2017: A year in review from the perspective of darknet intelligence

It's hard to believe we're one month into 2018, but here we are. And what a busy month it's been! Just look at what's already happened so far:

The public was introduced to Spectre and Meltdown, two classes of CPU vulnerabilities rooted in speculative execution that affect nearly every modern processor. The highly publicized disclosure led to widespread alarm and multiple class action lawsuits against chip giant Intel.

Roughly 240,000 current and former Department of Homeland Security employees had sensitive personal data exposed as the result of a data breach.

Samples of Trisis, a mysterious and potentially devastating cyber weapon built to tamper with industrial safety instrumented systems, sat publicly accessible for nearly a month.

And, in sharp contrast to the highs seen towards the end of last year, Bitcoin is now on course for its worst month in three years.

Looking back, it's hard to believe that Bitcoin breaking the $1,000 mark was landmark news only a year ago. But so it was! Here's a look back at 2017 and the key events that took place along the way.


A strong start for cryptocurrency and a hard hit for Tor hidden services

In January 2017, Bitcoin hit an all-time record high of $1,100 USD, despite China's central bank, the People's Bank of China (PBOC), urging investors to "take a rational and cautious approach to investing in the digital currency." Around the same time, Microsoft added Bitcoin support to its ubiquitous Excel spreadsheet program, letting users track, calculate and analyze Bitcoin data.

In February, the hacker collective Anonymous attacked the Tor hosting provider Freedom Hosting II, knocking more than 10,000 hidden services offline. Anonymous stated it hacked the host for harboring and helping to publish child abuse material on more than 5,000 of the sites it served. The attackers dumped 74GB of files and 2.3GB of database content, along with the private keys of every site hit. It was the second time Anonymous had gone after Freedom Hosting.

Vault 7 included hundreds of documents from the CIA's Center for Cyber Intelligence.

March and April brought to light numerous major commercial data breaches, many of them the product of a cocktail of SQL injection techniques. Thousands of records containing personally identifiable information (PII) appeared for sale across darknet markets, and DarkOwl harvested much of that data into its DarkOwl Vision engine to cross-reference against customer queries. Major datasets circulating included Sony PlayStation, Yahoo and LinkedIn account data, among others, totaling millions of records.

WikiLeaks took the spring's spotlight for "leaks" when it began publishing classified CIA documents under the name Vault 7. The first installment, "Year Zero," documented the scope and direction of the CIA's global covert hacking program and revealed how the agency uses zero-day exploits to spy on targets both at home and abroad. Hackers across the darknet gained tremendous knowledge from the tooling documentation that accompanied the leak, and later in the year from source code WikiLeaks published under the name Vault 8.

 
The message Anonymous left in place of the hacked Freedom Hosting II hidden services

 

In May, the WannaCry ransomware hit more than 300,000 computers across at least 150 countries, crippling the UK National Health Service (NHS) and disrupting patient care in 16 hospitals. It spread on its own by exploiting the SMBv1 vulnerability Microsoft had patched as MS17-010, using the leaked EternalBlue exploit. Two days after the outbreak, French police seized a server running two Tor relays belonging to the French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks. The activist pointed out on his Twitter feed that dozens of other Tor nodes in France disappeared at the same time.

WannaCry Ransomware Instructions

The outbreak was halted by a young cybersecurity researcher, Marcus Hutchins, who registered the unregistered "kill switch" domain the malware checked before encrypting. Hutchins was arrested later in the year in Las Vegas after attending the Black Hat and DEF CON conferences. US authorities charged the researcher, who went by the moniker "MalwareTech," with allegedly creating the Kronos banking trojan, which was built to steal victims' online banking credentials. He could face up to 40 years in prison if found guilty.

While the rest of the world was still working out what ransomware was and how to avoid becoming WannaCry's next victim, authorities sentenced Steven Chase, administrator of the darknet child abuse forum PlayPen, to 30 years in prison and arrested more than 800 of the forum's members across the globe.

We also continued to see medical patient confidentiality at risk: the hacker Skyscraper posted the patient records of 500,000 children, stolen from pediatric practices, for sale on a darknet market.

Darknet markets are seized and cryptocurrency markets respond

Seizure Sites for Hansa and AlphaBay Darknet Markets

At the start of summer, in June, cryptocurrency holders were thrilled to see the price of Bitcoin hit $3,000 USD. In July, a joint international law enforcement effort dubbed Operation Bayonet shook the foundations of the darknet when authorities arrested Alexandre Cazes, creator and administrator of AlphaBay. The takedown of what was then the largest darknet market ever sent thousands of AlphaBay vendors and buyers to Hansa market, which, as we later learned, Dutch police had quietly taken over in June after arresting its administrators and were running as a honeypot. Cazes was found dead in his Thai jail cell days after his arrest, reportedly having taken his own life rather than face international prosecution.

The panic that flooded the darknet when AlphaBay and Hansa fell still pervades it today. Many redditors and darknet forum users were left asking, "where can I find my vendor?" or "what darknet market can I trust?" Dream Market was believed to be the only safe market to transact on, until rumors of its compromise began circulating as well.

 
Paranoia about Dream Market Survival

 

With AlphaBay and Hansa gone, TradeRoute saw a surge in listings and transactions, until security issues began plaguing the popular marketplace. In August, a hacker known only as HugBunter claimed to have breached the market and reportedly blackmailed TradeRoute's administrators for weeks, further calling into question the security of any darknet market.

Throughout this period, DarkOwl observed a drop in Tor relay user activity in the Tor Project's published metrics and an increase in the number of vendor-specific hidden services.

 
HugBunter's post regarding the TradeRoute hack

 

Wolf Creek Nuclear Operating Station, Burlington, Kansas

At the same time that darknet marketplaces were falling and panic was spreading across the darknet, hackers breached the networks of US-based energy utilities.

Wolf Creek Nuclear Operating Station in Burlington, Kansas was the first power facility reported to have had its networks compromised. Fortunately, the administrative network that was breached was separate from the networks controlling plant operations. Rules enforced by the Nuclear Regulatory Commission require "air gaps," meaning plant control systems are not connected, by wire or by radio, to outside systems or the internet, to keep intrusions from affecting US power infrastructure. An air gap limits direct impact, but it does not make the business network a harmless target: the engineers' credentials, network documentation and vendor relationships found there are exactly the reconnaissance an attacker needs before moving against operational systems. It was shortly after this that DarkOwl launched its research and the Utilities Index, evaluating the darknet footprint of major US energy utilities.


In the fall, even more data breaches surfaced on the darknet. HBO suffered a breach that leaked scripts and unaired episodes of its popular Game of Thrones (GoT), and the hacker group OurMine hijacked the network's social media accounts. Equifax was hacked, compromising the credit records of 143 million Americans. Data from the Equifax breach has yet to appear legitimately for sale on the darknet, despite attempts by one group calling itself Equihax0r. The popular darknet hacking forum Ex0du$ mysteriously disappeared, and TradeRoute shut down completely.

In October, the price of Bitcoin rose to $4,288 USD, while a Norwegian newspaper broke the news that the largest child abuse forum on the darknet, Child's Play, had been seized by authorities. In the operation, dubbed Operation Artemis, Australian police ran the hidden service as a honeypot for more than 11 months to identify and trap abusers. It remains the largest operation of its kind, and arrests of the site's staff and members are still ongoing. Child's Play had over a million registered accounts and thousands of active users during the operation.

The remaining darknet markets came under intensive distributed denial of service (DDoS) attack, leading Dream Market to register hundreds of Tor mirror addresses to stay reachable. The darknet's most popular social media site, Galaxy 2, crashed in October, reportedly as a result of poor system administration.

On Thanksgiving in the US, we witnessed the public hack and exposure of Blackbook, the "Facebook of Tor." Account details for its 15,000+ members were subsequently posted on public pastebin sites across the clearnet, as well as on several darknet sites. A hacker known as bRpsd took credit for the breach, claiming to have exploited vulnerabilities in the hidden service's SQL database layer. The doxxed data revealed that an extraordinary number of Blackbook members had registered with clearnet email providers such as Gmail, Yahoo or Hotmail, an operational security lapse that ties a Tor persona directly to an account a provider or investigator can identify.
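The SQL injection pattern behind breaches like Blackbook's, and the spring's "cocktail of SQL injection techniques," comes down to user input being pasted into a query string. The following is an added example, not code from the original post and not Blackbook's code (its real schema and queries are unknown); the members, passwords and in-memory SQLite database are all constructed. It shows a login check and a member search built by string concatenation, the authentication bypass and UNION dump they allow, and the parameterised versions that close both holes.

```python
"""SQL injection against a hidden service's login and search forms.

Added example, not code from the original post or from Blackbook: the site's
real schema and queries are unknown. Everything here is constructed, including
the users, the passwords and the in-memory SQLite database.
"""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the demo short; a real site should use a slow,
    # salted KDF such as scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed member accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "pw_hash TEXT, email TEXT)"
    )
    sample_members = [  # constructed data, not real accounts
        ("admin", "hunter2", "admin@example.onion"),
        ("alice", "correct horse", "alice@example.com"),
    ]
    for username, password, email in sample_members:
        conn.execute(
            "INSERT INTO users (username, pw_hash, email) VALUES (?, ?, ?)",
            (username, _hash(password), email),
        )
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Login check built by string concatenation: user input becomes SQL."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: input is data, never SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def vulnerable_search(conn, term: str) -> list:
    """Public member search, also string-built. A UNION payload turns it into
    a dump of columns the search was never meant to expose."""
    query = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(query).fetchall()]


def safe_search(conn, term: str) -> list:
    """Parameterised search; the wildcards are added in Python, not in SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?", (f"%{term}%",)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the comment marker drops the password check.
    bypass = "admin' --"
    print("vulnerable login bypass:", vulnerable_login(db, bypass, "wrong"))
    print("parameterised login bypass:", safe_login(db, bypass, "wrong"))
    # Data dump: UNION appends the email and hash of every member to the results.
    dump = "zzz' UNION SELECT email || ':' || pw_hash FROM users --"
    print("vulnerable search dump:", vulnerable_search(db, dump))
    print("parameterised search dump:", safe_search(db, dump))
```

Parameterisation is the fix; escaping quotes by hand is not, because the second payload never needs a stray quote once it has closed the string literal. The dumped `email:hash` pairs are also why the Blackbook data was so revealing: a clearnet email address in that column is an identifier that outlives any Tor session.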

Holiday conversations centered on Bitcoin's rapid price surge in November, as many families learned what a cryptocurrency is. Hackers and legitimate website operators alike turned to JavaScript-based cryptocurrency miners that use site visitors' CPU power to mine Monero and other CPU-mineable currencies, a practice known as cryptojacking. Malware researchers showed that some of these scripts keep running after you leave the site and even after you appear to close the browser, by spawning a hidden pop-under window sized to sit behind the Windows taskbar.

By December 16th the price of Bitcoin exceeded $19,000.

Mining-related hidden processes have extraordinarily high CPU usage (courtesy Malwarebytes and The Hacker News)

All was quiet on the darknet until the FCC's vote to repeal net neutrality rules passed just the week before Christmas, leaving many astounded.

To end the year, police arrested, and courts sentenced, multiple drug vendors from Dream Market and Agora. It was reported that police had seized servers from the Russian marketplace Hydra, though the Russian administrators denied any police activity on their official Telegram channel, attributing the service disruption instead to an alleged DDoS attack against their servers.

“Dear friends, guests and long-time Hydra users! We have just stopped all the timers. The decision to take this measure is connected with an unstable work of the market caused by DDoS attacks. Pre Orders, orders, disputes, rent payment are temporarily frozen. No need to worry. The situation is under control. Please, wait till the server operation is fully restored.”
— @hydraoniondeep

As 2018 continues, we anticipate that the darknet as we know it will remain a place of uncertainty and volatility, with continued attempts to de-anonymize users through traditional browser vulnerabilities and through traffic and timing correlation techniques. Resurrections of previous darknet markets will be promoted and new markets will emerge, as they have time and again after past market seizures.
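The timing correlation technique mentioned above works because Tor does not reshape traffic: the burst pattern of a flow entering at a guard relay survives, delayed and slightly lossy, at the exit or destination. The following added example is not code from the original post and not a DarkOwl tool; the traffic is constructed (packets per 100 ms bin for three flows seen at the entry side and one flow seen at the exit side, with the exit flow being flow A delayed by three bins and missing two packets). It scores each candidate entry flow against the exit flow over a range of lags with Pearson correlation and picks the best match, which is the core of the attack an adversary watching both ends would run.

```python
"""End-to-end timing correlation against Tor-style flows.

Added example, not code from the original post and not a DarkOwl tool. The
traffic is constructed: packet counts per 100 ms bin for three flows seen at
a guard (entry) relay and one flow seen at an exit or destination. A real
attacker would need to observe both ends; the arithmetic is the same.
"""
import math

BIN_MS = 100  # width of each timing bin, in milliseconds (assumption)

# Constructed entry-side flows: packets per 100 ms bin.
ENTRY_FLOWS = {
    "A": [5, 0, 0, 3, 7, 0, 1, 0, 0, 6, 2, 0, 0, 0, 4, 0, 8, 0, 0, 1, 0, 0, 5, 5, 0, 0, 2, 0, 0, 7, 0, 0],
    "B": [1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1],
    "C": [0, 0, 6, 0, 0, 0, 0, 5, 0, 0, 0, 0, 7, 0, 0, 0, 0, 4, 0, 0, 0, 0, 6, 0, 0, 0, 0, 5, 0, 0, 0, 0],
}

# Constructed exit-side observation: flow A delayed by three bins (~300 ms of
# circuit latency) with two packets lost in transit (7 -> 6 and 8 -> 7).
EXIT_FLOW = [0, 0, 0, 5, 0, 0, 3, 6, 0, 1, 0, 0, 6, 2, 0, 0, 0, 4, 0, 7, 0, 0, 1, 0, 0, 5, 5, 0, 0, 2, 0, 0]


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0  # a constant flow carries no timing signal
    return cov / math.sqrt(vx * vy)


def correlate_at_lag(entry, exit_flow, lag):
    """Correlate the entry flow with the exit flow shifted later by `lag` bins."""
    n = len(exit_flow) - lag
    return pearson(entry[:n], exit_flow[lag:lag + n])


def all_scores(exit_flow, entry_flows, max_lag=8):
    """Best correlation over all lags for each candidate entry flow."""
    return {
        name: max(correlate_at_lag(entry, exit_flow, lag) for lag in range(max_lag + 1))
        for name, entry in entry_flows.items()
    }


def match_flow(exit_flow, entry_flows, max_lag=8):
    """Return (flow name, lag in bins, correlation) of the best-matching entry flow.

    max_lag bounds the circuit latency the attacker is willing to consider;
    8 bins is 800 ms here, comfortably above typical Tor circuit delays.
    """
    best = (None, 0, -1.0)
    for name, entry in entry_flows.items():
        for lag in range(max_lag + 1):
            r = correlate_at_lag(entry, exit_flow, lag)
            if r > best[2]:
                best = (name, lag, r)
    return best


if __name__ == "__main__":
    name, lag, r = match_flow(EXIT_FLOW, ENTRY_FLOWS)
    print(f"best match: flow {name} at lag {lag * BIN_MS} ms, r = {r:.3f}")
    for flow, score in all_scores(EXIT_FLOW, ENTRY_FLOWS).items():
        print(f"  flow {flow}: best r = {score:.3f}")
```

Two things the numbers make concrete. Moderate packet loss barely dents the score, which is why an attacker needs only coarse counts, not payload. And the steady flow B is nearly useless to the attacker: shaping traffic into a constant-rate stream is exactly the cost that padding defences pay to break this correlation.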

It is likely that Tor will continue to grow in popularity, especially with what we predict will be an increasing number of net neutrality activists and refugees. We also expect Tor's growing popularity to drive many users to other darknets such as I2P and ZeroNet, both of which saw significant increases in usage throughout 2017.

