Into the Darknet: Who is Developing + Using MTV?

This week we continue our "Into the Darknet" blog series, which aims to provide readers with a better understanding of the darknet's history, users, uses and purpose and examine other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

As we introduced last week, MTV is an overarching term that DarkOwl Cybersecurity has adopted to refer generally to all malware, toolkits and viruses used to test, penetrate, exploit or compromise personal or commercial information systems and data.


Tor’s Hidden Services and the anonymous nature of the darknet make it an ideal space for the collaboration on and the dissemination of MTV. In this post, we use DARKINT to take a look at the personas and types of groups behind MTV development. While some hold the common stereotype of a "hacker" to be some 400 pound guy sitting at his computer, the ethnicity, gender and level of creative sophistication behind the hackers and MTV developers of today is more diverse and unpredictable than ever before.

While malware is often spoken of with a malicious connotation, some malware is developed for the sole purpose of information assurance, e.g. penetration testing, by ethical software developers, or white hats. We regularly witness hackers of all types in darknet forums and chat room discussions, often offering their services and digital goods for sale in underground markets. The scale of the offered operation and expertise with varying types of MTV varies dramatically according to each developer's or hacker's intent and resources.

Some malicious code is developed by individuals, but a majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds. MTV is developed and deployed by several different types of groups including state sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit security researchers and hobbyist/individual hackers.*

*Stay tuned for a post comparing these groups, their expertise and intentions!


In a computer laboratory on the campus of Massachusetts Institute of Technology (MIT), a crusader for the concept of open source and freely accessible software by the name of Richard Stallman conceived the term “black hat” to contrast the maliciousness of a criminal hacker with the spirit of playfulness and exploration of the booming hacker culture. 

While "white hat" and "black hat" correspond to those who infiltrate computer information systems with either good or evil intent, we all know there are many shades of grey in between the two. Most of us in information security struggle with labels and can certainly relate to the idea that most hackers will wear a “rainbow hat,” taking on a different shade depending on his or her mood, experience and intention at the time.


One definition of "grey hat" hackers encompasses those who utilize black hat methods with a white hat, or ethical, intent. Another states that grey hat hackers are often white hat security experts by day who act as malicious black hat hackers by night. Regardless, grey hats have been instrumental to the software development community, identifying many 0-day exploits before they are a public, major security issue.  However, once a grey hat hacker receives payment or monetary gain for their work, he has crossed the boundary into the realm of a black hat. The specifics of a grey hat hacker’s formal code of ethics are unfortunately unknown.

Politically charged groups like Anonymous recruit grey hat hackers to use both white hat and black hat hacking methodologies to launch their attack against an organization’s network, often to highlight their moral, political or ethical statement or “hacktivist” campaign. These hackers come from all age groups and backgrounds and are widely distributed across the globe. They have been most active on the darknet in several campaigns to oust criminals involved in illicit activities with children, where the hactivists exposed these criminals of the darknet by releasing their names and email addresses.



The typical cyber criminal organization consists of a group of predominantly male, black hat hackers with an average age of about 35. While the true percentage of “organized” digital crime is unknown, many cyber crime rings consist of small groups of individual black hats who collaborate together for monetary gain, like the 2013 ATM Casher Crew, comprised of less than a dozen members, whose average daily earnings totaled almost $5MM after the group successfully hacked 4,500 ATMs across 20 countries. [1]

Some organized crime groups have developed and disseminated malware designed specifically to steal bank account details from an infected computer. This same malicious software could also be used to turn the affected machines into a “zombie army” to launch a distributed denial of service (DDoS) attack against the bank with the intent to distract the bank's IT security staff, while the team cleans out bank accounts using the stolen account credentials or offers the credentials for sale on popular darknet marketplaces like AlphaBay.

In December 2016, authorities arrested 35-year old Aaron James Glende (aka IcyEagle) for hosting over 300 darknet market listings selling credentials, including an offer of “Hacked SunTrust Bank Account Logins $100-$500 Balances” for $9.99. [2]


From white hat hackers using MTV for legal, sanctioned penetration testing to black hat hackers deploying MTV to steal and sell account credentials, the various players in the MTV realm are developing and deploying these malware, toolkits and viruses at an alarming rate. The darknet is their playground of choice, and DARKINT allows us to better understand and track developments when it comes to MTV.

Join us next week when we take a closer look at comparing the varying levels of experience and intent behind hacker personas!