks controlling plant operations. Rules enforced by the Nuclear Regulatory Commission require "air gaps," meaning that a plant's control systems do not connect by wire or antenna to outside systems or the internet, to prevent impact on US power infrastructure. It was shortly after this that DarkOwl launched its research and the Utilities Index, evaluating the darknet footprint of major US energy utilities.


In the fall, even more data breaches surfaced on the darknet. OurMine and HBO had a full-on cyber war over the release of several episodes of HBO's popular Game of Thrones (GoT). Equifax was hacked, compromising 143 million American credit reports. Data from the Equifax breach has yet to appear legitimately for sale on the darknet, despite attempts by one group who call themselves Equihax0r. The popular darknet hacking forum Ex0du$ mysteriously disappeared, and TradeRoute shut down completely.

In October, the price of bitcoin rose slightly to $4,288 USD, while a Norwegian newspaper broke the news that the largest child abuse and illicit child content forum on the darknet, Child's Play, had been seized by authorities. To execute the operation, dubbed Operation Artemis, Australian authorities ran the hidden service as a honeypot for over 11 months to trap child abusers. It remains the largest operation of its kind, and arrests of the site's staff and members are still ongoing. Child's Play had over a million registered accounts and thousands of active users during the operation.

The remaining darknet markets came under an intensive distributed denial of service (DDoS) attack, which led Dream Market to register hundreds of Tor mirror sites to avoid being taken offline. The darknet's most popular social media site, Galaxy 2, crashed in October as a result of poor system administration.

On Thanksgiving in the US, we witnessed the public hack and exposure of Blackbook, the Facebook of Tor. The account details of its 15,000+ members were subsequently posted on public pastebin sites across the clearnet, and on several darknet sites as well. A hacker known as bRpsd took credit for the breach, claiming to have exploited vulnerabilities in the hidden service's SQL databases. The resulting doxxed data revealed that an extraordinary number of Blackbook members had used popular email providers such as Gmail, Yahoo or Hotmail for their account registration.

Holiday conversations focused on bitcoin's rapid price surge in November, as many families learned what a cryptocurrency is. Hackers and legitimate website administrators alike turned to JavaScript-based cryptocurrency miners to harness the CPU power of their site visitors' PCs to mine Bitcoin or other cryptocurrencies, a practice known as cryptojacking. Malware experts revealed that these scripts keep running well after you have left the website, and even after closing the browser.

By the 16th of December the price of Bitcoin was in excess of $19,000.

 
Mining-related hidden processes have extraordinarily high CPU usage (courtesy MalwareBytes and The Hacker News)

All was quiet on the darknet until the FCC's reform of net neutrality rules passed just the week before Christmas, leaving many astounded.

To end the year, multiple drug vendors from Dream Market and Agora were arrested and sentenced. It was reported that police had seized servers from the Russian marketplace Hydra, though the Russian administrators denied any police activity on their official Telegram channel, instead attributing any disruption in service to an alleged DDoS attack on their servers.

“Dear friends, guests and long-time Hydra users! We have just stopped all the timers. The decision to take this measure is connected with unstable operation of the market caused by DDoS attacks. Pre-orders, orders, disputes and rent payments are temporarily frozen. No need to worry. The situation is under control. Please wait till the server operation is fully restored.”
— @hydraoniondeep

As 2018 continues, we anticipate that the darknet as we know it will continue to be a place of uncertainty and volatility, with attempts to de-anonymize users through traditional browser vulnerabilities and creative traffic and timing-correlation techniques. Resurrections of previous darknet markets will be promoted and new darknet markets will emerge, as they have time and time again after previous market seizures.

It is likely that Tor will continue to grow in popularity, especially with what we predict will be an increasing number of net neutrality activists and refugees. We predict that Tor's increasing popularity will drive many to other darknets such as I2P and ZeroNet, both of which also saw a significant increase in usage throughout 2017.



Major Darknet Social Media Site and Admin Lameth Gone for Good?

