The Rise and Fall of BreachForums… For Now?

Updated: May 30, 2024

As we reported last week, the popular data-sharing dark web forum BreachForums was seized by Law Enforcement. At the time of writing, one of the clearnet mirrors was still up and pointing to a new Telegram channel promising to be back soon.

By 23 May, BreachForums was back with a new onion address; the administrators, ShinyHunters, announced the new site on Telegram. Initially only those who had previously held an account were able to enter. Whereas its predecessor had many open areas, the new site required users to log in before any information could be shared. However, a few days later registration was opened.

Many in the community have speculated that this new site is a honeypot run by Law Enforcement and are avoiding it. However, ShinyHunters have been posting large leaks from well-known organizations such as Ticketmaster, which some have speculated is intended to increase interest in the site again.

Others have decided to start their own site. Well-known threat actor USDoD, who often posted on the now seized BF, announced via Twitter that he would be launching his own site, called Breach Nation, in early July.

DarkOwl analysts will continue to monitor both the new version of BreachForums and any new sites which pop up to replace it.  


May 16, 2024

At around 8am PST on May 15, 2024, BreachForums (BF), the infamous dark web marketplace known for trading in stolen data, was seized by the FBI. The FBI declared that the site had been seized in conjunction with international law enforcement partners. They also announced that they had taken control of Telegram channels which were linked to one of the administrators, Baphomet.

Figure 1: Seizure notice on BF 05/15/24 

However, this is not the first time this site has been subject to law enforcement action, with two of its predecessors having been seized.

BreachForums is the third in a line of dark web forums set up to trade in stolen data. Threat actors would upload data relating to companies, usually stolen through hacking activity but also through scraping and unintentional open access. The site was also used to sell access to others, with initial access brokers selling access to corporations for large sums of money. Other services were also available, as well as access to things like stealer logs and malware.

Figure 2: RaidForums Seizure Notice 

The site which began this model was known as RaidForums, which emerged onto the scene in 2015 and quickly became one of the largest sites dealing in stolen data. The site was live until 2022, when the owner and administrator of the site, known as Omnipotent, was arrested and charged with six criminal counts. Omnipotent turned out to be a 21-year-old Portuguese national living in London named Diogo Santos Coelho, who continues to fight his extradition to the US to be prosecuted. Ironically, it was possible to identify Coelho’s true identity using the very breach data that he facilitated on his site.

Not long after the seizure of RaidForums, an actor known as Pompompurin, who had been active on the site, created a new forum which he named Breach Forums to fill the gap left by Raid. However, the site did not operate for long: Pompompurin was arrested in March 2023 and a few months later the site was seized. The seizure notice included the avatar used by Pompompurin, highlighting that he was a target of the investigation and likely how they had gained access to the site’s backend. As part of the affidavit the FBI also confirmed that they had access to the BreachForums site.

Figure 3: BreachForum seizure notice June 2023 

Pompompurin was exposed as Connor Brian Fitzpatrick, a 20-year-old from New York State. He pled guilty to hacking and child pornography possession and was sentenced to 20 years’ supervised release.

The co-administrator of Breached alongside Pompompurin was known as Baphomet. He took control of the domain(s) in the period after Fitzpatrick’s arrest; however, after a short time he shut down the site, claiming the FBI had access and it was not safe to use. A lot of back and forth between actors and across domains ensued, with warnings not to trust new forums and leaks of BF users being circulated. Telegram was used heavily to communicate about the arrest and the possibility of a new site. However, Baphomet did later bring back the forum, reportedly partnering with a group known as Shiny Hunters, who were well known for selling stolen data they claimed to have obtained. Many in the community speculated that the new site was a LE (Law Enforcement) honeypot, but users continued to use the new site.

The latest iteration of BreachForums had been operating since mid-2023, run by Baphomet. As well as being the administrator of the forum, he also maintained several Telegram channels relating to the forum, including one which was used to upload stolen data that was freely available to viewers of the channel.

Although the site was active for just under a year before it was seized, some very high-profile breaches were leaked to the site in that time, including AT&T, 23andMe and T-Mobile. DarkOwl analysts have collected over 100 leaks from this site in the last year.

One actor who has been very active on the site in recent weeks, and was also a moderator, is known as IntelBroker, who claims to be part of a hacking collective known as “CyberNi**ers.” (Redacted for sensitivity reasons). He has claimed access to data from corporations such as Hilton and Dell, as well as government access to the DOD, Canada and the United Arab Emirates. As recently as May 15, he posted on BF claiming to have access to an aerospace and defense company; the site was seized shortly after.

Figure 4: Source: DarkOwl Vision

Last week he claimed to have data stolen from Europol, specifically the EC3 group. Europol confirmed the data was theirs, although it stipulated that no sensitive information was stolen. Some in the community have speculated that the release of this information is what led to Law Enforcement taking action against the site.

At the same time the BF site was seized, a message was posted on a Telegram channel controlled by Baphomet claiming that it was now under the control of the FBI. The same was true for a second channel also under his control. The post encouraged subscribers of the channel to report any information they knew to the FBI through a dedicated Telegram channel. DarkOwl analysts observed actors claiming that they had contacted the FBI and received a response, although it is unclear if they were sharing any content of value.

Figure 5: Baphomet Telegram channel under control of the FBI

This marks one of the first times that the FBI have appeared to take action on the Telegram platform. Given the way the message was posted, presumably they obtained credentials which allow them to control the channel rather than acting through cooperation with the owners of Telegram. This highlights the role that Telegram plays in this underground community and how large numbers of actors are communicating.

Indeed, it was on Telegram that rumors started to circulate that Baphomet had been arrested. This was shared by several actors including Shiny Hunters and IntelBroker. Shiny Hunters also moved to make their Telegram channel private, meaning it could not be identified through a global search and only invited users would be able to see the content.  

Figure 6: Telegram message from Shiny Hunters stating that Baphomet was arrested

We await confirmation from the FBI as to whether or not this is the case and who the individual behind the alias is. However, perhaps foretelling the arrest, the avatars of both Baphomet and Shiny Hunters were shown behind bars on the FBI seizure notice.

Figure 7: Baphomet and ShinyHunters avatars behind bars on Breach Forum seizure notice

Multiple Telegram channels have been very active over the last 24 hours with speculation about what has happened to the actors involved in BF and what sites should take its place. Two Breach Forums Telegram channels, where data can be uploaded and chat can be conducted, remain active at the time of writing, with documents being shared and rampant conversations speculating on the arrest of Baphomet and the role of undercover agents on the site. There was also speculation about a site called Doxbin, which seemed to go down at the same time, although its operators are claiming to still have control of the domain.

A new channel was also created to share “news”, with its creators claiming they had warned that the site was an FBI honeypot the whole time.

Figure 8: Telegram Post claiming the forum was a honeypot the whole time 

It is therefore clear that Telegram will have a role to play in whatever happens next for BreachForums and for the users that make data available and purchase and download it.

There has also been speculation about what sites will fill the void left by BreachForums, with many existing forums being suggested as front runners. From the history of RaidForums through to the current iteration of BreachForums, it seems likely that a successor will emerge, whether a new or an existing site.

DarkOwl analysts will continue to monitor the situation to identify what emerges.  



What are CVEs?

May 14, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know what they mean. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. In this edition, let’s dive into CVEs.

CVEs 101

CVE is an acronym thrown around frequently in the cybersecurity space. CVE stands for Common Vulnerabilities and Exposures. CVE is a list of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identifier called a CVE ID. According to the National Institute of Standards and Technology, CVE defines a vulnerability as “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).” When a security vulnerability is identified, it receives a CVE ID number. This identifier is used to monitor and reference the vulnerability in security advisories released by vendors and researchers, and gives a uniform way to search for the same vulnerability across databases.

The concept of the CVE database originated in a whitepaper by co-creators Steven M. Christey and David E. Mann of the MITRE Corporation. The initial CVE list was made publicly available in 1999 and continues to grow. There are currently over 247,000 CVEs, and in the first week of 2024 alone over 600 were cataloged. The system is maintained by the United States’ National Cybersecurity FFRDC, which is run by the MITRE Corporation and receives funding from the US Department of Homeland Security’s National Cyber Division.

Keeping a record of all CVEs allows security and IT researchers to coordinate efforts in prioritizing and resolving these vulnerabilities. To keep CVE records organized, there is a CVE Program dedicated to identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities.

Not only are CVEs important for keeping track of vulnerabilities in a way that is repeatable, searchable and trackable, but they also raise security awareness. Because CVEs are publicly documented, there is better awareness of potential threats and security concerns. Individuals and organizations have the ability to search vulnerabilities and take the necessary actions to secure their computer systems and networks. CVEs allow security professionals to stay up to date on the latest security flaws and vulnerabilities.

CVEs in the Wild

The Cl0p ransomware gang, active since 2019, shifted their focus to exploiting the MOVEit vulnerability to target victims starting in May 2023, and carried on with this campaign throughout the summer. They exploited the SQL injection vulnerability known as CVE-2023-34362 in MOVEit Transfer, which is extensively used for managing file transfer operations across numerous organizations. Cl0p’s exploitation of this vulnerability had significant repercussions for several prominent brands and companies, garnering substantial media coverage. It’s estimated that roughly 2,000 instances of the MOVEit vulnerability were exploited, affecting approximately 60 million individuals worldwide. These figures may be conservative due to under-reported incidents and efforts by affected entities to conceal the extent of network intrusions. Nevertheless, experts projected that the group stood to gain around $100 million from exploiting this vulnerability. If this vulnerability were left unaddressed, it could lead to significant data breaches, loss of sensitive information, and severe disruption of services.

Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress

CVE-2023-22515: Confluence Data Center and Server by Atlassian

Last fall, the Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, which affects Confluence, to escalate privileges and access Trigona’s Confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfiltrated the developer environment and information pertaining to Trigona’s crypto payments, as well as the back end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Unpatched CVEs pose a danger to all, including the cybercriminals who use the affected tools.

CVE-2022-42475: FortiOS SSL-VPN Vulnerability

Continuing their worldwide efforts to infiltrate government, military, and key sources of intel, China exploited an existing Fortinet vulnerability (CVE-2022-42475) in early February of this year. This was done to deploy a backdoor named COATHANGER and gain access to a network used by the Dutch military. This was the first time the Dutch have publicly attributed a cyber incident to Chinese actors. This vulnerability, along with CVE-2023-22515, emphasizes the importance of maintaining good security hygiene and always updating computer systems to the latest version.

Cyber Actors Discuss CVEs on the Darknet

Cyber criminals and hackers frequently discuss vulnerabilities in various platforms on the darknet. Discussions of relevant software and the exploitability of specific CVEs can assist an organization in identifying potential unpatched vulnerabilities. Figure 2 shows a forum discussion about an exploit for CVE-2022-30190, a Microsoft Office vulnerability that hackers can leverage for remote code execution.

Figure 2: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision

Figure 3 shows a post to a hacker forum on the darknet by the user known by the moniker PresidentXS, which discusses an Azure vulnerability, CVE-2019-1306, “Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability.” An attacker who successfully exploits this vulnerability can execute malicious code in the context of an ADO service account.

Figure 3: Source: DarkOwl Vision

Posts and discussion threads like these examples in DarkOwl Vision are useful for reviewing comments and exploring applications and use cases for a specific vulnerability.

Based on feedback from our customers, CVEs are identified and tokenized within our indexed documentation collection. DarkOwl Vision UI users can search for results containing a specific CVE number, as well as for results containing any number of CVEs. CVE tokenization makes it easier to search for CVEs alongside keywords or other entities such as onion domains or threat actor aliases.
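As an added example (not DarkOwl’s code and not the Vision API), the Python below puts the two ideas from this post into working form: the CVE ID syntax described under CVEs 101 is used to recognize and normalize identifiers in free text, and the resulting tokens are indexed so a CVE can be searched alongside a keyword such as an actor alias. The forum-style posts are constructed for the demonstration.

```python
"""Extract and normalize CVE identifiers from free text and index them for search.

Added example; it is not DarkOwl code and does not use DarkOwl Vision's API.
The forum-style posts below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of at least
# four digits (the sequence part is not capped at four digits). Forum text is
# sloppy, so lowercase and a space after "CVE" are accepted and normalized.
_CVE_RE = re.compile(r"\bcve[-\s]?(\d{4})-(\d{4,})\b", re.IGNORECASE)
_FIRST_CVE_YEAR = 1999  # the CVE list was first published in 1999


def extract_cves(text: str) -> list[str]:
    """Return normalized, de-duplicated CVE IDs in order of first appearance."""
    found: list[str] = []
    for match in _CVE_RE.finditer(text):
        year, seq = match.group(1), match.group(2)
        # Reject IDs with an impossible year; they are typos or fakes, not CVEs.
        if not _FIRST_CVE_YEAR <= int(year) <= 2100:
            continue
        cve_id = f"CVE-{year}-{seq}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def build_index(posts: dict[str, str]) -> dict[str, set[str]]:
    """Map each CVE ID to the set of post IDs that mention it (the tokenization)."""
    index: dict[str, set[str]] = defaultdict(set)
    for post_id, text in posts.items():
        for cve_id in extract_cves(text):
            index[cve_id].add(post_id)
    return dict(index)


def search(posts: dict[str, str], index: dict[str, set[str]],
           cve_query: str, keyword: str | None = None) -> list[str]:
    """Post IDs mentioning the CVE, optionally also containing a keyword."""
    normalized = extract_cves(cve_query)  # accepts "cve 2023-34362" and similar
    if not normalized:
        return []
    hits = index.get(normalized[0], set())
    if keyword:
        hits = {p for p in hits if keyword.lower() in posts[p].lower()}
    return sorted(hits)


def cves_for_keyword(posts: dict[str, str], keyword: str) -> list[str]:
    """All CVE IDs mentioned in posts that contain the keyword (e.g. an alias)."""
    found: set[str] = set()
    for text in posts.values():
        if keyword.lower() in text.lower():
            found.update(extract_cves(text))
    return sorted(found)


# Constructed sample posts, loosely imitating darknet forum chatter.
SAMPLE_POSTS = {
    "post-1": "is cve-2022-30190 (office) patched everywhere now or not? asking for a friend",
    "post-2": "CVE-2023-34362 MOVEit thread: who got hit, which vendors patched yet?",
    "post-3": "CVE 2023-22515 confluence priv-esc, also see CVE-2023-34362 write-up. -- actorX",
    "post-4": "fortinet boxes still unpatched for CVE-2022-42475 lol. CVE-1234-5678 is not real",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_POSTS)
    for cve_id, post_ids in sorted(idx.items()):
        print(cve_id, "->", sorted(post_ids))
    print("MOVEit + CVE-2023-34362:", search(SAMPLE_POSTS, idx, "cve-2023-34362", "MOVEit"))
    print("CVEs mentioned with actorX:", cves_for_keyword(SAMPLE_POSTS, "actorX"))
```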

Figure 4: CVE search in Vision UI; Source: DarkOwl Vision

Actor Explore

DarkOwl’s Actor Explore feature provides invaluable insights into cyber threat actors, empowering security professionals, researchers, and organizations with analyst-curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor, with extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more. Actor Explore connects this information to our other data sets, including leak sites, ransomware sites, aliases, cryptocurrency, etcetera, that actors are associated with. This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose.

A DarkOwl Vision user can also search in Actor Explore by CVE. This filtering option makes it easier to find and compare actors of interest.

Figure 5: DarkOwl Actor Explore result for Cl0p and the CVEs they exploit; Source: DarkOwl Vision
Figure 6: Example of CVE filtering in Actor Explore; Source: DarkOwl Vision

Keeping up to date on CVEs is essential to maintaining a secure IT environment. Below are a couple of free resources available for tracking and researching CVEs.

To take investigations to the next step, root cause mapping of vulnerabilities is best done by correlating CVE Records. Check out guidance from MITRE here.


To see DarkOwl Vision and our collection of CVEs in action, contact us.

DarkOwl Returns to Dubai for GISEC Global

May 07, 2024

Last month, DarkOwl participated in GISEC Global in Dubai, UAE, for the seventh year in a row! GISEC Global describes itself as “the leading gathering ground for the cybersecurity community worldwide.” It is the largest cybersecurity event in the Middle East and Africa. At the event, one can expect top government dignitaries and cyber leaders, CISOs from major corporations, regional and international innovators and global experts from top cybersecurity enterprises from over 40 countries in the Middle East, Africa, and Asia. Attendees have the opportunity to network with over 3,500 delegates and hear from over 500 top infosec leaders across multiple stages. GISEC attendees come together to lead cybersecurity transformations across sectors and nations, learning from over 300 hours of content to boost cyber resilience for a safer digital future.

“Embark on a thrilling journey through the largest cybersecurity exhibition, where cyber competitions collide with live hacks, revealing true stories and offering unprecedented access to the minds behind the code….”

Representing DarkOwl at GISEC Global was David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO.

The DarkOwl team remained busy over the three days manning the booth, meeting new prospects, visiting with customers and partners, and showcasing our industry-leading darknet platform, Vision UI. The DarkOwl booth saw visitors from India, Pakistan, Kyrgyzstan, Iran, Singapore, Tunisia, Malawi, Lebanon, UAE, Oman, Seychelles, US, Canada, UK, Sweden, France, Austria, and more – a truly international presence. Magnus stated, “Visitors to the stand were constant starting 30 minutes into the conference. Suddenly the time was 4:40pm and first day was about to end.” This sentiment was shared across the 3 days, and David shared, “Three really busy days – the busiest GISEC.”

In addition to networking and conversations at the booth, top minds in the space had a platform to share thought leadership, innovations, and the latest in the cybersecurity space. Speakers were present from all around the world, including the UAE, Argentina, Kenya, UK, US, Singapore, Estonia, Brazil, Oman, Turkey, South Africa, India, Switzerland, Vietnam, Philippines, Saudi Arabia, Ghana, Lebanon, and many more. Topics ranged from harnessing AI for security resilience, keeping up with high-tech cybercrimes, and building a strong cybersecurity ecosystem at the national level, to mastering risk with real-world insights and strategies, and so much more. In addition, there were halls dedicated to trainings, meetings and hands-on workshops. This is a major benefit of GISEC Global – the emphasis on thought leadership, sharing information and education.

DarkOwl is excited for GISEC Global in 2025!


DarkOwl looks forward to continuing its presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

[Podcast Transcription] Demystifying Dark Web Research for Enterprise and Law Enforcement

May 02, 2024

DarkOwl Analyst, Steph Shample, joins Authentic8’s Needle Stack Podcast to discuss dark web research and all its facets. From AI and other trends on the dark web to operational security, learn how to turn on the light beneath the surface of the internet.

Key Takeaways

  • AI and other dark web trends
  • Operational security in dark web research
  • How to search an unindexed environment

The links to the podcast, YouTube Channel, and the transcription can all be found below.

Jeff: Welcome to Needlestack. I’m your host, Jeff Phillips. 

Shannon: And I’m Shannon Reagan. Today, we are talking to Steph S., Senior Intelligence Analyst at DarkOwl. Steph, thanks for joining us. 

Steph: Hi, Shannon. Hi, Jeff. Thank you so much for having me and for having DarkOwl. We’re so excited to be here. 

Jeff: Well, let’s start with that, Steph. Um, to kick things off, can you tell us a little bit about, uh, DarkOwl for those that don’t know?

Steph: Absolutely, we are the world-leading data provider of the dark web, deep and dark web as well as dark web adjacent technology. So think Telegram, Discord, those chat platforms. Also, the markets and forums that you see frequently in the news, ransomware victim blogs where they advertise. Other general markets that sell malware, drugs, animals on the dark web.

So, we have a mixed manual and automated collection to safely get that, scrape that information, and then put it in a very friendly user interface or an API if you need. That way you can enrich that information with clearnet information, information from social media, all kinds of different enrichment that you can do to best paint the picture of where your exposure is and what precautions and mitigations you need to take.
So it’s just a fascinating company. Truly. It’s really cool. 

Shannon: It is very cool. I think Jeff and I are pretty jazzed about DarkOwl. This might seem like a silly question to you. Um, but what is your perspective of why companies, you know, need dark web intelligence, if not maybe going into the dark web directly.

Steph: Yeah, I get that. And no, I truly stand by no silly, no stupid questions. A lot of people really only know the dark web as it pertains to ransomware, right? They see, okay, ransomware is being announced on here, but there is so much more and there always has been so much more on there. So the dark web is not indexable, right?

You can’t Google on it. So you really do have to know a little bit more navigation of where you’re going, what you’re looking for. Why you should have it is because everybody these days is very, very concerned about privacy. So we all want to be online and be connected and have that social aspect. But we also want to try to reduce, you know, what we’re leaking, what we’re exposing.

Unfortunately, with everything these days, um, you know, phishing, ransomware, social engineering. There are so many ways that malicious actors infiltrate an organization or an entity and then sell or monetize that information, or they do it for their own notoriety. You as an organization have got to be aware of what’s out there.

You can’t just Google yourself or your organization and find all of the threats. When you’re caught up in data breaches that are sold online and then cross sold on a market, right? To maximize profit, you’ve got to take a look at what actors are doing with their IP addresses, how they’re innovating and just making their operations more quick, more quick, uh, more efficient.

They’re streamlining them. You’ve got to have the dark web piece of information because they’re very open and talk a lot on there. They train one another. They share in addition to saying, yeah, I’m going to move my C2 from this provider to that, right? Or don’t message me on this platform anymore. I view it as unsecure.

Let’s all move to Telegram, Discord. You’ve got to keep yourself informed on the dark web. I respect and realize it is not for everybody, but if you do have a presence on there, if you have an incident, you really do need that piece of information or you’re seriously lacking a part of the picture.

Shannon: Follow-up to that, for those companies that aren’t, um, kind of, I’m going to be chatting more about that. Um, either they may be put into a dedicated effort to understanding the information that is out there on the dark web, either they aren’t staffed with the right people to do it. They maybe don’t have the right tools to do it. What advice do you have for people that think this isn’t for me?

Steph: Sure, yeah, I would say, take a look, right?

Take a look at any dark web service provider. Start a trial, start a conversation, go install Tor, right? It’s really easy to do that. Tor is open source. You can download it and just self teach, right? So many people these days want to spend so much time on social media or posting pictures or what have you.
Great. But there is a way for self empowerment to go educate yourself, type, uh, type something into a Tor browser, take a look at what people are using the dark web for, and educate yourself, you know, and if you don’t want to do that, then maybe look on LinkedIn or other social media, or just contact a company who does have dark web coverage and truly educate yourself before you make that final decision of, meh, I don’t need this.

Jeff: By the way, for some of our audience, I like to, I don’t know if I like to do this stuff, but TTPs, right? Tactics, techniques, and procedures.

Steph: Yeah, call me out. I’m going to throw every acronym in the book at you tactics, techniques, and procedures. So, for instance, I’m an Iran analyst by trade and Iran was really big about using European VPNs in their malicious operations.

So they would use namely Germany and the Netherlands, constantly abuse, when the European Union started to crack down on that. They moved to Japanese infrastructure. That is a tactic, technique and procedure that I observed. And then we put out in the researcher community, like, hey, be aware, you know, you’re going to start to shift.

Jeff: Thank you for that. Um, of course, uh, pretty hot topic these days on the OSINT front, um, is AI. I guess AI is a hot topic on every front, but in specific to us, can you tell us a little bit about any AI trends you’re seeing on the, on the dark web when it comes to AI? 

Steph: Absolutely. Yeah. It’s just like you said, everyone’s like, I want AI, but they don’t really know what AI is, but they want it.

Actors have embraced it and are successfully using it. So one use case that we are seeing constantly right now, phishing templates, right? Um, AI is enabling them to write a little cleaner. So there’s not as many English mistakes, grammar mistakes, what have you. And then previously, you know, you can code and you can automate and do all the things to really streamline your operation.

So previously actors would only be able to get those templates to maybe tens or hundreds of companies or organizations that they were trying to infiltrate. Now with AI, you’re getting up to thousands, if not tens of thousands, so they can work faster, get more. And it’s harder to tell who wrote this. You know, usually.

The joke is, of course, the Nigerian prince, or you get this email that’s riddled with so many grammatical mistakes. You’re like, really? But now that’s no longer the case. It’s not as easy to tell. And that’s probably the forefront of AI right now and how malicious actors are using them. It’s increasing their operation space.

Shannon: When we were talking ahead of the call, you mentioned that you have a linguistics background, maybe related to, you know, the AI space, you know, that there is such an element of writing and language as part of that. How, uh, does linguistics play a role in OSINT or, you know, threat intelligence?

Steph: Of course. I’m so glad that there’s a space for that, right? So I think in tech, in AI, whatever you wanna call it, cyber tech, what have you, there is this misconception that you have to be a hardcore programmer, ones and zeros, coding, all the things, right? That there’s no space for other people. And I want to dispel that myth so, so, so much. Linguistics, especially. So, I started translating, you know, of course, and then French and Spanish and saying, you know, this is what they’re doing, et cetera, et cetera. That is happening online, right? Yes. Technology and the Internet. A lot of is in English 80%. I’ll give you guys that. But think of now, if you have kids or little cousins, little nieces and nephews, right?
Number one, how can you even understand what they’re saying in the tech jargon and neologisms? Now take that and try to translate from a Spanish little kid or a Persian little kid, right? Or even a Persian actor. So, you have to really be able to understand the nuance of language. If they’re circumlocuting around an operation, you know, if they say, hey, I’m going to buy this video game from you on Steam or a gaming platform. It’s 1400 dollars. Are you good with that? And you’re like, yeah, what kind of video game is 1400 right now? There’s someone malware, right? Gotta pick out the nuance of the language. Translation will never go away. Yes, automation will help it. We’ll streamline it, make it faster. But humans always need that niche and always have to analyze the language, analyze the sentiment.

Those very, very fine things that You’ve got to have a background of, and you’ve got to understand with AI, it’s coming into tune as well. So, you know, word clouds, for instance, it’s a really great way to capture. We have so much data from AI word clouds come out. And let’s say it’s a protest, right?
Protests are taking place. So the word cloud comes back, and Berlin is in huge letters, whereas Munich and other cities are smaller. So, you know, it’s like, okay, well, how is this represented? Does this mean I should pay attention to it? Does this mean it’s an anomaly? Should I throw it out? There are so many different ways to involve linguistics translation and just divergent translation. Thinking into this field. So whatever your background is, welcome come and also learn another language because cognitively speaking, I can’t even espouse the benefits enough. I will nerd out with you on a separate podcast. 

Shannon: As a former creative writing major, I will welcome you into those. 

Steph: Foreign language, linguistics for life.

Jeff: That’s funny. Can I just be a wannabe? Cause you know, I don’t know. It’s a little late to learn a new language 

Shannon: anytime. 

Jeff: Well, you have, um, a lot of passion about shining a light on the dark web. Um, obviously it’s, so it’s great that you’re a DarkOwl. Um, do you think shining that light and, and putting out more dark web education can actually start to have an impact or mitigate some of the threats or the particular threat actors?

Steph: It’s a great question. Uh, we are seeing reflections of security and clampdowns shape actors and where they’re moving, what they’re doing, how they’re communicating. So I do think that if we keep this up, yes, absolutely. And public education for cybersecurity, you know, your 2-year-old has an iPad.
Your grandmother’s on Facebook. The entire spectrum of humanity is tech enabled. We need to protect them. They don’t know if they’re exposing themselves. Then you’ve got the people who use the same password for their corporate account versus, again, personal accounts. There’s a lot of education to do. And I say all that because passwords are sold on the dark web, right?

Repeatedly, passwords are then put to paste sites and, and monetized. They’ll just put it on a free paste site for other people to use in their operations. I do think it’s a slow process. It’s slower than we would want. And that is tough because tech is so dynamic and moves so quickly, but we cannot stop trying to educate and elucidate and really raise the problems of, hey, this is not going to [00:11:00] stop.
This is happening in the background and you’ve got to pay attention. 

Jeff: You know, follow up when we were talking earlier, you mentioned, I believe the way you portrayed it was that with all that focus and attention on the dark web that you’re seeing them start to migrate to other platforms and other venues.

Can you talk a little bit about that? 

Steph: Absolutely. Yeah. So, you know, dark web, the .onion sites are markets and forums, and you can basically go on. I’ll use Dread as an example. Dread is basically the Reddit of the dark web, right? It’s the same thing: threads, forums, advice, communities, like-minded people. So, Dread, you can go on there and just find something that, you know, I want to sell malware.

I am, I’m looking for this. I’m having trouble developing this part of my malware operation or this code or whatever. Um, so it’s really just essential to follow that and follow the actors, and they have openly stated, you know, think of AlphaBay and Silk Road, those markets that went down. Think of recent ransomware groups that have also gone down, right?

You’ve been arrested, taken offline. Those groups are talking, they are sharing in Telegram, in Discord. And then, of course, on Tox, which is primarily used for ransomware comms, but it is growing in popularity. Tox is just a peer-to-peer messaging system. Direct messaging. They are using more opsec. They are saying, do not post on this forum.

We think there’s a law enforcement presence. Contact me on Telegram. They are using more controls on Telegram. So you can shape a channel that only you, the admin, can post in and nobody else can. So we’re definitely seeing them paying attention to what’s happening in the security and law enforcement world and applying that to where they’re moving: more secure messaging platforms, direct messages versus public.

Shannon: It is tough to, you know, it feels like an arms race, like that. You’re always, you know, we’re all just chasing each other around the internet.

Jeff: I like that we’re all just chasing each other around the, 

Steph: it was awesome. 

Shannon: I do wanna talk about tools in a minute, but with [00:13:00] the constant changes in technology and, uh, keeping up with threat actors, is there any advice that you have, particularly for training or, um, you know, recommended forums and platforms, like, you know, Dread on the dark web is for threat actors?

Like, where do you find the kind of, um, threat intelligence folks getting the most value out of information sharing among other professionals? 

Steph: Absolutely. So the two main ones that have really emerged are task forces and trust groups, honestly. So let’s start with task forces. We realize that it’s got to be government, private and academia; all have to participate to best shape and fight the threats we’re facing.

So find someone who’s in your geographical area of interest, right? If you have an interest in China, if you have an interest in Russia, find groups there, use LinkedIn, use all of those, and then it’s usually private Signal groups, or maybe a private WhatsApp group, and there’s a lot, you know, that’s shared in talk amongst practitioners, and the task forces really bring all three perspectives of those industries that are necessary.

Trust groups are. I know this won’t be popular, but analysts are skeptical by nature. Hi. Um, you know, we don’t trust anybody, but when you have a trust group that starts up, so for instance, when Afghanistan fell in 2021 and they were using Snapchat as well as some other hidden, um, underground communications to avoid the Taliban, to get people out of country who were very much in danger, a trust group started up with that for, you know, operations, getting people to safe houses, monitoring what the Taliban were doing on Twitter, as well as other places.

It was similar when Russia invaded Ukraine. Okay, find analysts, you know, who has on-the-ground experience, who has language experience, who has tech experience, especially, you know, what are the Russians using? What are they going after? So task forces and trust groups are one thing. GitHub. I would suggest combing that left and right.

Then I also really want to highlight, there are quite a few really great open source organizations out there. You know, I follow China, so I need to understand how to get behind the firewall, if I can. How do I pick up information, or open source information, on WeChat, QQ, et cetera? Um, the Digital Sherlock program handled that.

They have a by area, um, by area of operation, AOR, uh, program that you can do for free. All you have to do is apply, state why you need it. So there’s a lot of free open source training. You can never go wrong with the SANS courses. They just started a cybercrime one, which I’m super excited to take.
It’s a 500 level, so I’m gonna wait on that. But yeah, um, the tech. And then also, I’m not gonna shy away from things like Coursera or Udemy. There’s plenty of baseline foundational classes that you can do on there. You don’t need to, say, be a coder yourself, but maybe you wanna understand why your malicious actor is doing what they’re doing on the dark web.

Take a while, one, understand what’s happening, an object versus a whatever. Right. Immerse yourself and use those free resources, YouTube, Coursera, Udemy, work training, trust groups to really flesh out an area and flesh out expertise and share information. 

Shannon: That’s great. Okay. Aside from groups, what are, uh, some of the tools with the right know how that you think are really valuable to, you know, dark web threat intelligence understanding?

Steph: Big that, uh, when I first got started years and years and years ago, and it’s still around: dark.fail. Type that in your, in your Tor browser, honestly. This is a, I give anybody who’s like, I’m curious about the dark web, but I’m also afraid, right? Understood. There are risks. dark.fail is, is like a how-to, it’s like lower than a 101 course, right?

Basically it gives you every listing of, okay, here’s a popular market. This is its onion site, because onion sites are now at 57 characters, if I’m not mistaken; they used to be 22. We can memorize that. And it’s not like a google.com or it’s not like an authentic8.com. The URL doesn’t make sense. The onion ones are obfuscated for a reason.

dark.fail lists them, lists if they’re up and down, lists if they’re temporarily unavailable, gives you the mirrors or the clearnet site equivalents. And then another one I really love is ransomlook.io. That’s, of course, for ransomware, but that site also is amazing. Open source, type that in your browser.
It gives you every single ransomware group that’s out there, right? What their blog looks like, what are some of their latest victims, is their server up and running. In some cases, where do they host their server? So there’s no perfect way to index the dark web. But there are starting points. Those two that I just named to really get you started.
And then that curiosity will take…

Shannon: over. I think that’s great to just recognize, you know, even like a tool like DarkOwl is that, you know, a lot of the work can be done for you, but you can still utilize, you know, the intelligence and the information.

Steph: Yeah. And go, you know, whatever your provider is. We, like, analysts love writing and blogging and being like, this is what I discovered, right?

Go check out blogs from any company that has a dark web focus. If you’re curious, if you’re curious, they have wonderful insight, wonderful how-tos. And then generally they keep it short and sweet, right? Because we’re all busy. We don’t have enough hours in the day. So we’re not going to give you a PhD-level thesis on this dark web actor.

We’re going to give you the nitty gritty. Here’s some IOCs, here’s some mitigation, Good luck, right? That’s what we’re going to try to do. So 

Jeff: Yeah, IOC, indicator of compromise. There’s my value. Acronym value. That’s my value. You’re a cyber security linguist, Jeff. Or a linguist. Well, Steph, thank you for joining us today. And thank you to DarkOwl for letting you join us today. That was great. Much appreciated. Uh, and thank you to our audience for joining us. You can view transcripts and episode info on our website, authentic8.com slash needle stack. That’s authentic with the number eight, and be sure to let us know your thoughts on social at needlestack pod and to like and subscribe wherever you’re listening today, and please tune in again next time for NeedleStack.

Steph: Thank you guys so much.


Learn more about the DarkOwl and Authentic8 partnership here.

Threat Intelligence RoundUp: April

May 01, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of their popularity in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Malicious PowerShell script pushing malware looks AI-written – Bleeping Computer

A March 2024 email campaign targeting German organizations was attributed to the initial access broker TA547, also known as Scully Spider. The PowerShell script it delivered loads the Rhadamanthys infostealer, which can steal cookies, browser and clipboard data, and other system metadata. When the security community studied the script, they noted that each component was accompanied by an unusually verbose, grammatically correct comment (PowerShell comments begin with the # character), a style that suggests the code was possibly authored by an AI or another non-human source rather than written by hand. Read article.

2. U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks – The Hacker News

The US Treasury sanctioned several Iranian individuals and front companies that had targeted the US on behalf of the Iranian government. Their operations used spear phishing and social engineering against US military veterans, US defense contractors, and other US government entities. Full article here.

3. UnitedHealth confirms it paid ransomware gang to stop data leak – Bleeping Computer

UnitedHealth publicly confirmed that it paid the BlackCat/ALPHV ransomware group in February 2024 to prevent the leak of private healthcare data. The payment had already been traced publicly: a Bitcoin transaction to a wallet used by the BlackCat gang was visible on the blockchain. Read article.

4. Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia – The Hacker News

India’s government issued a public statement about the rescue of 250 Indian nationals who had travelled to Cambodia under the pretense of employment and were then forced to participate in cybercrime. In what some have dubbed “cyber slavery”, organized crime groups lure people to Cambodia and other countries with false job offers and then force them to create thousands of social media accounts for use in gambling, crypto fraud, romance schemes, and more. Those who did not meet their quota of created accounts were denied food and sleep. Other hotspots for this kind of activity include Myanmar, Thailand, and the Philippines. Read more.

5. DPRK hacking groups breach South Korean defense contractors – Bleeping Computer

North Korean hacking groups including Lazarus and Kimsuky exploited existing vulnerabilities to plant malware in South Korean defense contractors, exfiltrating technical data to attacker-controlled cloud servers for use by the North Korean government. One group compromised the account of an employee who worked with defense subcontractors, while another took advantage of an email server vulnerability. Read more.

6. US Health Dept warns hospitals of hackers targeting IT help desks – Bleeping Computer

The US Department of Health and Human Services issued a public warning this week about social engineering techniques that threat actors are using against IT help desks in the health sector. In these operations, threat actors call a health organization from a phone number local to the area they are targeting and present stolen details about the organization, including real corporate IDs and/or Social Security numbers obtained in earlier malicious operations. Because the information is genuine, the caller appears legitimate, and the help desk enrolls the threat actor’s device in corporate multi-factor authentication, granting deep access to corporate information. The actors then change ACH payment details, gain access to corporate email accounts, and continue their social engineering from inside. Read more.

7. Russia charges suspects behind theft of 160,000 credit cards – Bleeping Computer

Six Russian individuals were recently charged by the Russian Prosecutor General’s Office. The men were charged with skimming 160,000 cards, using malware to steal credit card and other payment details over the past seven years. The group did not use the stolen cards themselves, instead selling them on various dark web platforms for profit. Article here.

8. Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme – The Hacker News

ZIP files disguised as invoices are currently being used to deliver malicious files to Spanish speakers in LATAM. The files redirect the user to a domain newly set up by the malicious actors. This redirection triggers a script that collects system metadata and checks for anti-virus software, gathering system information for use in further malicious operations. Read article here.

Cyber actors are cold-contacting employees of various US cell phone companies and offering them cash in exchange for participating in SIM swapping operations. In a SIM swap, the actors get a wireless carrier, such as Verizon or T-Mobile (both targeted in this latest campaign), to move a victim’s phone service to a device the criminals control. Once the swap is complete, the victim loses access to most personal accounts tied to the phone number, and personal data attached to the account is stolen and used in other malicious operations. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Unveiling Insurance Fraud on the Dark Web

April 25, 2024

Cyber insurance has become a hot topic in recent years. As DarkOwl has previously documented, frequent attacks against organizations mean there is ever-increasing demand for coverage that reduces the financial impact and risk of operating on the internet.

One of the things cyber insurance can cover is extortion payments associated with ransomware attacks. As ransomware attacks are expected to keep increasing during 2024, with more and more groups adopting double-extortion techniques, it is prudent for organizations to explore their insurance options.

However, insurance carriers are not immune from cyberattacks and can themselves fall victim to intrusions and credential loss. As third-party suppliers, their data can also be exposed through ransomware attacks on their customers. In this blog we explore this exposure.

The term “insurance” appears in over 100,000 documents linked to ransomware activity in DarkOwl’s Vision platform. Ransomware groups such as CL0P, Medusa, BlackBasta and 0mega, to name just a few, have published documents from victims that include insurance information.

The Dunghill Leak group published on their leak site details of a UK-based transportation company, Go-Ahead Group, from which they alleged they had obtained data. They provided descriptions of the data as well as sample images of the documents, and claimed that these included details of insurance claims made by the company. One of the sample documents they provided appears to relate to medical insurance.

Figure 1: Stolen document from Go-Ahead Group

Insurance carriers and providers themselves are also not immune from ransomware attacks. The ransomware group BlackBasta posted information relating to LeClair, a marketing firm that provides services to insurance brokers. All of the data relating to this organization was published on BlackBasta’s leak site and, according to the site, has been viewed over 3,000 times.

Figure 2: LeClair sample data on BlackBasta leak site

Another insurance provider, Delaware Life Insurance Company, appeared as a victim of the group RansomHouse. All data relating to this organization was disclosed, including a file tree of all documents obtained. The group claimed to have stolen 1.4TB of data from the organization; as well as making the full dataset available for download, they provided proof containing confidential documents, health records, and pricing information.

Figures 3 and 4: RansomHouse Leak site and proof of documents listed

The CL0P ransomware group, when posting data for one of their victims, a university, stated that the victim had used its insurance company to negotiate. CL0P complained that the insurer was cheap and the negotiator was bad. Despite the claim that the university offered to pay $950,000, the full data was still leaked. This highlights how insurance providers interact with ransomware groups, and how the groups in turn judge that interaction.

Figure 5: Post on CL0P leak site from DarkOwl Vision

Insurance companies can also appear in other types of data leaks, with information relating to the insurance provider surfacing in third-party leaks. This can include email addresses, locations, passwords, and names of employees.

The leak of etenders.gov.za, a South African government service that documents tenders for government initiatives, included information relating to insurance providers, including their telephone numbers and email addresses.

Figure 6: etenders.gov.za leak

Data purported to be from Farm Bureau Insurance – Tennessee was posted on the Telegram channel BF Repo V3 Files, a backup repository for data leaks from BreachForums, on January 20, 2024. Data exposed included full names, email addresses, physical addresses, phone numbers, vehicle information, and dates of birth. The leak appeared to include customer information, the cars that had been insured, and the broker.

Figure 7: fbitn.com data leak

The naz.api dataset is reported to be one of the largest credential stuffing lists released, and was originally posted on September 9, 2023 on the well known darkweb forum BreachForums. According to that post, the database was created by extracting data from stealer logs and contains over 1 billion unique records of logins and passwords saved in users’ browsers. Infostealer logs are the files produced when a stealer trojan installed on a system harvests information from it.

Searching through this data, almost 700 results were identified that included the statefarm.com domain, indicating that these records likely belong to employees of State Farm. Each record pairs the website the credential was saved for with the login and its associated password. Leaks of this kind can give threat actors access to accounts that may lead to a network intrusion, and they highlight why it is so important for organizations and individuals to practice good password hygiene.
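The search described above can be reproduced against any stealer-log-derived combolist. The following is an added example written for this page, not DarkOwl’s code or tooling. It assumes the common `url:login:password` line layout (splitting from the right, because URLs contain colons themselves), matches the login’s email domain exactly rather than as a substring, and additionally flags logins whose password was saved on more than one distinct host, which is the reuse that turns a personal leak into a corporate intrusion risk. The sample lines and the `insurer.example` domain are constructed; substitute your own domain.

```python
"""Triage a credential-stuffing list for one organisation's domain.

Added example, not DarkOwl's code. Assumed record layout: `url:login:password`
(stealer-log-derived combolists commonly use it). The SAMPLE lines below are
constructed and contain no real credentials.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Record:
    url: str
    login: str
    password: str

    @property
    def host(self) -> str:
        # urlsplit copes with http(s)://, android:// and bare host/path forms
        parsed = urlsplit(self.url if "://" in self.url else "//" + self.url)
        return (parsed.hostname or self.url).lower()


def parse_line(line: str) -> Record | None:
    """Parse one `url:login:password` line, or return None for junk.

    The URL may itself contain colons (scheme, port), so split from the right:
    the last field is the password, the one before it the login. A password
    containing a colon is mis-split by this layout; that is a limitation of
    the format, not something the parser can recover.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    head, sep, password = line.rpartition(":")
    if not sep:
        return None
    url, sep, login = head.rpartition(":")
    if not sep or not url or not login:
        return None
    return Record(url=url, login=login, password=password)


def login_domain(login: str) -> str | None:
    """Domain of an email-style login, or None for bare usernames."""
    if login.count("@") != 1:
        return None
    return login.rsplit("@", 1)[1].lower()


def _in_domain(name: str, org_domain: str) -> bool:
    # exact match or subdomain, never a substring match
    return name == org_domain or name.endswith("." + org_domain)


def triage(lines, org_domain: str) -> dict:
    """Return org logins, cross-host password reuse, and hits on org-owned hosts."""
    org_domain = org_domain.lower()
    exposed: list[Record] = []
    hosts_by_credential: dict[tuple[str, str], set[str]] = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        dom = login_domain(rec.login)
        if dom is None or not _in_domain(dom, org_domain):
            continue
        exposed.append(rec)
        hosts_by_credential[(rec.login.lower(), rec.password)].add(rec.host)
    reused = {k: sorted(v) for k, v in hosts_by_credential.items() if len(v) > 1}
    corporate = [r for r in exposed if _in_domain(r.host, org_domain)]
    return {"exposed": exposed, "reused": reused, "corporate_hosts": corporate}


# Constructed sample in the assumed layout; none of these are real credentials.
SAMPLE = """\
# url:login:password
https://mail.third-party.test/owa:jane.doe@insurer.example:Winter2023!
https://shop.other-site.test:8443/account:Jane.Doe@insurer.example:Winter2023!
https://forum.cars.test/login:bob@freemail.test:hunter2
https://sso.insurer.example/adfs/ls:sam.lee@insurer.example:S3cure!pass
android://com.vendor.app/:kim@insurer.example.au:nope
not a record
"""

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines(), "insurer.example")
    print(f"{len(result['exposed'])} records with insurer.example logins")
    for (login, _pw), hosts in result["reused"].items():
        print(f"password reuse by {login} across: {', '.join(hosts)}")
    for rec in result["corporate_hosts"]:
        print(f"credential saved for org-owned host: {rec.host} ({rec.login})")
```

Note that `kim@insurer.example.au` is not reported for `insurer.example`: a substring search of the kind the blog describes would count it, which inflates hit counts with unrelated organisations. The reuse map is the actionable output; a login whose password appears identically on a third-party shop and a corporate mail host should be force-reset regardless of whether the corporate host itself appears in the list.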

It would be remiss to review insurance on the darknet and not touch on insurance fraud. Although we do not always see the direct activity of fraud, we do see guides and tutorials being offered as well as documentation being sold that can assist an individual in conducting insurance fraud.

Figure 8: Guide for sale on the dark web

Posts on Telegram offer insurance documents for sale, likely to be used to conduct fraud operations.

Figure 9: Telegram channel Skimming Central

Other actors claim to be able to produce car insurance documents so that individuals do not need to insure their cars.

Figure 10: Post on Telegram channel Bazaar Lounge

A post on the dark web marketplace nifheim.world offers insurance documents as well as other counterfeit documents.

Figure 11: Post on Nifheim.world

Although cyber security insurance is an ever-growing business, adopted to protect organizations from the financial and reputational damage a cyberattack can cause, insurance companies themselves are not immune from the threat of cyber attacks. Whether it be data leaks, ransomware attacks, or the continued threat of insurance fraud, insurance companies too need to be vigilant to ensure they protect themselves and their customers. As insurance covers large swaths of our lives, from our vehicles, houses and sentimental items to our health, insurers hold sensitive information on their customers, and it is therefore imperative that this data is secured.


Curious how DarkOwl can help? Contact Us.

Cybercriminal Arrests and Disruptions: 2023 Look Back

April 23, 2024

Although cyber actors continue to successfully target victims globally, extorting and fraudulently obtaining large sums of money, law enforcement agencies are becoming increasingly adept at capturing these cybercriminals and bringing them to justice.

Throughout 2023 there were a number of notable arrests and prosecutions. In this blog, DarkOwl analysts summarize what are arguably the biggest law enforcement actions of 2023 globally.

In March 2023, an individual named Conor Fitzpatrick was arrested by the FBI in upstate New York. He was accused of being the administrator of popular dark web forum BreachForums.

Fitzpatrick was charged with hacking, wire fraud, and possession of child abuse imagery. He admitted to the majority of these offenses upon his arrest and was facing up to 40 years in prison. In January 2024, he was sentenced to 20 years’ supervised release. Fitzpatrick will have no access to the internet for the first year of his home confinement and must register with state sex offender registries.

Prosecutors said the following:

“By creating a platform for hackers and fraudsters to connect and conduct business, the defendant made it possible for BreachForums members to commit exponentially more crimes and more sophisticated crimes than any could have done alone.”

However, soon after Fitzpatrick’s arrest, BreachForums was back up, run by his reported partner Baphomet. It remains to be seen how this will continue.

In January 2023, the FBI announced it had successfully disrupted the Hive ransomware group, which had targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

Since 2022, the FBI had covertly infiltrated the group’s servers and was able to provide decryption keys to victims. This led, in partnership with European partners, to the successful seizure of the infrastructure used by the group. Unlike the disruptions attempted by law enforcement later in 2023 and into 2024, this one appeared to genuinely disrupt the group.

In December 2023, French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims’ ransom payments. They also seized €570,000 worth of cryptocurrency. This highlights that even after infrastructure is seized, authorities globally will continue to hunt the individuals perpetrating the crimes.

Russian national Denis Kulkov was identified as the mastermind behind the Try2Check credit card checking operation. In May 2023, the DOJ unsealed an indictment charging Kulkov with access device fraud, computer intrusion, and money laundering in connection with his operation of Try2Check, the primary service offering “card-checking” to cybercriminals in the stolen credit card trade. Kulkov reportedly earned over $18 million from the scheme.

According to the DOJ:

“The Try2Check platform catered to cybercriminals who purchased and sold stolen credit card numbers in bulk on the Internet, offering criminals the ability to quickly determine what percentage of the cards were valid and active. As such, Try2Check was a primary enabler of the trade in stolen credit card information, processing at least tens of millions of card numbers every year.”

Despite being wanted by the U.S. Secret Service, he remains in Russia, beyond U.S. authorities’ reach.

In April 2023, Interpol’s Africa Cyber Surge II operation led to the arrest of multiple individuals and the seizure of assets worth millions across Africa. The operation targeted groups involved in various cyber crimes including business email compromise (BEC), romance scams, and credit card fraud. Authorities were also able to seize or take down infrastructure linked to these groups’ operations.

The operation led to the following:

  • Cameroon: 3 suspects arrested for $850,000 online art scam.
  • Nigeria: 1 individual arrested for defrauding a Gambian victim.
  • Mauritius: 2 money mules arrested linked to messaging platform scams.
  • Gambia: 185 malicious IPs taken down through proactive measures and partnerships.
  • Cameroon: 2 darknet sites shut down by authorities.
  • Kenya: 615 malware hosters taken down by authorities.

In October 2023, Europol announced that it had disrupted the infrastructure associated with the Ragnar Locker ransomware group. In addition, French authorities arrested a key individual linked to the gang, said to be a central developer. Further individuals were also interviewed in Spain and Latvia. Two suspects associated with the ransomware crew had previously been arrested in Ukraine in 2021. A year later, another member was apprehended in Canada.

This highlights that the most effective way to take down a ransomware group is not just to seize the infrastructure but also arrest the individuals behind it.

In February 2024, the FBI announced that it had dismantled the Warzone RAT operation, arresting two individuals associated with the malware, one in Nigeria and one in Malta. They also indicated that they had seized multiple domains.

The Warzone RAT was a Remote Access Trojan (RAT) that enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal usernames and passwords, and watch victims through their webcams, all without their knowledge or permission.

In May 2023, the FBI-led Operation SpecTor resulted in 288 arrests across multiple countries, building on the seizure of the Monopoly Market darknet marketplace, which sold drugs. It was reported to be the largest international operation against darknet trafficking of fentanyl and opioids. The operation also seized 117 firearms, 850 kilograms of drugs, including 64 kilograms of fentanyl or fentanyl-laced narcotics, and $53.4 million in cash and virtual currencies.

In August 2023, two teenagers in the United Kingdom were found guilty of conducting cyberattacks against Uber, Nvidia, Rockstar Games, and Okta, among others, as members of the criminal gang Lapsus$. Arion Kurtaj, an 18-year-old from the UK, was later sentenced to indefinite detention in a secure hospital.

As well as hacking major companies, he was also accused of blackmailing employees and causing millions in damage to the companies he targeted, and he leaked data stolen from them. Another individual was also found guilty of similar charges but could not be named due to his age. This case highlighted the difficulty of prosecuting young individuals who commit hacking crimes because of their juvenile status.

Only some of the law enforcement actions that took place in 2023 are described in this blog. Law enforcement agencies are becoming more and more successful in their operations against cybercriminals, both in terms of arrests and seizure of infrastructure, including on the dark web.

However, events this year (2024) have already shown that some law enforcement action is not enough to take down groups, particularly ransomware groups. Notable actions against BlackCat/ALPHV and LockBit took the groups offline for only a matter of days when no arrests were made. BlackCat is reported to have recently conducted an exit scam after a high-profile ransom was paid, and LockBit seems intent on revenge after its recent skirmish with the law.

It is unlikely that law enforcement will be able to eradicate cybercrime, and the game of whack-a-mole will continue. However, the events of 2023 show that law enforcement bodies globally are taking action and standing up to the criminals, creating dire consequences for some, which will hopefully deter future threat actors.


Interested in learning how DarkOwl can help with our darknet use case? Contact us!

Cracking the Code: Exploring the Sophistication of CAPTCHAs

April 18, 2024

The darknet has long been a place where criminal actors operate in the hope of anonymity: they use forums to discuss nefarious and extremist activities, marketplaces to buy and sell illicit goods, and more. To stop security researchers and law enforcement from accessing and scraping information from these sites, threat actors are using increasingly sophisticated methods. In this blog, we explore some of the more complex CAPTCHAs we have seen threat actors using on darknet sites. Could you solve them?

A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human, in order to deter bots and spam from accessing certain portions of online content. The acronym loosely stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

The technique was developed by two groups working in tandem in the late 1990s and was put to work protecting sites soon after. The first form required a user to type the sequence of letters and numbers shown in a distorted image. Since then, bot-mitigation services such as Cloudflare’s have been deployed for similar reasons, and CAPTCHAs have continued to develop and become more complex. Google’s reCAPTCHA and the independent hCaptcha have emerged as the most commonly used tools to ensure that the person on the other end of the browser is human.

The black markets and community platforms on the darknet have developed many different versions of these CAPTCHAs, which are also sometimes known as “Turing tests”, and have become quite ingenious in their methods of preventing automated traffic on their sites.

Some of the puzzles are colorful, funny or intentionally misleading, and have become a way for the various markets and darknet operators to express themselves; but not all are created equal. Some require logic, needing a human to parse directions given in the text, while others are simple. Typically, the more advanced the CAPTCHA, the more involved the other protocols of a darknet market or forum will be. Often they are also multi-layered, combining the usual geometric or graphical puzzle that confuses a would-be bot with text and other information explaining what to do. Over time, when a CAPTCHA fails to do its job, it is improved, upgraded and redeployed to keep the site from being crawled.

Of course, not all sites on the darknet are in English. There are many sites which represent countries across the globe, and many of the CAPTCHAs function in the native language of the market. An emerging trend on the darknet is CAPTCHAs intentionally implemented in different languages, so that the user must manually adjust to be able to access what’s on the other side.

In the following section, we explore some of the more interesting CAPTCHAs frequently found on the darknet. 

The below image from the Russian market OMG!OMG! requires the user to input the characters shown in the box, in the traditional way that CAPTCHAs have operated. However, this site is Russian and therefore requires you to input your response in Cyrillic script. If the user is not a Russian native or resident, this will require them to change their keyboard settings or copy their input from a Cyrillic character tool.

The following CAPTCHA asks the “human” to pick the odd one out. It shows various images on a confusing background. In this case, the plant would be the odd one out as all the others are animals. This appeared on the site RuTOR. 

The marketplace Kerberos requires you to complete two puzzles. One asks you to identify what is in the image from a selection of answers in a drop-down menu; to make this more difficult, the pixels in the image constantly change. The other asks you to select the correct characters from a phrase, again using a drop-down menu. You have to complete this within a given amount of time, otherwise the CAPTCHA will expire and you will have to start over again.

The below CAPTCHA from the seized and now-defunct Kingdom Marketplace asks you to fill in the characters in the image, but it also highlights the characters that should appear in the URL to ensure that you are not on a scam site and that you are not being phished.

Another method that has been adopted by darknet operators is asking you to fill in the characters, but highlighting which character to enter based on the box that you are filling in – meaning that the characters are not entered sequentially, as shown in the image below.

Another example is shown below where the circle will move to different characters as you enter in more. In some cases, you are able to correct your work, other times you have to reload the CAPTCHA, but these more interactive versions are fairly commonplace among the various dark web sites, many of which are tailored versions of each other. 

The below image shows an example of a CAPTCHA that requires you to solve a math problem in order to be admitted into the site. More and more sites are using sometimes quite complex math problems to make it more difficult for bots to enter the site.  

Others focus more on images, asking you to identify which image is missing. In the below image, in order to enter the site you have to figure out which hieroglyph is missing.

Another, from AlphaBay, will test how good you are at telling the time, but complicates the task by adding shapes to the clock face that make it very difficult to see the accurate time. You are also only given 1 minute to complete the test before it will reset.  
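To make the mechanics behind these puzzles concrete, below is an added example (written for this post; it is not DarkOwl’s code and not the code of any of the sites described above) of the server side of a challenge-response check in Python. It covers two of the behaviours described above: a positional challenge, where the user sees a string of characters but must type only the ones at highlighted, non-sequential positions, and an arithmetic challenge; both carry a time limit and can be redeemed only once. The token format, the HMAC binding of the expected answer, the 60-second `TTL_SECONDS` constant and the character alphabet are assumptions of this example. In a real deployment the `text` and `question` fields would be rendered as a distorted image rather than returned as plain strings.

```python
"""Minimal server-side challenge-response CAPTCHA (added example, not
DarkOwl's code).  The expected answer is never sent to the client; it is
bound into an HMAC tag that only the server can recompute, so the client
holds nothing it can forge, reuse or brute-force offline."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)            # constructed per-process key (assumption)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"    # omits 0/O and 1/I, which humans confuse
TTL_SECONDS = 60                                 # one-minute limit, like the clock example
_rng = secrets.SystemRandom()
_used_nonces = set()                             # replay protection (prune by TTL in practice)


def _normalise(answer: str) -> str:
    """Strip whitespace and fold case so 'ab 12' and 'AB12' compare equal."""
    return "".join(answer.split()).upper()


def _tag(nonce: str, exp: int, answer: str) -> str:
    """HMAC-SHA256 over nonce, expiry and the normalised expected answer."""
    msg = f"{nonce}|{exp}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _issue(expected: str, now: float) -> str:
    """Build an opaque, URL-safe token committing the server to one answer."""
    nonce = secrets.token_hex(8)
    exp = int(now) + TTL_SECONDS
    body = {"n": nonce, "e": exp, "t": _tag(nonce, exp, _normalise(expected))}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).decode()


def make_positional_challenge(length: int = 8, picks: int = 4,
                              now: Optional[float] = None) -> dict:
    """Show `length` characters; the user must type only those at `positions`,
    in the order listed, which is deliberately not left-to-right."""
    now = time.time() if now is None else now
    text = "".join(_rng.choice(ALPHABET) for _ in range(length))
    positions = _rng.sample(range(length), picks)
    expected = "".join(text[i] for i in positions)
    return {"kind": "positional", "text": text, "positions": positions,
            "token": _issue(expected, now)}


def make_math_challenge(now: Optional[float] = None) -> dict:
    """A small arithmetic problem whose answer is an integer string."""
    now = time.time() if now is None else now
    a, b = _rng.randint(2, 30), _rng.randint(2, 30)
    op = _rng.choice(["+", "-", "*"])
    expected = str({"+": a + b, "-": a - b, "*": a * b}[op])
    return {"kind": "math", "question": f"{a} {op} {b} = ?",
            "token": _issue(expected, now)}


def verify(token: str, answer: str, now: Optional[float] = None) -> bool:
    """Accept only if the token parses, is unexpired, has not been redeemed,
    and the supplied answer reproduces the tag (constant-time compare)."""
    now = time.time() if now is None else now
    try:
        body = json.loads(base64.urlsafe_b64decode(token.encode()))
        nonce, exp, tag = str(body["n"]), int(body["e"]), str(body["t"])
    except (ValueError, KeyError, TypeError):
        return False
    if now > exp or nonce in _used_nonces:
        return False
    if not hmac.compare_digest(tag, _tag(nonce, exp, _normalise(answer))):
        return False
    _used_nonces.add(nonce)                      # one redemption per challenge
    return True


if __name__ == "__main__":
    c = make_positional_challenge()
    print("shown:", c["text"], "type the characters at positions:", c["positions"])
    human_answer = "".join(c["text"][i] for i in c["positions"])  # what a human would enter
    print("accepted:", verify(c["token"], human_answer))          # True
    print("replay accepted:", verify(c["token"], human_answer))   # False
```

The check itself is cheap; what makes a scheme like this hold up is the surrounding policy: the answer space is small, so the server has to rate-limit attempts per source and per token, and the `_used_nonces` set must be pruned once tokens expire so it cannot grow without bound.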

In this blog, we have shown you the wide range of CAPTCHAs that are used across darknet sites to protect them. CAPTCHAs are used to ensure that bots are not entering a site, whether to crawl it, to flood it for malicious purposes, or to secure access ahead of humans, as with ticket-purchasing bots. They are widely utilized on the dark web not only to protect sites from DDoS (distributed denial-of-service) attacks but also to protect the users and the information on those sites from security researchers and law enforcement. This can make it particularly difficult for some users to access the darknet.

The team at DarkOwl routinely deals with these CAPTCHAs and is able to access the dark web in order to assist those who seek to protect their information and bring an end to online criminal activity.


Learn more about how DarkOwl’s expertise in the darknet can help your organization. Contact Us.

DarkOwl Returns to The International Cybersecurity Forum

April 16, 2023

At the end of March, DarkOwl participated in FIC, The International Cybersecurity Forum, in Lille, France for the second year in a row.

Now in its 16th year, FIC proudly asserts itself as the preeminent gathering in the realm of digital security and trust. Positioned as a cornerstone event in the European cybersecurity landscape, FIC distinguishes itself by fostering an inclusive environment that unites every facet of the cybersecurity ecosystem. From end consumers to service providers, law enforcement agencies to academic institutions and consultants, FIC’s scope encompasses them all.

With a dual mission, FIC addresses the operational hurdles of cybersecurity while also championing the development of a digital future aligned with European values and interests. This holistic approach ensures that attendees and sponsors gain comprehensive insights into the state of cybersecurity in Europe and have the opportunity to glean knowledge from industry luminaries.

At FIC, the over 20,000 attendees have unparalleled access to both end-users and providers of solutions and services, facilitating discussions on both tactical challenges and strategic imperatives in cybersecurity.

“Ready for AI?”

The theme of FIC 2023 was “Ready for AI?”. According to a recent report by Forbes, the artificial intelligence (AI) market is projected to reach $407 billion by 2027, and 64% of businesses expect AI to increase overall productivity.

To build relationships and trust, and to share the value and essential need of darknet data for any cybersecurity posture, David Alley, CEO of DarkOwl FZE based in Dubai, and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO, represented DarkOwl at FIC.

In addition to networking and conversations at the booth, top minds of the space have a platform to share thought leadership, innovations and the latest in the cybersecurity space. Speakers were present from across Europe and the world: France, Switzerland, Luxembourg, Belgium, the United States, the Netherlands, Germany, Spain, Canada, Singapore, Poland, Norway, Romania, Mexico, South Africa, China, Thailand, and more. Topics ranged across industrial infrastructure cybersecurity, quantum-resistant cryptography, identity security, international cybersecurity law, AI and counterterrorism, digital crime, social engineering, cybercrime trends, trust and safety in the cloud, and many more. Many of the presentations throughout the three days were not just thought leadership but also practical presentations – showing the “how to.”

David and Magnus both expressed that they experienced “non-stop traffic” and kept busy on the show floor throughout the event, meeting new prospects, showcasing our industry-leading darknet platform, Vision UI, and meeting with several current clients and partners. With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider, focusing on building up our customer relationships and building trust. The DarkOwl team is confident there will be many follow-ups and successful connections coming from our participation at FIC and looks forward to attending The International Cybersecurity Forum in 2025.


DarkOwl looks forward to continuing its presence at several international events in the future. You can see which upcoming conferences we will be attending and request time to chat with us here.

Tax Season Alert: How Cybercriminals Target Your Taxes and What You Can Do About It

April 15, 2024

As the tax deadline fast approaches, it is important for us all to be aware of the risks posed to us by cyber criminals at this time of year. Whether it be identity theft from tax forms, targeting of tax filing providers, or fraudulent returns, there are a number of ways that the tax system can be exploited for criminal financial gain.

As we do each year, DarkOwl analysts have reviewed the activity of cyber criminals on the dark web and dark web adjacent sites and messaging platforms to highlight some of the activities cyber criminals are participating in.  

Fraudsters on the dark web will sell step-by-step guides on how to conduct specific types of identity fraud. The below advertisement from Telegram solicits users to contact an individual to buy a tax refund methodology that allegedly bypasses the ID.ME facial recognition verification method recently implemented by the IRS as a fraud prevention measure.

DarkOwl analysts have also noted several instances where the technology vendor ID.ME has been targeted on stealer log marketplace websites like 2Easy or Russian Market, which may allow threat actors to access users’ accounts for fraudulent purposes, as stealer logs usually contain usernames, passwords and session cookies.

Another Telegram post claims to provide buyers with a guide to obtaining a federal tax refund, offering advice on which bank account you should cash out to and which method to use. They claim that a refund is guaranteed.

ID.ME is commonly targeted across the darknet. DarkOwl analysts have observed fraudsters selling phishing admin panels for sites like ID.ME, PayPal, and USPS on Telegram as well, meaning that they are able to collect the data of unsuspecting victims who believe they are entering their credentials on a legitimate site. Access to these accounts could mean that a threat actor is able to steal someone’s identity, whether for tax fraud or other types of financial fraud.

On the popular carding forum 2crd, DarkOwl analysts found an actor advertising counterfeit identification documents; the listing also included tax return information and common tax forms which could be used to impersonate an individual. It is unclear whether these documents are fraudulent in nature or had been stolen from a legitimate owner.

Similar postings were found on another site, ProCRD, offering W2 forms with a 1040 and full info. These documents are being sold for as little as $10. They appear to be sold as part of Fullz, a term used by dark web actors to indicate they have the full information for an individual – this usually includes financial information and identity details to be used to conduct identity fraud or financial crime.

A post on a Telegram channel claimed to have W2 forms, tax returns, and pay stubs for sale, as well as credit card numbers, Social Security numbers and other sensitive personal information used to conduct fraud. DarkOwl analysts note this advertisement relates to an automated Telegram bot through which one can purchase these illicit items. Telegram bots are an effective way to sell illicit items on Telegram because they maintain a certain level of anonymity between the seller and end user.

Another Telegram advertisement was identified which sells similar products, but notes that all of the sensitive documents being sold are from other countries, such as the UAE and European countries. This highlights that it is not just the US that is subject to this type of fraud.

A third similar example from Telegram is shown below. It is important to note, as shown in all of these examples, that tax forms are typically sold alongside other identity fraud products like fullz, credit card numbers, etc. This allows the fraudsters to be more convincing in their fraudulent activities, as they have more information which makes them appear legitimate.

The tax fraud community on Telegram is considerable: a search across DarkOwl’s dark web collection for the mention of “tax refund” on Telegram resulted in nearly 100,000 hits. However, Telegram fraudsters will typically also advertise across the darknet and deep web, from sites like Royal or Russian Market to ProCRD or WWH Club – often moving to private messaging on Telegram for security.

Telegram is a major vehicle for all types of identity fraud in 2024 because the platform allows for increased security, anonymity (between sellers and end users), and more efficient transactions through automated chat bots, rather than processing transactions directly on a .onion site. DarkOwl analysts therefore identify a large amount of this activity on Telegram, but the crossover from other dark web sites highlights that similar communities are active on both.

Many individuals use services in order to file their taxes, as it often removes some of the stress associated with tax season and hopefully ensures that you maximize your return. However, these organizations are also targeted at this time of year.

A review of stealer logs collected by DarkOwl highlighted several instances in the last several months where credentials for these organizations were stolen, allowing actors to access sensitive information and conduct fraudulent filings.

There are also Telegram channels which offer buyers the chance to obtain tax refunds through TurboTax. 

Ransomware attacks continue to be prevalent in 2024, with many companies subject to attack. One group, PLAY, like many other groups, posts its victims’ details on its leak site, along with details about what information it holds relating to them.

In almost all of the posts relating to its victims, the group claims to have information relating to taxes, likely both the company’s taxes and employees’ details. Some of the posts also claim to have evidence of tax evasion.

If and when these details are released by the ransomware group, that information can be used by other threat actors to conduct other types of fraud.

Tax season is just another thing that can be used by threat actors to commit fraud against individuals and companies. However, financial fraud can be committed at any time of the year, and it is important to protect your personal information by practicing good cyber hygiene: do not reuse passwords, and be vigilant to phishing and malvertising campaigns.


Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.

Copyright © 2024 DarkOwl, LLC All rights reserved.