IRC Protocol: Instant Messenger of the Darknet

Before the age of social media, dedicated messaging apps, and even SMS text on your mobile phone, computer and networking enthusiasts communicated via an open internet protocol known as IRC, or Internet Relay Chat. This text-based chat protocol first surfaced in 1988, written by Finnish software developer Jarkko Oikarinen (IRC nick "WiZ") at the University of Oulu. The protocol was documented in 1993 as RFC 1459 (later updated by RFCs 2810 through 2813), an open standard that does not belong to any specific person, company, or group. That is a large part of why IRC is not going away anytime soon: it has already outlived a long line of proprietary instant messaging applications, and will likely outlive today's social media chat platforms as well.

“If it is not logic, it’s magic.
If it is not magic, it is female logic.”
— Jarkko Oikarinen

Everything you need to know about IRC

IRC follows a client/server model. A network is a set of linked servers that share user and channel state; a user connects to any one of those servers with a standalone chat application or a web interface client and then joins channels hosted on the network. There are a number of Windows, Mac, and Linux based IRC clients available for diving into the hidden social network of IRC; however, because most clients are maintained by academic or recreational open source developers, finding an actively supported, up to date client can be challenging. Another downside is that the protocol itself carries every message in cleartext. Most networks now also offer TLS (conventionally on port 6697), which protects the connection between the client and the server, but even then every message passes through the server in the clear, where operators can read or log it: IRC has no end-to-end encryption, which makes it one of the least private protocols still in everyday use. For this reason, many IRC servers recommend that users connect through a Virtual Private Network (VPN) and/or Tor before joining certain channels or discussing sensitive subjects, so that neither the server nor the other users ever see the user's real IP address. None of this guarantees anonymity, and some networks block or restrict connections from Tor exit nodes. Some servers also provide IP/host cloaking, which masks a user's hostname or IP address in WHOIS output and join messages so the rest of the users on the network cannot see it. Cloaking protects users from each other, not from the server, which still sees the real address.

The people behind an IRC server are as diverse as the topics available for discussion. Individuals and groups across the world host IRC servers, creating a decentralized network of endless chat possibilities. The "channels" available on an IRC server are akin to "rooms" within a building where people gather to discuss the channel's subject of interest or topic. Some IRC networks have hundreds or even thousands of channels to choose from; Freenode, for example, publicly lists (at the time of writing) over 52,000 unique channels across its servers. The exact number of live IRC servers is unknown. Even so, irc.netsplit.de lists over 500 publicly advertised IRC networks, and there are many Tor-based IRC servers that are not advertised at all.

Channel names on an IRC server begin with a hash sign ("#") and span a broad set of discussion topics. As one would expect, many are specific to computing, such as #linux, #python, or #networking, but others range from sports to special interests or even religious beliefs. IRC can be an excellent resource for troubleshooting software or asking technical questions, as many developers, such as those contributing to Linux distributions or mobile applications (e.g. #iPhonedev), are active on IRC and eager to answer questions and help beginners. On the other hand, some IRC conversations are extremely general, an overly complicated form of social interaction for those who prefer to connect virtually with others instead of in person.

Once a user successfully connects to an IRC server, the command /join #<channel name> enters the channel of their choice, unless the channel's modes prevent it: an invite-only channel (mode +i) requires an invitation from a channel operator, a keyed channel (mode +k) requires a password supplied as /join #<channel name> <key>, and a channel operator can ban a nick or host mask (mode +b) to keep abusive users out. In some special instances, a user might strongly believe they deserve access to an invite-only channel and have been unfairly denied. If that is the case, and the server supports the KNOCK extension (it is not part of RFC 1459, but many modern IRC daemons implement it), the user can type /knock #<channel name> <message>, where message is a custom note delivered only to the channel operators; it does nothing for a user who is banned. Similar to real life, knocking insistently on the door is unlikely to get one in and may instead annoy the operators and get the user banned from the server entirely.

Most IRC users avoid using their real names on the servers and instead connect under a "nickname" or alias. Frequent visitors register their "nick" with NickServ, a services bot present on most networks, to prevent other users from using that name. Sending /msg NickServ REGISTER <password> <email> from the main server window (not a channel window; many clients also accept /ns or /nickserv as a shortcut, and the exact syntax depends on the services package the network runs) associates the email address with the nick and prevents any other guest on the server from using it. Note that the password travels inside an ordinary IRC message, so registration and the later /msg NickServ IDENTIFY <password> logins should only be done over a TLS connection, and the password should not be reused anywhere else. Users concerned with anonymity or connecting from the darknet register with an anonymous email address such as secMail or TorBox rather than a clearnet address (e.g. Gmail or Yahoo) that is associated with their personal identity or could be used in any way to identify them.
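The join and nick registration commands above are what the user types into the client; on the wire they become short text lines, and the server answers with text lines of its own. The following Python walk-through is an added example, not code from the original post or from any IRC project: it builds the NICK/USER registration, answers the server's PING, identifies to NickServ and joins a channel, and parses the replies with a small RFC 1459 line parser. The server transcript, the host irc.example.net, the nick darkowl_bot and the password are constructed placeholders, and the NickServ IDENTIFY/REGISTER syntax is the one used by the common services packages; a real network may differ.

```python
"""Wire-level walk-through of an IRC session (added example, not from the page).

Builds the lines a client sends to register a nick, identify to NickServ and
join a channel, and parses what the server sends back. The server transcript,
the host irc.example.net, the nick and the password are constructed placeholders.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class IrcMessage:
    prefix: Optional[str]  # sender: "nick!user@host" or a server name
    command: str           # verb ("PRIVMSG") or three-digit numeric ("001")
    params: List[str] = field(default_factory=list)

def parse_line(line: str) -> IrcMessage:
    """Parse one RFC 1459 line: [':' prefix ' '] command {' ' param} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # the trailing param may contain spaces
    params = head.split()
    if sep:
        params.append(trailing)
    command, *params = params
    return IrcMessage(prefix, command.upper(), params)

def format_line(command: str, *params: str) -> str:
    """Build a client line. CR/LF inside a parameter is refused: user-supplied text
    containing "\\r\\nQUIT" would otherwise inject a second command into the stream."""
    params = list(params)
    for p in params:
        if "\r" in p or "\n" in p or "\0" in p:
            raise ValueError("CR/LF/NUL in IRC parameter")
    for p in params[:-1]:
        if " " in p or p == "" or p.startswith(":"):
            raise ValueError("only the last parameter may contain spaces")
    if params and (" " in params[-1] or params[-1] == "" or params[-1].startswith(":")):
        params[-1] = ":" + params[-1]
    return " ".join([command, *params]) + "\r\n"

def registration_lines(nick: str, user: str, realname: str) -> List[str]:
    """The first two lines a client sends after connecting (RFC 2812 USER form)."""
    return [format_line("NICK", nick), format_line("USER", user, "0", "*", realname)]

class Session:
    """Decides what the client sends in response to each server line."""

    def __init__(self, nick: str, channel: str, nickserv_password: str):
        self.nick, self.channel, self.password = nick, channel, nickserv_password
        self.joined = False

    def handle(self, raw: str) -> List[str]:
        msg = parse_line(raw)
        sender = msg.prefix.split("!")[0] if msg.prefix else None
        if msg.command == "PING":  # an unanswered PING gets the client disconnected
            return [format_line("PONG", *msg.params)]
        if msg.command == "376":   # end of MOTD: services are reachable from here on
            # A one-time "REGISTER <password> <email>" goes the same way. Either way the
            # secret sits inside an ordinary PRIVMSG, so without TLS it crosses the wire in clear.
            return [format_line("PRIVMSG", "NickServ", f"IDENTIFY {self.password}"),
                    format_line("JOIN", self.channel)]
        if msg.command == "JOIN" and sender == self.nick:
            self.joined = True     # the server echoes our own JOIN once we are in
        elif (msg.command == "PRIVMSG" and msg.params[0] == self.channel
              and msg.params[1].startswith(self.nick + ":")):
            return [format_line("PRIVMSG", self.channel, f"{sender}: see the channel topic")]
        return []

def run_session(server_lines: List[str], session: Session) -> List[str]:
    """Replay a server transcript through the session; returns every client line in order."""
    sent = registration_lines(session.nick, "bot", "DarkOwl example bot")
    for raw in server_lines:
        sent.extend(session.handle(raw))
    return sent

def open_connection(host: str, port: int = 6697, use_tls: bool = True) -> socket.socket:
    """Connect to a live server. 6697 is the conventional TLS port; the default context
    verifies the certificate, so a forged certificate on the path makes the connect fail."""
    sock = socket.create_connection((host, port), timeout=30)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return sock

# Constructed server transcript; nothing below touches the network.
SAMPLE_SERVER_LINES = [
    "PING :E2A1F7C4",
    ":irc.example.net 001 darkowl_bot :Welcome to ExampleNet darkowl_bot!bot@198.51.100.7",
    ":irc.example.net 376 darkowl_bot :End of /MOTD command.",
    ":darkowl_bot!bot@198.51.100.7 JOIN :#python",
    ":alice!alice@user/alice PRIVMSG #python :darkowl_bot: where is the FAQ?",
]

if __name__ == "__main__":
    for line in run_session(SAMPLE_SERVER_LINES, Session("darkowl_bot", "#python", "hunter2")):
        print(">>", line.rstrip())
```

Two points in the code matter for the security discussion above. The NickServ password is just another PRIVMSG parameter, which is exactly why the plaintext nature of IRC matters; open_connection defaults to TLS on 6697 with certificate verification for that reason. And format_line rejects carriage returns and line feeds because a newline embedded in something a user typed (or that a bot relays from elsewhere) would otherwise be interpreted by the server as a second command.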

Popular uses of IRC Channels

Over recent years of darknet intelligence collection and interaction in the grey world of computer security, our analysts have found widespread use of IRC for coordination, collaboration and communication among darknet and deep web regulars on everything from hacking to carding. AnonOps and other offensive cyber collectives offer Tor-hosted IRC servers and channels covering topics such as #hackers, #hardchats, #tor and #ddos, plus numerous "#op"-prefixed channels for specific operations targeting everything from the NSA to Russia.

User-submitted posts on Verified Carder, a popular deep web carding forum, explain how IRC can be used to verify stolen or hacked credit card numbers, and the benefit of connecting with "cashiers" who can help turn a stolen card into money.

 

Figure 1 Discussion on Finding "Cashiers" on IRC on a Popular Carding Forum

 

For this reason, DarkOwl maintains active autonomous data collection across hundreds of IRC servers and channels, and queries filtered to IRC-captured conversation are available using the search pod "Protocol->IRC." DarkOwl Vision has successfully collected numerous conversations in which stolen credit card information is offered for sale or for verification.


Figure 2 Vision Capture from DarkIRC Carding Verification on 11 May 2018

Once connected to an IRC server, conversations in the channels are known for their brightly colored text. The colors are applied by the client: some come from mIRC-style inline color codes that users embed in their own messages, and the rest (nick coloring, highlights) can usually be changed in the client's preferences, depending on the chat client of choice. A few sample screenshots from various chat clients are shown below.


Figure 3 Quassel Application Sample IRC


Figure 4 HexChat Sample Chat


Figure 5 Weechat Sample Chat

Many IRC servers also offer web-based chat clients, which is useful for users who want to run IRC from within Tor Browser. Web-based IRC clients require JavaScript, so running one over Tor means enabling JavaScript in Tor Browser (its "Safest" security level disables it), which widens the browser's attack surface compared with a native client pointed at the Tor SOCKS proxy.


Figure 6 AnonOps WebChat Login


Figure 7 AnonOps Web Interface Sample Collection

When viewing IRC conversations in DarkOwl Vision, the exact text is extracted without color or emphasized font faces. In the result from a recent IRC protocol search in DarkOwl Vision, the date and time stamp of each message is displayed along with the nickname of the user in capital letters, preceded and followed by "--", and the message the user submitted to the channel. If the conversation included any hyperlinks (clearnet or darknet), the engine captures these as well.

As with any result in DarkOwl Vision, the Metadata Details are included, and any data containing personally identifiable information, such as email addresses, social security numbers or credit card numbers, is tagged appropriately.
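Tagging card numbers in captured chat text relies on a checksum every payment card number carries. The following Python is an added example, not DarkOwl Vision's own tagging logic: it scans chat lines for 13 to 19 digit runs, keeps the ones that pass the Luhn check, and masks them so an analyst can see that a card was present without the full number being stored in search results. The log lines are constructed in the "--NICK--" layout described above, not real captures, and the two card numbers are public test values rather than real cards.

```python
"""Flagging card numbers in captured chat text (added example; not DarkOwl's own logic).

Finds runs of 13 to 19 digits (spaces or dashes allowed), keeps the ones that pass
the Luhn checksum every payment card number carries, and replaces them with a
masked token so an analyst sees that a card was present without storing the PAN.
The log lines below are constructed; the card numbers are public test values.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, single space/dash separators allowed, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the 6-digit issuer prefix and the last 4, which is what analysts need."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def tag_cards(line: str) -> Tuple[str, List[str]]:
    """Return the line with valid card numbers masked, plus the list of masked values."""
    found: List[str] = []

    def replace(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # a ticket number or timestamp: leave it alone
        found.append(mask_pan(digits))
        return found[-1]

    return CANDIDATE.sub(replace, line), found

def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Index of every line that contained at least one card number, with the masked values."""
    hits = []
    for i, line in enumerate(lines):
        _, found = tag_cards(line)
        if found:
            hits.append((i, found))
    return hits

# Constructed sample in the "--NICK--" layout; not real captures.
SAMPLE_LOG = [
    "2018-05-11 14:02:17 --CASHR-- anyone checking? 4111 1111 1111 1111 exp 09/20",
    "2018-05-11 14:02:41 --NOOB22-- my ticket id is 1234567890123456 not a card",
    "2018-05-11 14:03:05 --CASHR-- also 5500-0000-0000-0004 cvv in pm",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(tag_cards(line)[0])
```

Luhn alone accepts one in ten random digit strings of the right length, so a production tagger also checks issuer prefixes and lengths and, for chat traffic, nearby words such as "cvv" or "exp". Masking rather than dropping the match keeps the record useful for analysis while avoiding storing a full card number in the search index.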


Figure 8 Vision IRC Collection from 24 May 2018


Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.