For the last few weeks, regular members of the popular Galaxy2 (or G2 to the regulars) darknet social media site on Tor have been anxiously waiting to hear the cause of the site's unexplained week-long downtime. Rumors circulated across darknet and IRC chatrooms that the site was under DDoS after G2's hidden service initially returned a 502 Bad Gateway error and then became unresponsive.

On Thursday night, after refreshing the hidden service yet another time to see if it was back up, members were shocked to see a bittersweet update from the site admin, Lameth.

Figure 1 - What remains of G2 hidden service (26 Oct 17, Source: http://w363zoq3ylux5rf5[.]onion)

It turns out the DDoS rumors were unfounded. In fact, the server hosting G2 suffered a catastrophic hardware failure, leading Lameth to announce that he had "failed the community" in his duty as host and admin by not regularly backing up the server's data. Hence his comment, "Galaxy2 is not coming back anytime soon" (Figure 1). He adds that even if G2's site data could somehow be salvaged, this is the end for him as an administrator and site host.

What is G2?

The original "Galaxy" Tor-based social network was founded and run by an admin named Krueger. Galaxy2, created by an admin known as "Lameth," was a "reincarnation" of the original site, which disappeared without warning or explanation, like many a Tor hidden service. Lameth was well known for establishing DarkNexus Chat 5.0, a web-based IRC-like chat room that used HTTP refresh and required no JavaScript.

Figure 2 - DarkNexus Chat Description by Lameth (2015, Source: DarkOwl Vision)

What was G2 like?

Figure 3 - Sample Galaxy2 Profile Page

G2 imported many of the features of mainstream social media such as Facebook and Twitter and was considered more modern and user-friendly than the 1980s-style bulletin board systems found across the rest of Tor. Members could customize their profile page using their darknet pseudonym, or "alias," add photos, upload files, create blog posts, and comment on posts made by other members. The site also supported a private message system for sending and receiving mail from other members, as well as an instant message, or chat, utility between site "friends." The advanced features required JavaScript and were often underutilized by members.

G2 facilitated a variety of member groups, ranging from hackers to political activists, darknet newbies and feminists to a group dedicated to sharing recipes. Most groups were open to all members unless they were invite-only, very similar to Facebook groups on the clearnet. Popular groups included "The Café at the End of the Internet", "Deepest Onion Links", and "OPSEC", where members could openly discuss the technical specifics of how to remain anonymous on the darknet as well as share links of interest across Tor.

 
Figure 4 - Popular Groups on Galaxy2

Lameth offered no safe haven for the roughly 20,000 displaced users of G2, but encouraged members to consider other darknet social media hidden services and chat services. TorBook and Blackbook are considered the next best alternatives, but some users say that Blackbook poorly regulates users posting illicit content involving minors, and that TorBook, which looks exactly like Facebook, has advertisements on the main activity wall, cluttering up the user experience.

 
Figure 5 - Login screen for TorBook Social Media Site

In an interview in 2014, shortly after the debut of G2, founder Lameth commented on the importance of social media, internet privacy and the anonymity that Tor provides.

I believe that people should be allowed to interact with each other without the fear of persecution or other risks to their person. Not everyone is sharing that privilege. A social network on the dark web can provide this; it can be a platform for exchanging ideas, debating points of view, and help expand people’s knowledge and understanding of other cultures.

But really, Tor is about freedom. It’s about the freedom to express yourself without fearing the government imprisoning you or worse. It’s about being able to surf the Internet without being subjected to traffic analyzing, surveillance, or censorship. Tor also helps the young girl in some oppressive regime to tell her story, and report on the real situation of her village, or the gay man to meet other people without fearing death squads and raids, or the whistleblower to contact journalists with confidential information about how the government or an enterprise is violating human rights and constitutional law.
— Andrew Lameth, "Socializing the Dark Web"

While many believe that the darknet is full of the most heinous of criminals, selling fentanyl and abusing children, darknets such as Tor and I2P also make it simple to connect people anonymously, many of them from countries with oppressive governments that block clearnet social media sites like Facebook. Galaxy2 will be sorely missed, and DarkOwl will keep you informed if and when a comparable hidden service surfaces.