All Signs Point to a Law Enforcement Takedown of KickAss Forum

On January 9, the KickAss Forum went offline. On Twitter, user @bitsdigit initially reported that the site was seized by law enforcement, but then said the seizure was not a legitimate notice (remarking that “something is very fishy”) and warned others to stay clear. Though the URL in the initial @bitsdigit reporting corresponds to an older KickAss hidden service URL, DarkOwl confirmed that the two most recent onion v3 KickAss URLs are indeed down but do not display the Seized Hidden Service Banner.

On January 7, KickAss moderators started the thread “KICKASS TOR VERSION 3 URLS”, announcing that the old v2 hidden service addresses would be deactivated and that new v3 URLs would be circulating “for security reasons”, perhaps due to recent publicity relating to forum member TheDarkOverlord. Shortly after, the login page for KickAss changed to PRIVATE, with instructions for members to message a Jabber address using Off-The-Record (OTR) for continued access.

Screenshots from DarkOwl Vision from January 2019, listing new KickAss URLs.

Screenshot from DarkOwl Vision from January 2019, with Jabber contact.

However, according to historical records of the forum in DarkOwl Vision, the ka_apps@jabber.calyxinstitute.org Jabber account from a few days ago does not match any Jabber account KickAss moderators have ever mentioned. Additionally, an announcement thread from November 2018, captured by DarkOwl Vision, stated that KickAss staff only use OMEMO for end-to-end encryption, as OTR is not “save” [sic] anymore.

Screenshot from DarkOwl Vision from November 2018, mentioning that KickAss staff only use OMEMO, not OTR.

Given the abrupt private state of the forum days before it disappeared and the use of OTR instead of OMEMO, it seems likely that law enforcement has seized the KickAss forum, and that the Jabber account with OTR was a phishing attempt to garner information about its active members. In the past, law enforcement has taken over hidden services and impersonated their moderators in an attempt to get information about the sites’ members. Dutch police studied the logs of the real admins of Hansa for weeks and even operated the illegal marketplace, throwing the darknet community into chaos in 2017.

One thing that is consistent on the darknet is that hidden services come and go. On Thursday, members of Torum, another popular Tor-based cybersecurity forum, discussed the disappearance of KickAss and the importance of making the most of what’s online while it’s online.

Screenshot of Torum discussion about the KickAss forum disappearance.

DarkOwl will continue to follow this story and report updates as they are available.