DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.
Introduction
In the digital age there are many threat actor groups operating in cyberspace, each targeting different industries and countries and driven by different motivations. It is important to monitor these groups in order to identify who they are likely to target, what methods they are using and how they operate. In this blog, we explore one such group, known to security researchers as SCATTERED SPIDER (SS).
Who is SCATTERED SPIDER?
SCATTERED SPIDER are assessed by cyber security researchers to be a cybercriminal group known to target large companies and their supply chains. Reporting indicates that they have largely engaged in data theft, which they have then used for extortion, and they have also been known to deploy ransomware associated with BlackCat/ALPHV. Cyber security researchers assess that this activity is attributable to several groups, all of which are part of a larger collective known as the Com. In addition to conducting cyber attacks, SCATTERED SPIDER are also reported to be involved in violent activity, doxing and swatting.
Although the group appear to have been active since 2022, it is unclear who the individuals behind the activities are, how many individuals are involved, or how they select their victims. However, their motivations do appear to be for financial gain. There have been some indications that some of the individuals in the group may be based in the USA or the UK, but this has not yet been confirmed. The group have recently become the focus of US law enforcement investigations due to their high-profile activities.
Tactics, Techniques and Procedures (TTPs)
By analyzing TTPs, cybersecurity professionals can attribute attacks to specific threat actors or groups. Understanding the tactics used by these adversaries can provide insights into their motivations, capabilities, and potential targets. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defense.
According to a threat alert from CISA, the group are known to use social engineering techniques including phishing, push bombing, and SIM swap attacks, which they use to obtain credentials, install remote access tools (RAT) and bypass multi-factor authentication (MFA).
Social engineering is a very effective way for threat actors to conduct attacks: they use information available through social media and other open sources to craft attacks that look legitimate. The same techniques are also used outside the cyber realm to convince individuals to take an action. SCATTERED SPIDER have successfully posed as IT/helpdesk staff to convince employees to share credentials, to run RATs that enable initial access, and to share one-time passwords (OTP) that bypass MFA.
CISA reports that broad phishing attacks have been observed using domains associated with the target. The group then uses SIM swapping against the individuals who respond to the phishing attack, and uses the control gained through the SIM swap to conduct an account takeover.
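As an added example for this section (not code from the blog, CISA or DarkOwl), the following Python detection logic runs over a handful of constructed identity-provider log lines to surface two footprints of the techniques described above: the push-bombing sequence (repeated denied or timed-out MFA pushes followed by an approval) and a helpdesk-initiated password reset followed shortly by enrollment of a new MFA factor, which is what a successful helpdesk impersonation leaves behind in the logs. The log format, event names, user names and thresholds are all assumptions made for the example.

```python
"""Detect MFA push bombing and post-helpdesk-reset factor changes in IdP logs.

Added example for this post, not DarkOwl or CISA code. The log format, event
names, users and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp|user|event
SAMPLE_LOG = """\
2024-03-01T09:00:05|alice|mfa_push_sent
2024-03-01T09:00:20|alice|mfa_push_denied
2024-03-01T09:00:41|alice|mfa_push_sent
2024-03-01T09:01:02|alice|mfa_push_denied
2024-03-01T09:01:30|alice|mfa_push_sent
2024-03-01T09:01:50|alice|mfa_push_timeout
2024-03-01T09:02:10|alice|mfa_push_sent
2024-03-01T09:02:25|alice|mfa_push_approved
2024-03-01T10:15:00|bob|mfa_push_sent
2024-03-01T10:15:08|bob|mfa_push_approved
2024-03-01T11:00:00|carol|password_reset_by_helpdesk
2024-03-01T11:04:12|carol|mfa_factor_enrolled
2024-03-01T13:00:00|dave|mfa_factor_enrolled
"""

PUSH_WINDOW = timedelta(minutes=10)   # assumption: burst window
PUSH_THRESHOLD = 3                    # assumption: rejections per window
RESET_WINDOW = timedelta(hours=2)     # assumption: reset-to-enrollment gap

REJECTED = {"mfa_push_denied", "mfa_push_timeout"}


def parse_log(text):
    """Parse 'timestamp|user|event' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_bombing(events, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Alert when a user rejects or ignores `threshold` pushes within `window`,
    and again if an approval follows while the burst is still inside the window
    (the fatigue success the attacker is after)."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of recent rejections
    for e in events:
        user, now = e["user"], e["ts"]
        # slide the window: keep only rejections within `window` of this event
        recent[user] = [t for t in recent[user] if now - t <= window]
        if e["event"] in REJECTED:
            recent[user].append(now)
            if len(recent[user]) == threshold:   # fires once per burst
                alerts.append((user, "push_bombing", now))
        elif e["event"] == "mfa_push_approved" and len(recent[user]) >= threshold:
            alerts.append((user, "push_bombing_approved", now))
    return alerts


def detect_reset_then_enrollment(events, window=RESET_WINDOW):
    """Alert when a new MFA factor is enrolled within `window` of a helpdesk
    password reset; enrollment with no preceding reset is not flagged."""
    alerts = []
    last_reset = {}
    for e in events:
        if e["event"] == "password_reset_by_helpdesk":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "mfa_factor_enrolled":
            reset = last_reset.get(e["user"])
            if reset is not None and e["ts"] - reset <= window:
                alerts.append((e["user"], "factor_enrolled_after_helpdesk_reset", e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_push_bombing(evs) + detect_reset_then_enrollment(evs):
        print(*alert)
```

On the sample data, alice trips the push-bombing rule at the third rejection and again when she finally approves; bob's single clean approval and dave's enrollment with no preceding reset produce nothing, while carol's enrollment four minutes after a helpdesk reset is flagged. The thresholds are deliberately loose so the logic is easy to follow; tune them to your own false-positive tolerance.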
SCATTERED SPIDER are also known to conduct Living off the Land (LotL) attacks. LotL attacks refer to a strategy employed by cyber attackers to carry out malicious activities using legitimate tools and resources already present on a compromised system, rather than relying on traditional malware. This approach makes LotL attacks harder to detect by security tools since they leverage trusted processes and utilities, blending in with normal system behavior. Researchers report that the group have adopted tools such as PowerShell to conduct reconnaissance as well as exploiting identity providers and modifying security systems to conduct their malicious activities.
According to CISA and FBI investigations, the group have used the following legitimate tools and malware types to conduct malicious activity.
Tool: Intended use
Fleetdeck.io: Enables remote monitoring and management of systems.
Level.io: Enables remote monitoring and management of systems.
Mimikatz: Extracts credentials from a system.
Ngrok: Enables remote access to a local web server by tunneling over the internet.
Pulseway: Enables remote monitoring and management of systems.
ScreenConnect: Enables remote connections to network devices for management.
Splashtop: Enables remote connections to network devices for management.
Tactical RMM: Enables remote monitoring and management of systems.
Tailscale: Provides virtual private networks (VPNs) to secure network communications.
TeamViewer: Enables remote connections to network devices for management.
Table 1: Legitimate tools used by Scattered Spider (source: CISA/FBI advisory)
Malware: Intended use
AveMaria (also known as WarZone): Enables remote access to a victim’s systems.
Raccoon Stealer: Steals information including login credentials, browser history, cookies, and other data.
VIDAR Stealer: Steals information including login credentials, browser history, cookies, and other data.
Table 2: Malware used by Scattered Spider
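Because every entry in Table 1 is a legitimate product, the practical detection is an allowlist: an organisation sanctions one remote-access product and treats execution of any other remote-management or tunneling tool as a finding, with credential-dumping tools flagged regardless. The following Python is an added example of that check run over constructed process-creation records; it is not CISA, FBI or DarkOwl code. The tool names come from Table 1 above, but the regular expressions over executable names, the approved-tool choice, the hostnames and the log format are assumptions for the example.

```python
"""Flag execution of Table 1 tools that are not on the approved list.

Added example for this post, not CISA/FBI or DarkOwl code. The tool names
come from the post's Table 1; the executable-name patterns, approved tool,
hosts and record format are constructed assumptions.
"""
import re
from collections import Counter

# (display name, category, regex over the lowercased executable base name).
# The regexes are illustrative assumptions; real agent binary names vary.
TABLE1_TOOLS = [
    ("Fleetdeck.io", "remote management", r"fleetdeck"),
    ("Level.io", "remote management", r"^level(\.exe)?$"),
    ("Mimikatz", "credential theft", r"mimikatz"),
    ("Ngrok", "tunneling", r"^ngrok(\.exe)?$"),
    ("Pulseway", "remote management", r"pulseway"),
    ("ScreenConnect", "remote access", r"screenconnect"),
    ("Splashtop", "remote access", r"splashtop"),
    ("Tactical RMM", "remote management", r"tacticalrmm|tacticalagent"),
    ("Tailscale", "tunneling", r"^tailscale"),
    ("TeamViewer", "remote access", r"teamviewer"),
]

# Constructed: the one remote-access product this organisation sanctions.
APPROVED_TOOLS = {"ScreenConnect"}

# Constructed process-creation records: timestamp|host|user|image_path
SAMPLE_EVENTS = r"""
2024-03-02T08:01:10|WS-104|jdoe|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
2024-03-02T08:14:33|WS-104|jdoe|C:\Users\jdoe\AppData\Local\Temp\ngrok.exe
2024-03-02T08:15:02|WS-104|jdoe|C:\Users\jdoe\Downloads\TeamViewer_Setup.exe
2024-03-02T08:20:45|SRV-DC01|svc_backup|C:\Windows\Temp\mimikatz.exe
2024-03-02T09:00:00|WS-205|asmith|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"""


def classify(image_path):
    """Return (tool name, category) if the executable matches a Table 1 tool."""
    base = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for name, category, pattern in TABLE1_TOOLS:
        if re.search(pattern, base):
            return name, category
    return None


def scan(text, approved=APPROVED_TOOLS):
    """Return findings for Table 1 tools outside the allowlist. Tunneling and
    credential-theft tools are rated high; unapproved remote access medium."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split("|", 3)
        hit = classify(image)
        if hit is None:
            continue
        name, category = hit
        if name in approved and category != "credential theft":
            continue   # sanctioned remote-access product, expected activity
        severity = "high" if category in ("credential theft", "tunneling") else "medium"
        findings.append({"ts": ts, "host": host, "user": user, "tool": name,
                         "category": category, "severity": severity})
    return findings


def summarize(findings):
    """Count findings per (host, tool) so one noisy host is easy to spot."""
    return Counter((f["host"], f["tool"]) for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["user"], f["tool"], f["ts"])
```

On the sample records the sanctioned ScreenConnect client and Excel pass silently, the ngrok and mimikatz executions are reported as high, and the TeamViewer installer as medium. In a real deployment the same rule would be fed from Sysmon or EDR process telemetry, and the allowlist should also pin the expected install path and signer, since a sanctioned product dropped into a user's Temp directory deserves a look too.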
The group have also been reported to use extortion techniques; this is becoming an increasingly popular method of attack for groups, particularly those associated with ransomware. The threat actor steals data from the victim and then threatens to release it if the victim does not pay a set amount of money. In the case of ransomware, the groups often maintain a “shame site” where they publish a list of victims and sometimes give each victim a set amount of time to pay the fee before the data is released.
Researchers believe that SCATTERED SPIDER are an affiliate of the BlackCat/ALPHV ransomware group, one of the most active groups and the subject of law enforcement action in late 2023. As an affiliate, SCATTERED SPIDER would have access to the group’s ransomware binaries, support, negotiations, and leak site. It is worth noting that Russian ransomware-as-a-service operations do not usually accept affiliates from Western countries; that they have done so in this case highlights the impact and success this group have had, from which the ransomware operators are able to profit. BlackCat/ALPHV also appear to have recently conducted an exit scam. DarkOwl will continue to monitor whether SS affiliates with another ransomware group in the wake of this.
Victims
SCATTERED SPIDER have targeted a number of different types of victims. According to MITRE, when they emerged in 2022 they targeted customer relationship management and business process outsourcing firms as well as telecommunications and technology companies. Recent activity has shown them targeting other sectors including critical infrastructure organizations.
In August 2022, the telecommunications company Twilio was a victim of SCATTERED SPIDER activities – their customer details were accessed as well as internal applications. This allowed SS to access a dashboard which gave them access to Okta authentication through SMS. It is likely that the group used this access to conduct other attacks.
In September 2023, MGM Resorts in Las Vegas was the victim of a cyber attack that led to computer shutdowns across the organization’s US operations. There were reports of empty casino floors and guests unable to enter their rooms, and in the aftermath MGM expected a $100 million hit to its third-quarter results. Soon after the attack, a post on the BlackCat/ALPHV leak site took responsibility for it. However, it was widely reported that an affiliate group, SCATTERED SPIDER, was actually responsible for the attack.
Figure 1: BlackCat/ALPHV leak site statement on MGM
Cyber researchers from VX-Underground reported that SS were allegedly able to breach MGM by impersonating an employee in a phone call to the company’s helpdesk. It was also reported that they had successfully targeted Western Digital and Caesars Entertainment. In the latter case, it was reported that a $30 million ransom was paid to avoid customer data being shared. These high-profile attacks have led the group to come under more scrutiny from law enforcement.
Online Communications
Actors assessed to be connected to this group are active on both Telegram and Discord where they interact with each other, boast about their activities, and share tools and techniques. There are many different channels and servers where these groups operate depending on who they are affiliated with and what activity they are seeking to discuss.
In an upcoming blog, we will review the activity on one of these Telegram channels and the main actors active on them. Subscribe to email to get that blog delivered straight to your inbox.
Conclusion
SCATTERED SPIDER have successfully targeted a number of high-profile victims, drawing the attention of cyber security experts and law enforcement. They have secured a large sum of money from their victims and continue to rely on social engineering techniques to target them. The fact that they contact helpdesks highlights the need to ensure that staff working in these areas are trained on the threat. While companies often provide training around the risk of phishing emails, less attention has been paid to vishing, smishing and OTP techniques. It is imperative that this training is conducted widely.
It is also likely that the individuals perpetrating these crimes are young and Western based. While many assume that cyber criminals operate from Russia and Eastern Europe, this group shows that cybercrime in the Western world is also prevalent. However, this does leave them open to law enforcement action from the FBI or UK police. It is likely, given the attention they have recently received, that arrests will be forthcoming.
DarkOwl Sources
DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives.
Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.
In honor of the launch of our newest product feature, our marketing team sat down with DarkOwl’s Director of Client Engagement, Caryn Farino and Product Manager, Josh Berman to learn more.
Thanks for sitting down with me today! Let’s start with some intros.
Josh: I’m Josh Berman. I’m a Product Manager here at DarkOwl. I’ve been with the company a little over five years – five and a half years. My background prior to this was in digital forensics, and before that, audio engineering. But more recently, I got into cybersecurity and started here as a Product Engineer, then moved into product management, where I’ve been for a couple of years.
Caryn: My name is Caryn Farino. I’m the Director of Client Engagement here at DarkOwl and have been with the organization for just over 2.5 years. I currently manage all of our client relationships. My background is in OSINT, so I am really excited about a lot of the work that DarkOwl does to highlight darknet specific activity.
Let’s dive into our first question. What are we talking about when we talk about “forums” and “forum structuring”?
Josh: The old way of doing things was when we would collect a webpage and just scrape all the text out and give that to our clients. The advantage of that was it was more simple from a development point of view and allowed us to really focus on depth and breadth of our data. It was the first step in all of this. From a user perspective, that makes it difficult to understand what you’re looking at – there’s a lot of text on a forum page or a marketplace page or ransomware page. Pretty much anything you’re looking at that is not relevant to what you’re actually looking for. So something like following a forum thread on a document that’s a wall of text is very difficult. Not a lot of fun.
Forum structuring basically takes out the parts of the page that are irrelevant. So the actual thread, usernames, post-dates, things like that, and structures them into our data store in an easier to interpret and interact with way so people can do things like sort and filter by post-date rather than just when we found it, see other activity by that user, specifically what they posted, search within a post and not just on the entire page, etc. It’s a big advantage in terms of how we’re presenting the data and how the users interact with it and how they can understand it.
Caryn: I would just add on, forums by design are discussion boards. They allow users to create topics and engage in conversations. Because there’s a lot of consistency in that layout, we want to try to replicate that experience for our users. With this revamp of our forum data, we’re allowing our clients to now navigate our data like they would on a forum to be able to look at those individual posts, reconstruct the thread, and look at what other activity might be associated to that user on that board.
Figures 1 and 2 (left to right): Previous view of a thread versus new enhanced view
Why is having access to this data important in the first place?
Caryn: There’s a lot of different types of darknet forums, so we’re going to have a variety of different use cases for our clients. Some of the more prominent boards are going to have data leaks, we’re going to have highly technical communities talking about and engaging in hacking and exploit development. We’ll also see traditional fraud use cases – threat actors focusing on banking fraud, healthcare fraud, identity theft, and so on. There’s just a lot of different activity going on on these forums. We really want to be able to expose all of this for our clients to make sure that they understand what these threats are and what information is being put out there, so that they can feed into their threat model frameworks and cyber risk programs.
Josh: I don’t think I can say much better than that. Criminal stuff happens on these forums and it’s important for not just law enforcement to be able to see these, but cyber security companies looking after their own security need to be able to see this information as well. It’s important for them to see what’s going on on these forums, what people are talking about, and what threat actors are targeting, especially if it is their own business, their employees, or clients.
What enhancements have been made on the backend to our forum processing?
Josh: Basically, we are treating forum threads post by post rather than page by page. Page by page, like I said, makes it difficult to really track what’s going on. We used to treat the entire page as the same blob of text, whereas now we’re treating it as post by post so we can extract things like the usernames, the post dates, the post body, things like that. This makes it easier to search within and makes it easier to reconstruct that thread in chronological order – to interpret what’s actually going on, rather than looking at an entire page trying to figure out what page it’s related to.
Caryn: I’ll just highlight that because of that work that our product and engineering teams have done, the presentation layer now within the user interface is a much more streamlined experience for our users to be able to navigate all of that data in an easier method. This is also mirrored for our API clients, giving them the same opportunity to search and present forum data without complex queries.
Why did the team focus on these improvements?
Caryn: In working with our clients over the years, we’ve gotten a lot of feedback surrounding document post dates. So, with these improvements, we’ve added in dual capabilities, so clients have the ability not only to see when we’ve crawled that data, but when the data was posted by these forum actors. That really allows clients to look and dive into more specific timelines when they find information of concern.
What are some of the new features that you both are most excited about?
Josh: For me, it’s the thread reconstruction. So back to what I said earlier about page by page – there’s really no way to link one page to another. So, a site, a forum on the darknet, might have ten pages in a thread and you might stumble upon page three. Well, how do you find page one, page seven, etc.? There was not really a good way to do that without our thread reconstruction. We’ve now taken care of all of that for you. So regardless of what page it was posted on, if it’s part of the same thread, we can reconstruct that in chronological order. So that’s definitely a feature I’m most excited about.
Caryn: I would say, for our DarkOwl clients, I think they’re also going to be most excited about that feature as well – the simplicity to be able to navigate and reconstruct all information that was part of a specific discussion/thread. As an analyst, I would say I’m personally excited about the ability to pivot and look at what else the user has said on that forum. I think that’s an extremely valuable add-on to not only look at the posts and threads themselves but to look at what other activity that individual is involved in. We’re also extracting all of the usernames that are within the thread itself. That allows more social network analysis on threat actors communicating on the thread or a specific topic.
Josh: The other thing I was going to mention was the post-date sorting and filtering. People don’t generally care as much about when we found something, they care when it was actually posted. So maybe we found something yesterday that was posted five years ago. Not really a big deal, but these improvements allow people to show things that were actually posted for the first time within a certain time period. So whatever time period they’re interested in, they can filter to that range. They can sort by post-date to see the most recent stuff first. So it makes it a lot easier to get fresh and relevant data.
Any other thoughts on how you both see current clients utilizing this?
Caryn: I want to start with saying that within the last few days, we’ve gotten an overwhelmingly positive response from our clients on these new features. Structured data just overall is easier to work with. But I think the biggest benefit this is going to have is that by breaking out these forum posts into individual documents, we’re going to offer our clients a more concise result set where they can guarantee that their keywords are going to appear in that post, as opposed to scattered across the thread. That’s going to save analysts time in sifting through potentially non-relevant results to find the actual data they care about. And then further, with the addition of the forum usernames to our existing user search feature, clients can now look at what else those threat actors are posting, leading to a more robust dataset to work with. So if you find your keywords in a post, you can quickly create a repository of other activity by that actor. For example, if a threat actor is discussing what organizations are vulnerable to a certain CVE, that triggers your alert, and that same user is later posting on another forum about domain admin or local admin access for sale, but doesn’t list that organization (only location or industry), you can now use that information to support a connection, where you wouldn’t have historically been able to tie those two results together by keyword alone.
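As an added illustration of the post-by-post structuring, thread reconstruction, post-date filtering and user pivot that Josh and Caryn describe in the answers above (this is not DarkOwl’s code; the page format, field names, .onion URLs and sample posts are all constructed for the example), the following Python takes raw page scrapes, splits them into individual post records, de-duplicates posts seen on more than one crawl while keeping the earliest crawl date, and then answers the kinds of questions the interview raises.

```python
"""Structure scraped forum pages into per-post records, reconstruct threads
across pages in post-date order, filter by post date and pivot by user.

Added example for this interview, not DarkOwl code. The page format, field
names, URLs and sample posts are constructed assumptions.
"""
import re
from datetime import date

# Constructed page format: posts separated by '---', each with a header line
# carrying thread id, page number, post id, username and post date.
PAGE3 = """\
thread=77 page=3 post=3001 user=crow date=2019-06-02
Still looking for the mirror, anyone?
---
thread=77 page=3 post=3002 user=magpie date=2019-06-03
Check page one, crow posted the link there.
"""
PAGE1 = """\
thread=77 page=1 post=1001 user=crow date=2019-05-20
Mirror link for the archive is below.
---
thread=77 page=1 post=1002 user=raven date=2019-05-21
Thanks, saved.
"""

# Constructed crawl history: (crawl date, page URL, raw page text).
# Page 3 was found first, page 1 a day later, and page 3 crawled again.
SAMPLE_SCRAPES = [
    ("2024-03-05", "http://example.onion/thread/77?page=3", PAGE3),
    ("2024-03-06", "http://example.onion/thread/77?page=1", PAGE1),
    ("2024-03-09", "http://example.onion/thread/77?page=3", PAGE3),
]

HEADER = re.compile(
    r"thread=(\d+) page=(\d+) post=(\d+) user=(\S+) date=(\d{4}-\d{2}-\d{2})"
)


def parse_page(crawl_date, raw):
    """Split one scraped page into post records; non-post chunks are skipped."""
    records = []
    for chunk in raw.split("---"):
        chunk = chunk.strip()
        if not chunk:
            continue
        header, _, body = chunk.partition("\n")
        m = HEADER.match(header)
        if not m:
            continue   # navigation, adverts or other page furniture
        thread, page, post_id, user, posted = m.groups()
        records.append({
            "thread": int(thread), "page": int(page), "post_id": int(post_id),
            "user": user, "posted": date.fromisoformat(posted),
            "crawled": date.fromisoformat(crawl_date), "body": body.strip(),
        })
    return records


def structure(scrapes):
    """Index posts by id; a post seen on several crawls keeps its earliest crawl."""
    posts = {}
    for crawl_date, _url, raw in scrapes:
        for rec in parse_page(crawl_date, raw):
            prev = posts.get(rec["post_id"])
            if prev is None or rec["crawled"] < prev["crawled"]:
                posts[rec["post_id"]] = rec
    return posts


def _chrono(records):
    """Order by post date, then post id, regardless of which page held them."""
    return sorted(records, key=lambda p: (p["posted"], p["post_id"]))


def reconstruct_thread(posts, thread_id):
    return _chrono(p for p in posts.values() if p["thread"] == thread_id)


def filter_by_post_date(posts, start, end):
    return _chrono(p for p in posts.values() if start <= p["posted"] <= end)


def posts_by_user(posts, user):
    return _chrono(p for p in posts.values() if p["user"] == user)


def search(posts, keyword):
    """Per-post keyword search: the hit is guaranteed to be in the returned post."""
    kw = keyword.lower()
    return _chrono(p for p in posts.values() if kw in p["body"].lower())


if __name__ == "__main__":
    store = structure(SAMPLE_SCRAPES)
    for p in reconstruct_thread(store, 77):
        print(p["posted"], f"p{p['page']}", p["user"], p["body"])
```

With these scrapes the thread comes back in the order 1001, 1002, 3001, 3002 even though page 3 was collected before page 1, the re-crawl of page 3 adds no duplicate posts, and a search for "mirror" returns only the two posts that actually contain the word rather than every page of the thread.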
Learn how this enhanced feature can save your analysts time. Contact us.
Last month, DarkOwl participated in ISS World Middle East & Africa in Dubai, UAE. ISS World Middle East & Africa describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering,” making it the ideal event for DarkOwl to grow our international presence, build relationships in person and spread the importance of darknet data to the international intelligence and law enforcement communities.
ISS World takes pride in focusing on education and training for the law enforcement, public safety, and government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Talks throughout the event cover topics including geolocation, exploiting and circumventing masking tech, advanced techniques in tracing suspects, open-source tools, artificial intelligence, and more.
Representing DarkOwl at ISS World Middle East & Africa was David Alley, CEO of DarkOwl FZE based in Dubai and Damian Hoffman, Product Engineer and Data Analyst out of DarkOwl’s headquarters in Denver, CO. The same power duo from last year!
One of the great advantages of this show is its truly international presence and overall turnout of attendees; Damian noted that there was “essentially non-stop traffic” to the booth on all 3 days of the show. Visitors from the United Arab Emirates, Kazakhstan, Qatar, Jordan, Egypt, Iraq, Morocco, Turkey, Latvia, Lithuania, Azerbaijan, Romania, Ukraine, Pakistan, India, Bangladesh, Indonesia, Malaysia, United States, UK, Germany, Italy, Greece, Israel, Rwanda, South Africa, Namibia, Kenya, Australia and more visited the booth and/or attended our live demo session. Getting to interact face to face with prospects, clients, and partners is invaluable, especially when trying to build up an international presence and grow relationships across all corners of the globe. International shows demonstrate that cyber security is a global problem: no company and no government is immune to the potential risks associated with the world going truly digital.
Sharing Actor Explore
Common themes and topics that were brought up by attendees at the booth included: the use of Telegram by threat actors, Breachforums, and threat actor TTPs (tactics, techniques, and procedures). This gave David and Damian a chance to showcase one of our latest product features: Actor Explore. Actor Explore allows users to review analyst curated insights into active threat actor groups on the darknet and wider. We explore the motivations behind the groups, the tools they have used and searchable attributes to pivot on within DarkOwl Vision. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor. Additionally, DarkOwl analysts provide extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more when available. To read further on why tracking and monitoring threat actors is important, check out our blog on this topic here.
DarkOwl is a regular sponsor of several ISS shows around the world, and we will be attending ISS World Asia and ISS World Europe later in the year. You can see where we will be around the world here.
Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection
In addition to networking and promoting DarkOwl at the booth, David was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to dive into.
The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.
In this 30-minute session, Erin covers how darknet data:
Strengthens our ability to combat cybercrime and protect individuals and organizations
Enhances threat intelligence and helps maintain a safer digital ecosystem
Is utilized in identity theft, fraud, compromised accounts and other real world examples
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.
The obligatory who am I slide… as any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.
Another obligatory slide is the iceberg, you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations but obviously at DarkOwl, and me personally at the moment, focus on the darknet, but it’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.
Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there. I’m not going to read everything on this slide, but you can see that it’s been around since the 2000s, so we’ve got about 20 years now and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.
What is on the Dark Web? What can you find there?
Marketplaces, people selling goods. These are usually illicit goods, usually, hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information, some of it’s not all for sale. We do also see a lot of extremists, forums, people talking about, information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit. All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks, that is the main place that they are shared and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.
This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here.
You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.
There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and need to be in networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with, but also, they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated captchas I have ever seen. I can spend quite a bit of my day just trying to solve math issues or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There are a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy, but there is a huge amount of data and intelligence to be found once you do get into those sites.
I also just wanted to touch on, before I get into some of what that data is, what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there, but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the Pentagon leak. I believe he was just sentenced, actually, this week, in terms of leaking that information on there, but generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There have been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think: why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with almost the same risks? There are marketplaces, vendor shops and forums that sit on the surface web that are still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.
To give you an idea of some of the things that we’re able to find from the darknet: a lot of data comes from the darknet, so we see huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen: email addresses, passwords, Social Security numbers, social media accounts, and stealer logs, which have become really prevalent in the last year or two. There are cookies in there. There are two-factor authentication sign-ins. There are key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks, which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.
Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?
No, that is not in the presentation, but I can definitely get to that at the end.
OSINT 101
OSINT is open-source intelligence. It’s information that’s been found from open sources. Any information found on the dark web does count as OSINT information, but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.
I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI-generated sock puppet. That’s what that’s supposed to be, if no one can tell, but always use the sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online. Ensure that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say for most people, you need to record what you’re finding with the dates and the timestamp, so you are able to validate that the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web, sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those, and if anyone has any questions, I’m more than happy to share some of the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources online, and for anyone who’s new to the area, I would recommend having a look at those.
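The recording tip above (date, timestamp, and the ability to show the data is what you saw at the time) is the kind of thing a small script can make rigorous. The following is an added example written for this page, not DarkOwl’s code or one of the tools the speaker mentions. Each record stores the UTC capture time, the source, and the SHA-256 of the saved content, and is chained to the previous record’s hash, so that a later edit to any record, or the removal of an earlier one, is detectable. The sample sources and contents are constructed placeholders.

```python
"""Tamper-evident log of what was captured, from where, and when.

Added example for the recording tip above (not DarkOwl's code). Every record
keeps a UTC timestamp, the source, and the SHA-256 of the captured content,
and is chained to the previous record's hash so that later edits to the log,
or removal of an earlier record, can be detected.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return _sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def record_capture(log: List[dict], source: str, content: bytes, note: str = "",
                   captured_at: Optional[datetime] = None) -> dict:
    """Append one record (a page, post or message you saved) to `log` and return it."""
    when = captured_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "captured_at": when.isoformat(),
        "source": source,
        "content_sha256": _sha256_hex(content),
        "content_length": len(content),
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> bool:
    """True if every record still hashes correctly and the chain is unbroken."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if entry["entry_hash"] != _entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True


def verify_capture(entry: dict, content: bytes) -> bool:
    """True if a stored copy of the content still matches what was logged."""
    return _sha256_hex(content) == entry["content_sha256"]


def build_sample_log() -> List[dict]:
    """Constructed sample: two captures from a placeholder forum (not real data)."""
    log: List[dict] = []
    t0 = datetime(2024, 3, 1, 10, 15, tzinfo=timezone.utc)
    record_capture(log, "forum-placeholder.onion/thread/1", b"seller post, constructed", "listing", t0)
    record_capture(log, "forum-placeholder.onion/thread/1?page=2", b"reply, constructed", "reply", t0)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample, indent=2))
    print("log intact:", verify_log(sample))
```

Keep the saved content (HTML, screenshot, export) alongside the log; the log proves what the content was when it was captured, and the content itself is what an analyst or court will read.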
Why is Dark Web Important to OSINT Investigations
Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary of each other and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.
LockBit
Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with LockBit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on LockBit. I think it’s been about two weeks now since the LockBit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the LockBit group themselves. One of the things that they did share was that there were two LockBit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.
So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian-speaking forums. Here we can see him, this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this, you know, obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is the What’s My Name app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there’s some old Twitter accounts. There’s a Telegram account, which, as I already mentioned, the threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming. It’s giving you these other areas to go and look and to go and research and investigate, and can give you more information to build that picture about that individual.
One thing I was just going to highlight, just because I thought it was kind of funny, was that LockBit actually put something out a few months ago, I believe it’s a few months ago, it might have been a bit longer, saying they would pay anyone who got LockBit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.
There was a second LockBit affiliate, also, that I wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there are two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to a Yandex app for ordering food. So, you can see kind of the payments information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.
So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.
Cryptocurrency and Extremism
Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t find them to be, I don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have some not so nice threads on it, but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct-to-darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called breadcrumbs; you can get a basic free account and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms Bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went, and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see, but a lot of it was going back into Kiwi Farms, but then I was able to find areas where it was being cashed out: Kraken, Binance, and then Bravada were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into Bitcoin Abuse.
Bitcoin Abuse, whose name I believe has now changed to Chainabuse, is another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange has actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms, is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that way, and it’s another area for us to investigate and look into.
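The network analysis described above (follow the outgoing transfers from a donation address, notice the money that circles back, and find the labelled exchange deposits where it is cashed out, then check those addresses against abuse reports) can be reduced to a short graph walk. The example below is added for this page; it is not DarkOwl’s or breadcrumbs’ code. The transfers, service labels and abuse reports are all constructed, and every address is a placeholder; a real investigation would feed it an explorer’s transaction export and its cluster labels.

```python
"""Follow funds out of a watched address to where they are cashed out.

Added example for the breadcrumbs-style network analysis described above; it
is not DarkOwl's or breadcrumbs' code. The transfers, the service labels and
the abuse reports are all constructed, and every address is a placeholder.
"""
from collections import defaultdict, deque

# Constructed transfers: (from_address, to_address, amount_btc)
TRANSFERS = [
    ("donor_a", "forum_donations", 0.50),
    ("donor_b", "forum_donations", 0.30),
    ("forum_donations", "hop_1", 0.60),
    ("hop_1", "forum_donations", 0.20),       # part of the money circles back
    ("hop_1", "hop_2", 0.35),
    ("hop_2", "exchange_x_deposit", 0.30),
    ("forum_donations", "hop_3", 0.15),
    ("hop_3", "exchange_y_deposit", 0.10),
    ("hop_3", "hop_3_change", 0.05),
]

# Constructed attribution labels, standing in for an explorer's cluster labels
LABELS = {"exchange_x_deposit": "Exchange X", "exchange_y_deposit": "Exchange Y"}

# Constructed abuse reports, standing in for a Chainabuse-style lookup
ABUSE_REPORTS = {"exchange_y_deposit": "reported: sanctioned-entity funding (constructed)"}


def build_graph(transfers):
    """Adjacency list of outgoing transfers per address."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def trace_outflows(start, transfers, labels, max_hops=6):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns (cash_outs, cycles). cash_outs maps each labelled service to the
    amount of the final transfer into it and the paths that reached it; cycles
    lists paths that returned to `start`. The amount recorded is the last hop's
    value, not a proportional taint of the original funds.
    """
    graph = build_graph(transfers)
    cash_outs = defaultdict(lambda: {"total": 0.0, "paths": []})
    cycles = []
    queue = deque([(start, [start], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt, amount in graph.get(addr, []):
            new_path = path + [nxt]
            if nxt == start:
                cycles.append(new_path)
            elif nxt in labels:
                cash_outs[labels[nxt]]["total"] += amount
                cash_outs[labels[nxt]]["paths"].append(new_path)
            elif nxt not in path:           # do not loop through intermediates
                queue.append((nxt, new_path, hops + 1))
    return dict(cash_outs), cycles


def reported_addresses_on_paths(cash_outs, reports):
    """Addresses on any cash-out path that appear in the abuse reports."""
    hits = {}
    for info in cash_outs.values():
        for path in info["paths"]:
            for addr in path:
                if addr in reports:
                    hits[addr] = reports[addr]
    return hits


if __name__ == "__main__":
    outs, loops = trace_outflows("forum_donations", TRANSFERS, LABELS)
    for service, info in outs.items():
        print(f"{service}: {info['total']:.2f} BTC via {info['paths']}")
    print("circled back:", loops)
    print("reported addresses:", reported_addresses_on_paths(outs, ABUSE_REPORTS))
```

Two caveats carry over from the talk: a deposit address labelled as an exchange only tells you which service received the funds, not who withdrew them, and an abuse report is a claim by whoever filed it, so treat both as leads to corroborate rather than conclusions.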
Israel-Hamas Conflict
The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over Telegram. So, as I mentioned, Telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a news source, and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source for being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.
This was on Telegram almost immediately, and anecdotally I know that people in Israel were watching Telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that, but there’s also been a lot of the hacktivist groups on both sides saying who they’re going to target or saying that they have successfully targeted someone, showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on Telegram, but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram and Snapchat, doesn’t always strip out the metadata on the images. There are a lot of open-source tools that can kind of help you to see what the metadata is, and if there is any Exif data that’s going to help you there, but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.
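The metadata point above cuts both ways: the same EXIF block that lets an analyst read a location out of a shared image is what a platform removes when it "strips" metadata, and what anyone publishing their own photos should check first. The example below, added for this page and not DarkOwl’s code or any of the open-source tools the speaker refers to, shows both halves on a JPEG constructed in code: it walks the JPEG segments to the APP1 Exif block, parses the TIFF IFD structure inside it to pull the GPS tags out as decimal degrees, and removes the segment. The coordinates are made up, and the parser handles only the tags it needs rather than the full EXIF specification.

```python
"""Read, and strip, GPS coordinates from a JPEG's EXIF metadata.

Added example for the metadata point above; not DarkOwl's code and not a full
EXIF library. The sample JPEG is constructed in code: SOI, one Exif APP1
segment holding a little-endian TIFF with a GPS IFD, and EOI. Coordinates are
made up.
"""
import struct

GPS_INFO_TAG = 0x8825                      # IFD0 entry pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4    # GPS IFD tags


def find_exif_segment(jpeg: bytes):
    """Return the TIFF payload of the APP1 Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):         # end of image / start of scan: no more headers
            return None
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg[:6] == b"Exif\x00\x00":
            return seg[6:]
        pos += 2 + length
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG without Exif segments (what metadata-stripping platforms do)."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos:pos + 2 + length]
        if not (jpeg[pos + 1] == 0xE1 and seg[4:10] == b"Exif\x00\x00"):
            out += seg
        pos += 2 + length
    out += jpeg[pos:]                       # scan data and EOI are copied unchanged
    return bytes(out)


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries


def _rationals(tiff: bytes, e: str, count: int, raw: bytes):
    """RATIONAL values (two uint32 each) stored at the offset held in `raw`."""
    off = struct.unpack(e + "I", raw)[0]
    vals = []
    for i in range(count):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def extract_gps(tiff: bytes):
    """Return (lat, lon) in decimal degrees, or None if there is no usable GPS IFD."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF/Exif header")
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_INFO_TAG][2])[0], e)
    if any(t not in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def to_degrees(dms):                    # degrees, minutes, seconds -> decimal
        return dms[0] + dms[1] / 60 + dms[2] / 3600

    lat = to_degrees(_rationals(tiff, e, gps[LAT][1], gps[LAT][2]))
    lon = to_degrees(_rationals(tiff, e, gps[LON][1], gps[LON][2]))
    if gps[LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG with one Exif APP1 segment (little-endian TIFF)."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4         # one IFD0 entry, then next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4     # four GPS entries, then next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + b"N\x00\x00\x00"    # ASCII, stored inline
    tiff += struct.pack("<HHII", LAT, 5, 3, data_off)                # 3 RATIONALs at data_off
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack("<HHII", LON, 5, 3, data_off + 24)
    tiff += b"\x00" * 4
    for num, den in [(51, 1), (30, 1), (26, 1), (0, 1), (7, 1), (39, 1)]:   # made-up 51 30'26"N 0 7'39"W
        tiff += struct.pack("<II", num, den)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("GPS in sample:", extract_gps(find_exif_segment(img)))
    print("GPS after strip:", find_exif_segment(strip_exif(img)))
```

On a real image the APP1 segment also carries timestamps and camera model in IFD0 and the Exif sub-IFD; the same `_read_ifd` walk reads those, and the same `strip_exif` removes them. Coordinates in EXIF are whatever the device wrote, and can be absent, stale or deliberately wrong, so treat them as one data point to match against imagery, as the speaker suggests, not as proof.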
Scattered Spider
I’m conscious I’m running out of time, so I’m going to go quickly. Scattered Spider is another group, threat actor group, that we’ve been monitoring. They are a financial crime group. Scattered Spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks. But they are very active on Telegram and Discord and part of what is known within the community as the Com. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information we can find out about them. So, there’s a lot you can do with the data that’s in Telegram to do analysis, to do that link analysis, to find out who the individuals are, and of course for the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.
Conclusion and Questions
So, I ran through that really, really quickly. I’ll just leave the key takeaways up here for people to read. Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction but if there’s topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future.
But with that being said I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations so we can assist you with any investigations that you currently have. With that, I will open it up for questions.
What data sources are considered dark web?
Dark web traditionally is sites that are accessed through Tor, The Onion Router, but you also have things like I2P and ZeroNet, which are also dark web providers, and there are a few more out there, but they’re not used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ, and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be, but I think with OSINT investigations you always need to be open to all of the information that’s out there and be able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.
How do you locate and identify new groups on Telegram or Onion sites?
Manually is the main way. So, for Telegram you can do searches in the global search on the Telegram desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other Telegram channels that have been shared. I will also sometimes look at other social media sources – people on Twitter or other forums will sometimes say, let’s take this conversation to Telegram, and they will share an invite link there. You can also use Google dorking to search Telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, search for that. And then also, if you’re looking at individuals in other countries, do use the native language. So if you’re looking at Russian threat actors, search for your term in Cyrillic as well as in Roman characters, because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is just kind of pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.
Does DarkOwl have copies of entire sites that can be walked through? For example, could one walk through Silk Road and see the listings and users that were active back then?
Yes and no. We have our data; it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images, due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016, but it wouldn’t be a walk-through in terms of – it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.
Other than breadcrumbs and chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?
I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean, obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with, but was recommended to me recently, was Qlue – that is supposed to be quite good for cryptocurrency monitoring, but it really depends if you want to do a paid service or open-source.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released – The Hacker News
LockBit ransomware was taken offline by a global law enforcement operation as of February 20, 2024. The National Crime Agency of the UK led the operation, obtaining LockBit’s source code, arresting two members of the ransomware gang, and freezing 200 cryptocurrency accounts related to LockBit operations.
The FBI has seized four domains connected to the Warzone RAT, a commodity malware which offered a number of features including UAC bypass, hidden remote desktop, cookie and password stealing, keylogging, webcam recording and remote shell, among others. They also arrested, in conjunction with Malta Police, an individual they said was behind the RAT, as well as an individual based in Nigeria.
The individual based in Malta was also reported to have sold the Pegasus RAT for the Skynet corporation.
3. Bumblebee Malware Buzzes Back on the Scene After 4-Month Hiatus – Dark Reading
Bumblebee is a malware loader which is believed to have been developed by the Conti and Trickbot groups. Recent reporting indicates that it has been used to target thousands of organizations in the US in phishing campaigns. According to security researchers, the malware is commonly distributed in phishing campaigns to drop additional payloads for initial network access and to conduct ransomware attacks. The use of the malware has not yet been attributed to a specific group.
4. Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks – The Hacker News
Two years after the Russian invasion of Ukraine, cyber activity remains a crucial part of Russian warfare. While no specific Russian actor has been identified, the latest operation, occurring between November and December 2023, involved spear-phishing emails sent to harvest Microsoft login credentials. Content in the campaign now includes PDF attachments related to food and supply shortages, heating issues, and other war/conflict disinformation.
5. Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network – The Hacker News
Continuing their worldwide efforts to infiltrate government, military, and key sources of intelligence, China exploited an existing Fortinet vulnerability (CVE-2022-42475) to deploy a backdoor named COATHANGER and gain access to a network used by the Dutch military. This is the first time the Dutch have publicly attributed a cyber incident to Chinese actors.
6. ‘ResumeLooters’ Attackers Steal Millions of Career Records – Dark Reading
Using legitimate, open-source pen-testing tools combined with XSS and SQL injection techniques, a threat actor group stole millions of email addresses, phone numbers, and other pieces of personal data and put them up for sale throughout several Chinese-speaking Telegram channels. The specifically targeted sector was retail, along with multiple general employment websites.
7. Johnson Controls says ransomware attack cost $27 million, data stolen – Bleeping Computer
Industrial control systems and security equipment giant Johnson Controls was the victim of a ransomware attack with a cost of $27 million. The offices located throughout Asia were the entry point for the malicious actors, who then spread through the entire corporate network; this event did negatively impact customer-facing systems, in addition to the loss of 27 TB of corporate information.
8. New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide – The Hacker News
North Korean actors are conducting a cyber espionage campaign to gain access to defense technologies. Actors create fake profiles on LinkedIn and build trust with contacts, and then offer possible job opportunities and exercises which are documents containing malware. Additionally, supply chain attacks play a large part in these operations, with North Korean actors deploying remote control malware.
Ransomware attacks continue to rise with many victims being reported every day. Last week one of the most prolific and successful groups, LockBit, became a target themselves with law enforcement (LE) action taking down their leak site and confirmation of sanctions against some of their affiliates. In this blog, we dig into what happened and what has happened since.
Who are LockBit?
LockBit are a ransomware gang that originally emerged in September of 2019. They offer ransomware-as-a-service (RaaS), which means that they allow affiliates to use their ransomware to attack victims in exchange for a monetary fee. In 2023, LockBit were reported to be one of the most prolific ransomware groups, with 44% of ransomware attacks reported globally being attributed to them. The group has had several iterations: LockBit 2.0 first emerged in 2021 and targeted many high-value victims throughout that year and into 2022. In June 2022, they released a new iteration of their malware, LockBit 3.0. As part of that release, they also announced a bug bounty encouraging security professionals to test their malware, offering rewards from $1,000 to $1 million. There were rumors in early 2024 that LockBit 4.0 was coming soon. DarkOwl analysts will continue to monitor any developments on this front.
LockBit Takedown by Law Enforcement
On February 19, changes were made to the LockBit leak site which made it clear that it was now under the control of law enforcement. In recent years, law enforcement have successfully seized several dark web sites, such as BreachForums and RaidForums, and have put a notice on the site indicating that it has been seized. With LockBit, however, the site was kept running, and its message stated that the leak site was now under the control of law enforcement.
Figure 1: DDOS protection on LockBit site seized by Law Enforcement
Using the same technology that LockBit had used for Distributed Denial of Service (DDoS) protection, the site, after a short wait, directed you to the LockBit blog, where the usual cryptocurrency icons had been replaced with the flags of the countries whose law enforcement agencies were involved. A DDoS attack floods a server with useless network traffic, exploiting the limits of the TCP/IP (Transmission Control Protocol/Internet Protocol) stack and rendering the service inaccessible. Although the site looked the same as it had under LockBit’s control, instead of displaying victim names and details it now contained information about the group themselves. Law enforcement even used the same countdown timers that LockBit used to pressure victims into paying the ransom, announcing that new information would be leaked.
Figure 2: LockBit blog containing information about the group posted by LE
Law enforcement announced several types of action that they had taken against the operators of LockBit. They provided a blog with details of Operation Cronos and the actions they had taken. The statement indicated that a task force of law enforcement agencies from 10 different countries had come together to take down the group. The takedown was led by the UK National Crime Agency (NCA). The statement read:
“The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.
In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities.”
UK National Crime Agency (NCA)
Although it is notable that the task force did arrest two individuals and indict two others, it appears that these individuals were affiliates of the group rather than the operators of the LockBit infrastructure, leaving some ambiguity about the impact the takedown would have.
As well as providing details of the operation, the NCA also released images of the back end of LockBit’s system. These included the admin panel showing the victim posts and the countdown.
Figure 3: LockBit back end leaked by LE
Law enforcement also claimed that they had access to some decryption keys for the malware, and that victims should contact them to see if they were able to help with releasing the data that LockBit had encrypted.
Law enforcement indicated that they had identified 30,000 bitcoin addresses associated with the group, 500 of which are currently active on the blockchain and have received over $125 million. A lot of these funds came from the 20% fee LockBit took from affiliate groups, implying that the ransom amounts paid by victims are actually a lot higher. $110 million of this was still unspent on the blockchain.
LockBit’s POV
Soon after the announcement of the takedown, a letter started circulating online which appeared to be a message from the group to their affiliates, alerting them to the fact that a security incident had occurred. It is unclear if this indeed came from the group, and DarkOwl analysts have not been able to authenticate it. The letter was written in the style of a security incident notification in which personal information had been exposed, similar to the notifications the group’s own victims would have to send.
Figure 4: Unverified notification from LockBit
As of February 22, one of the onion mirrors for the leak site appeared to be back up, albeit with limited functionality. There were files which appeared to be named for the victims, and the files included file trees and samples of data which had been stolen from victims. None of the other links on the page were working, and the usual format was not maintained.
Figure 5: LockBit site back up after LE action
On February 24, a note was circulated, signed with PGP keys to prove its authenticity, which gave LockBit’s account of what had taken place. The note began by stating that LE had been successful because the controller had become lazy about security due to all the money they had made.
Figure 6: Message from LockBit
The message also included a list of onion mirrors which the threat actor claimed were still in operation and had not been affected by the law enforcement action. They also claimed that they still had access to victim data and would continue to release it if the ransom was not paid. In response to the law enforcement claim that they had decryption keys, the threat actor stated that law enforcement had only been able to secure a small number of these, and that the majority of the data could not be decrypted.
They also stated that they would continue to operate; while the law enforcement action had taken their infrastructure offline for four days, they claimed this was only because they had to update the source code. Furthermore, the site indicated that they had an FBI leak and seemed to indicate that they would respond to the action.
Figure 7: LockBit blog page back up with FBI listed as a victim
DarkOwl Analysis
The law enforcement action, which took months to coordinate, appeared to take LockBit offline for only four days. Although the action will likely have some reputational impact, with affiliate groups possibly wary about working with a group they know to be a target of law enforcement, most groups probably already assumed this was the case for one of the most prolific RaaS providers out there.
It is also likely that the group will adopt more secure operations going forward, as they themselves admitted that they had been complacent in their operations due to the amount of funds they had amassed and how long they had been able to operate without issue. They will likely not make that mistake again.
It is a constant conundrum for law enforcement to decide when they should take disruptive action against a group and when they should continue to watch them for intelligence purposes. Law enforcement had come under pressure to take action against LockBit due to their success and the number of victims that had been targeted, and disruption does send a message to the wider community. However, the disruption was short-lived and is more likely to provoke the threat group into being more active and targeting more vulnerable sectors than to encourage them to stop their activities.
This was highlighted by the takedown of the BlackCat/ALPHV ransomware group in late 2023. Although the site was seized, this did not last for long: the group managed to take the site back in a matter of days, and they also lifted their ban on targeting victims such as hospitals. This shows that while the seizure of a site can cause issues, if the individuals behind the group are not removed it is only a short-term solution. The fact that the NCA and the FBI continue to offer a reward for information regarding the individuals behind the group highlights that they still don’t know who they are.
One could argue that it would be more profitable for law enforcement to maintain access to the threat actors’ servers and leak sites in order to find information that can help victims such as encryption keys or the data that has been stolen and view the group from within to find more information about them. This, after all, is the tactic that most threat actors use, maintaining persistence and lurking on systems to find the most damaging information. But Law Enforcement would have considered this and factored the risks before going public with their operation. Only time will tell the true impact this had on LockBit’s activities.
On January 21, Cyber News published an article stating that they had identified the “Mother of All Breaches” (MOAB), which revealed 26 billion records. The article stated that the data had been identified by cyber security researchers on an open instance, meaning the data was not secured and was easily accessible by anyone who came across it.
The 12 TB of data was said to include records from previously reported leaks such as LinkedIn, Twitter, Weibo and others, but it was also claimed that there was new data held within this dataset that had not been seen before, although it was not clear what this claim was based on. At the time the article was published it was not clear who owned this data – was it a threat actor who had amalgamated all this data, was it from a marketplace where this data was stored, or was there another entity altogether that held it?
The Dark Web Reacts
Almost immediately chatter began on dark web forums discussing this leak – where it might have come from, who the data belonged to, and how they could get access to the information. A post on popular dark web forum BreachForums garnered 37 replies and over 4,000 views.
The reaction to the data was mixed. Some of the users were eager to get their hands on the data asking for confirmation of where it was available to download and actors commenting that they would need to purchase more hard drives to store the massive amount of data.
Others felt the information was old, that it had previously been exposed and there was nothing new to be found. Their view was that this was simply being used to generate press, with some suggesting the data had been planted for marketing purposes.
Another actor felt that this data must have been the collection of convicted site admin Pompompurin (Connor Fitzpatrick) as he stated it included leaks that had only been posted to Breach Forums.
Although many actors showed skepticism, most showed an interest in obtaining the data and were discussing how it would be shared – torrent being the preferred solution – and when it would become available. But the Mother of All Breaches did not materialize.
Cyber Security Companies Make Mistakes Too…
On January 23, two days after the initial article was published, the company Leak-Lookup posted on X (Twitter) taking responsibility for the leak, claiming that a firewall misconfiguration was responsible for the data being exposed.
Leak-Lookup is an organization which collects data leaks in order to allow consumers to check their information and see if they have been exposed. They describe themselves as a “Data Breach search engine” allowing their users to proactively protect themselves against possible exposure. This is an open source service; however, they also charge for some searches.
The company went on to state that “Initial access was gained sometime around the start of December, due to a misconfigured server allowing IPv6 access to our “hot” cluster.” This highlights that cyber security companies are not immune to cyber incidents, whether these be attacks or technical issues. Fortunately, it did not appear that any of their registered users’ information had been compromised; the data that was identified is publicly available through their search. The misconfiguration was also quickly addressed to ensure no one else could access this data.
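The root cause Leak-Lookup quotes above, a host that filtered IPv4 but left IPv6 reachable, is a common dual-stack oversight: a firewall table that only hooks the IPv4 address family silently leaves every IPv6 address on the host unfiltered. The nftables rulesets below are an added illustration written for this article; they are not Leak-Lookup’s or DarkOwl’s configuration. The internal service port 9200 and the 10.0.0.0/8 and fd00::/8 “internal client” ranges are assumed placeholders.

```nft
# --- Before (weak): family "ip" only hooks IPv4. Because no "ip6" or
# "inet" table exists, IPv6 packets never meet the drop policy and can
# reach the cluster port from anywhere the host has a global IPv6 address.
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        ip saddr 10.0.0.0/8 tcp dport 9200 accept    # assumed internal IPv4 range
    }
}

# --- After (hardened): family "inet" hooks IPv4 and IPv6 in one table, so the
# default drop policy covers both address families. In a real deployment this
# table replaces the "ip" one above rather than sitting beside it.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Neighbor discovery and router advertisements are mandatory for IPv6;
        # dropping all ICMPv6 breaks connectivity rather than securing it.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
        icmp type echo-request accept
        tcp dport 22 accept
        ip saddr 10.0.0.0/8 tcp dport 9200 accept    # assumed internal IPv4 range
        ip6 saddr fd00::/8 tcp dport 9200 accept     # assumed internal IPv6 ULA range
    }
}
```

A quick audit for this class of mistake is to run `nft list ruleset` on each host and confirm that every input chain with a drop policy lives in an `inet` or `ip6` table, not only an `ip` one; a host whose only filter table is family `ip` is filtering half of its address space. The same check applies to legacy iptables deployments, where `iptables` and `ip6tables` are maintained as two separate rulesets and the IPv6 one is the one most often forgotten.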
DarkOwl Assessment
Given that the MOAB was actually a database of leaks curated by a breach aggregator, it is very unlikely that any new data was included in this breach. Just as with DarkOwl, Leak-Lookup will only collect leaks which are already publicly available on the dark web. Although they may sometimes get tipped some leaks which have not been widely shared, the volume of these is likely to be low.
DarkOwl continued to monitor dark web chatter relating to this breach and did not identify any threat actor claiming that they had access to this data. Given that the database is now secured, and given its size, it is unlikely that anyone obtained the full dataset during the period it was exposed. However, as the database contained previously leaked data, that information is still out there. As always, DarkOwl recommends using good password hygiene on all your accounts and highly recommends a password manager. Security is important for all organizations and all data should be strongly protected.
Valentine’s Day is a great time to celebrate love whether you are in a relationship or single – most people celebrate the day in some way, be it with a date night or a girls’ or guys’ night out. Like most things, there can be a dark side to Valentine’s Day – while many celebrate romance, others are taking advantage of those wanting to feel loved or special by someone. The FBI’s Internet Crime Complaint Center (IC3) reported that in 2022 there were 19,000 complaints relating to romance scams, with reported losses of at least $739 million. The Federal Trade Commission reports even more staggering numbers. According to the FTC, nearly 70,000 people reported a romance scam in 2022, totaling $1.3 billion in losses – a median reported loss of $4,400.
A romance scam, also known as a confidence scam or pig butchering, is the targeting of an individual, usually through a fake online profile on a dating site or social media, and convincing them that they are in a relationship. The goal of the actor is to steal money from the target. According to the FBI, “most commonly, the perpetrators are men targeting women over 40 who are divorced, widowed, elderly, or disabled. The scam usually starts with an “innocent” contact online and builds from there. Romance scammers often use well-rehearsed scripts which have been previously used successfully.” Last year, DarkOwl analysts highlighted some of these scripts found on the darknet being circulated by romance scammers.
Romance scammers are no different than other scammers – they don’t miss a beat and get to know their victim before taking full advantage of them. According to the FTC, there are frequent sayings and stories that these scammers use and follow to garner the most sympathy and make a seemingly genuine connection with their victim.
Just two days ago, DarkOwl analysts observed users of a Discord channel discussing the potential of romance scams, claiming that this scam is likely more popular around the holiday. Thankfully, romance scams have garnered more attention in recent years and law enforcement and news sources are highlighting the potential threat.
Romance scams are commonly discussed on the dark web. Last year, we explored this topic for the first time and it continues to be one of our top blogs. This year, we make researching romance scams a yearly tradition around Valentine’s Day as we explore some of the recent activities relating to these scams.
Romance Scams on the Darknet
Leading up to this year’s Valentine’s Day, DarkOwl analysts observed the popular darknet forum Exploit being used to discuss the best way to target individuals through dating apps. The user claimed to have over 3,000 contacts over the age of 20 and wanted to know how he could best exploit this. The majority of responses to this post recommended that the original poster conduct romance scams in order to make money by pretending to be romantically interested and asking for money. They also recommended specific sites to get the best outcome as well as ways to receive the cash.
People also seek data relating to individuals who have been a victim of these scams, although it is unclear what it will be used for – possibly to re-victimize as they have been deemed easy targets at least once prior.
The Flip Side
However, the dark web also highlights the impact that these scams can have on individuals. A forum which is used for communications between individuals with suicidal thoughts was used by one victim to highlight the impact a romance scam had had on them.
In a Discord channel, a victim shares how she fell for a romance scam that led to her giving her scammer money, and how she was able to go to the Internet Crime Complaint Center and file a report in order to get her money back – and it was recovered! She also says that when looking for other recovery services, many offered help for a fee. This is a good reminder that when filing any sort of scam or fraud complaint, you should always work with the IC3.
Victims Fight Back!
In the screenshots below, perpetrators are targeted – victims who took offense to the scams conducted by these individuals shared all of their information through a dox. A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person – as a form of public shaming, intended to exact revenge on a company or person for some perceived wrongdoing.
Another example shows an angry victim of ewhoring releasing the information of their scammer after finding out that she was also cheating on him. He leaks information including basic demographic information and calls others to “spam her with pics” to her Snapchat and Discord, which they have provided as well.
E-Whoring
An emerging extension of romance scams has been e-whoring: the practice of trading and selling nude images of other people. The intent is to sell the images to make money or to impersonate the women in the images in order to conduct other attacks.
As we know, threat actors take great pride in proving themselves by sharing their knowledge, tips and tricks with others as a way to build up their reputation and stand out within the threat actor community. DarkOwl analysts observed many sharing guides and ebooks, some for free and some for sale, covering how to get involved in e-whoring and romance scams.
The example below is a posting on a darknet forum where the threat actor is selling his ebook in which he claims to teach how to “easily make up to $800+ a week” and to “master the method explained in no time.” He claims to be a “superb eWhore” and be a professional social engineer.
The ebook table of contents shows just how in-depth the author goes – covering everything from the very basics to the detailed specifics of how to really make a full business out of e-whoring. This is a very detailed guide and shows the steps that some of these more dedicated threat actors take to e-whore – setting up a website, making a fake ID, etc. These activities also clearly overlap with other crime that we see on the darknet and in illicit marketplaces.
Further on in the ebook guide, the author even shares some tips and tricks on how to act with their victims and what a woman would say versus a man when texting or communicating, teaching his trainees how to be believable.
Here we see another example of a guide to go from “beginner to pro” for e-whoring.
In addition, perpetrators will use the dark web in order to sell “nude packs.” Telegram is also a popular vector to sell this data with packs being sold for as little as 15 Euros.
In Conclusion
As long as the romance scam industry is profitable, darknet actors will continue to innovate, and we will see scammers taking advantage of innocents looking for someone special – especially around Valentine’s Day. As with conducting any activity on the internet, it is always important to remain vigilant to scams, whether that be romance scams or not.
When finding love online, always make sure a friend or family member knows you are talking to someone; always insist on seeing that person face to face (in person, in a public place, is best); and never give someone money unless you are 100% positive they are who they say they are and you have verified their story. Be wary of anyone who makes excuses as to why they cannot meet in person or video chat, and always reverse-search images from their dating or social media profile – most romance scammers will be using someone else’s photos from online. As AI continues to make its way into everyday life, it will be interesting to see how romance scams evolve for next year’s research!
We wish all our readers a very happy Valentine’s Day!
Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. The technology DarkOwl leverages to collect and index, 24/7/365 in near real time, hidden digital undergrounds is key in obtaining crucial data and situational awareness for intelligence and government agencies, and law enforcement.
DarkOwl, the leading provider of darknet data, reviews how darknet data can be used to:
Track illicit sales of drugs, human trafficking, and cyber weapons
Detect potential threats and monitor persons of interest
Stay one step ahead of foreign Nation-State adversarial activity and attacks
Learn the latest tactics, techniques, and procedures of threat actors to better prevent future cyberattacks on critical infrastructure
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Alison: Thank you Carahsoft for putting this together. Thank you all for logging on. I’m going to jump right in. I have a lot of content to cover. And as Erin mentioned, we will field some questions at the end.
So I’m going to go over a little DarkOwl history, specifically dig into why this data set is so crucial for so many areas of the US government and other government partners. We’re going to look at some data examples off of the darknet. It’s always fun to do. I’m then going to end with the current events that have recently elevated the darknet data set in a more global way. And then if there’s time, we’ll walk through an interesting data leak that we uncovered. Before I launch in, I did want to mention that DarkOwl will be at the AFCEA West conference, which is in San Diego next week. I would love to meet anyone going there.
So, history on DarkOwl. We’re based out here in Denver, Colorado. We have been doing darknet collection for over ten years. Essentially we have 24/7 coverage of collecting data, pulling it off the darknet, parking it in our database, and then we give our clients access to that. Obviously, there’s a bunch of different formats that that can take. We have a user interface, there’s a bunch of different API endpoints. And like everything, the devil’s in the details. And I think the one thing I want all of you to walk away with today is, when we think about darknet collection, by definition, if you were to go out and take a look at, you know, a handful of Tor pages a couple times a month and store those in a database, you are, in fact, a darknet collector. That said, I would argue that DarkOwl’s strength is in how we define the darknet and what our collection efforts are focused on. And I think we do a really good job of walking the line of both automation and manual work. You can’t get the scale of data that’s going to be valuable if you’re trying to do this entirely manually. That said, if you’re doing it entirely automated, you’re not going to get into the hard to find sites or be able to maintain personas and get into forums and marketplaces. So we use both those techniques. If you’re looking at this slide here, I know this is a little noisy.
Everything in red is our data sources that we collect from. DarkOwl obviously has been collecting from Tor forever; that’s been our bread and butter. We have really focused in the last year or so on a lot of the peer to peer networks. I’m getting so many questions from law enforcement, government, commercial on telegram collections. So we’re going to go into that a little bit further on. But you can see here telegram, discord, I2P, ZeroNet. Our collection team is always trying to figure out what the next platform is – where can we start to collect? And all these take different efforts from a collection standpoint. There’s a lot of skill behind the scenes here in navigating all of these. Regardless of where we get it, it’s all parked in our database. And then you’re able to access it as a DarkOwl client.
So this slide is just kind of a visualization of how the data flows through.
So as I mentioned, we’re doing all the collection. We park it in our database. And then as we bring that data in, we’re trying to tokenize and add as much structure and value as we can to make the searching and finding from all of your end a more streamlined process. We will tokenize information such as email addresses, IPs, crypto wallets, credit cards, usernames. And then depending on what that tokenization looks like, the bottom line here is the product set that we, DarkOwl, spit out of that data. So on the far left hand side is our user interface. So that’s going to be an analyst dashboard. And then we have a lot of different API endpoints ranging from, you know, Scores, which we call DarkSonar, which is a relative risk measurement of an organization or an agency or a government group’s presence on the dark web just numerically represented, all the way down to DataFeeds, where we are just pushing data every couple of minutes to clients. So it runs the gamut. But the important takeaway here is that the collection is done by us. We do the tokenization, and then we let you search and filter that depending on what information you’re specifically looking for.
On the left hand side – these are our sources. And as you can see by the numbers, we’re really trying to scale at all times. These numbers were just updated – 28 million records from telegram channels. All of these documents are coming in, being tokenized, and then accessible. And, you know, at the end of the day, I feel like we’re solving two problems. Number one, there is no reason any of you can’t go out and do this on your own. You can download Tor, you can have a burner device. It’s just extremely inefficient. Right? It’s going to take time for you to do that. Collection sites go up and down. So it’s an efficiency play. And then number two, especially in looking at the attendee list here, I know most of you are US government. There’s a real safety feature here in that DarkOwl has done the collection. You are only playing in the DarkOwl data set so you don’t run the risk of exposing your own organization or burning a persona. We’re doing all of that in the backend, so it’s efficiency and safety at the end of the day.
So, thinking about the darknet in regards to US government use cases.
And I kind of boiled it down to three here. I’m sure all of you can come up with more, but the first one I think of is just the force protection side – looking out for our own exposure, monitoring for email exposure, looking for PII of prominent folks and alerting them and making sure that we have an understanding as a government of what potential vulnerabilities are out there. And that could run the gamut from exposed PII for someone in a senior position to military part numbers being sold or darknet forums discussing ways to penetrate organizations.
The middle one here – identity management. So I think of that as the investigation side of it – really using the data set to conduct research, to look into identities. How are people talking about this? What can we find? What can we correlate? Who can we associate with this? A lot of red team activities.
And then on the right hand side here, targeting and thinking about what can this data set tell us about nation states and other folks, threat actors, what’s trending, ransomware, there’s so much content out there that is powerful to be in the know on how that’s being talked about and presented.
So without further ado, let’s jump into some data examples. And again, I highlighted before we do that why this data set is so challenging to get your hands on. Part of it is just the time and effort that it takes to do this; these sites go up and down all the time, they move locations. Access to these forums and marketplaces – it’s not as simple as just signing in, and you can’t scrape page one, scrape page two and park it in a database. You need to be very strategic about how you do that. So these are some of the skills that we possess and have been doing for a long time. CAPTCHAs. And I’m not going to do a live demo today, but I do continue to fail CAPTCHAs on the darknet. They are extremely hard. I’m always laughing at that piece. So we’re doing these collection efforts in the background and basically taking that time suck and that risk off of all of you. Then the evolution of where people are moving to, I mentioned these peer to peer networks. You know, we’ve seen such popularity there, especially with the start of the conflict breaking out between Russia and Ukraine. Following those trends is something that we’re always staying on top of as well.
Alright. Darknet data. What’s out there? I just pulled together some slides of examples that I thought might be compelling for some of you on the phone, and to just give you a sense for what we’re looking for. So, no surprise, a ton of PII, all sorts of banking and transaction data, credit cards for sale, exploit kits, malware. And remember, by definition, the reason to be on the darknet is to remain anonymous. So anyone trying to sell or transact or trade in any illegal goods or services is going to be attracted to that. So there’s forums and marketplaces on how to do these things. It’s a colorful space.
The next bunch of slides are going to be screenshots from our platform, which we call Vision. And I’ll highlight just some of the findings here.
So I know it’s a little small on the background here, but if you look up at the top in caps it says DHS traders home addresses. So this is a hacker that’s uncovered some PII and is posting it out there, maybe in anger, unclear. And they’ve listed everything from title, home address, phone numbers. This is just someone posting this on a Tor page and we were able to capture that. And then this is a result right out of DarkOwl Vision.
Here’s another one. This is someone who is promoting their skills around making custom IDs, utility bills, bank statements and other documents, passports for sale. You can see the price here in Bitcoin. This is very, very common – people trying to gain business and sell IDs and everything you can think of.
So here’s one that I thought would be good for today.
This is a counterfeit item. They’re selling DOD ID cards and editable templates. You can even choose your own name and picture.
Alright, moving along – event and personnel protection. I looked at the registration list and I think some of you are tasked with some of these directives.
These are screenshots here of folks that, this one in the middle is actually a telegram group. You can see there’s 32,893 members in it. It’s entitled the Ultra Patriot Voice. You can see some words down here at the bottom. So these may be channels that would be worth monitoring. We’re collecting from them on an ongoing basis. We’re able to identify what users are in those telegram channels, what their ID is, what their username is. And then, given some of our other sources, we can oftentimes back that into an actual person.
It wouldn’t be a good darknet presentation without the talk of ransomware. This is such a prominent thing for all of us.
Our commercial clients are always very concerned about this. This is a screenshot of what we would see on the darknet side. So this is not what the victim would see on their own network. It’s important to understand here that the ransomware actors are hosting this content and they call them shame sites. So they’re posting this and saying, hey, and in this case, this is actually a grocery chain. And they were saying, you know, here’s the information we have. But why this is so critical is because this is where we can assess and figure out what actual data has been exposed. So monitoring these sites and being able to be there in real time is important.
This is a fun slide.
This was actually an investigation that DarkOwl had done where we identified and tracked a Portuguese speaking threat actor. They were involved in a mobile device malware issue. If you look kind of towards the bottom here, we were able to confirm that the suspect’s activities were in a bunch of these communities and the black part at the bottom here where it says steam, where you can see where it’s grayed out there. That was actually a leaked IP address that we were able to get a potential physical location for this gentleman that was in the Brazil area. I like to highlight this one because I think the first thought a lot of folks have in regards to the darknet is that there’s no geographical location because everyone has obfuscated their identity and their location. That said, there’s enough breadcrumbs in there that you can often back into it. So this was a case where we were able to do so.
Insider threats. So we see a lot of posts in regards to this. This is actually someone who’s looking to recruit insiders. You can see that this site toggles back and forth between English and Russian on the right hand side here towards the bottom – they talk about my team will lock, exfiltrate and pivot with your access keys and with your access, and you’ll keep a percentage of the money for giving access. So they’re recruiting folks to try and get in. This could be government related, commercial related and or both. So insider threat, no surprise there.
Drug and gun sales on the darknet are very prominent. We see it all the time. There’s marketplaces dedicated to it.
I think there’s some folks on the phone from the DEA. Kudos to you guys. It is an uphill battle. And I know you’re fighting this daily. There’s so much and we’ve improved. One of the things we’ve done at DarkOwl very recently is going into a lot of these forums and marketplaces and really dissecting how the chats are happening. So what I mean by that is looking at timestamps and who’s talking to who and trying to build out these networks so we can try and get to the bottom of some of these. There have been some really great use cases where our clients were able to use this data to solve a case.
One question we get often is what do we do with images, right? There is a lot of content on the darknet that none of us want to have eyes on. And so what we do at DarkOwl is we ingest all of the text into our database.
So on the left hand side here, you see a screenshot from Vision. That’s our platform. And I simply ran a search and said, I think my specific search was “glock”, and then the word “sale”, and I think I put in “Miami” as well, because I was talking to some folks in Florida and this page came up. So you can see we list where it came from, you can see the dot onion and then all of the text here. So if you’re sitting in the DarkOwl platform, you do not need to be concerned about coming across any child exploitation photos or anything in that regard. That said, sometimes the images that are captured can be quite compelling. So we have recently added what we are calling Direct to Darknet. You can see in the middle of the screen, there’s a little light blue bubble there. So if you click that button within the DarkOwl tool, it opens a new window. You’re in a safe, secure sandbox environment. I do it all the time off my DarkOwl laptop. This is not a burner device or anything. And up comes the actual page. And in this case, I’ve taken a screenshot off of the page, and you can see that the bracelet this person’s wearing, to me would help maybe frame the persona of who’s using this. We also have, if you see in the original text, they’ve provided a telegram handle here. So, you know, starting to gather a couple pieces of information that I think could be pretty compelling for an investigation here. So, again, the images won’t be pulled directly into the DarkOwl database intentionally, but you can go back out and capture those if needed.
Alright, I’m going to switch gears a little bit. A lot of the examples I’ve provided are ones that folks are pretty aware of – trading, selling, transacting in illegal goods and services is and has been what the darknet has been used for forever. What’s been interesting in the last year or two is really the political climate and how there’s been such an increase in real time chat applications and encrypted communication platforms for people to collaborate both for good and evil. We’ve seen a huge growth in telegram use and therefore the request for telegram data. There’s a lot of these invite only and pay to play architectures that have been spun up. It’s just such an evolving space. So it’s been really interesting to follow that evolution and start to do some of our collection from these peer to peer networks. So there’s a lot changing. And I would say that one of the catalysts for that was absolutely the Ukraine-Russia war. I think our actual database, so just DarkOwl’s data, went up by maybe 10% to 20% just within the first couple months of that. Half a million hacktivists and gray hats were taking on Russia and their allies. We saw just a huge influx of data and communication. It’s been really compelling and interesting to see that evolution in modern warfare today. In a similar vein, if we think about the Israel-Hamas conflict, very much the same, there’s been a lot of data leaked on both sides.
These images here on the right, the bottom one is an attempt to map some of the hacktivist groups that are working together. These top ones are actually images that were shared on a telegram channel. This is a whole new way to engage and it’s been just eye opening for us to see the amount of data that’s coming onto the darknet in regards to these conflicts and wars.
Telegram is coming up again and again. There’s so much information being passed through that. We had a concerted effort, right when the conflict broke out, to try and join a lot of these groups, we were able to get 320 of them into our collection efforts that were specific to the conflict. And we actually have a really awesome blog on our website – it’s worth the read.
Russians on the darknet. Interestingly, the second most represented language in our database is Russian. Their ransomware groups are very prominent, very sophisticated. There’s a lot of content that we have found. I’m actually going to show a couple examples in the next couple slides.
This was an interesting leak involving the Bushehr nuclear power plant, sometimes referred to as the NPPD leak, that came out on a telegram channel. This was a hacktivist group that had come out after the death of that woman, and they had downloaded the entire email server and posted a lot of these pictures on a telegram channel. We, DarkOwl, were able to go in and capture some of those. It was posted in a bunch of different parts, but the compelling piece here for you to take away is we were able to go in, we were able to grab these images and capture this. And this is the kind of stuff that, given the line of work that you all are in, can be pretty compelling to help with investigations. So these were some internal photos. You can see all of the metadata is captured there as well. Historically this has been a plant that I don’t think folks have had eyes, or at least, you know, we in the US, on the inside.
These were a bunch of passports. So everyone that came in and out of that plant had to submit a passport. All of that was being passed through email communications. And because they had downloaded or had taken down that whole email server, every single itinerary of people that had been in and out of that plant in the last couple of years was captured. So again compelling for anyone that was needing to do research in this area or learn more about what was going on here.
You can see the flag here over on the right. This is obviously a Russian aircraft, some equipment, being delivered to this plant. So, again, just compelling information that would not have been able or clearly was not meant to be out into the public had been exposed on this telegram channel, and we were able to capture it and bring it into our data set.
So I’m going to pause there and wanted to take a couple questions.
Knowing that you folks cover Telegram and Discord channels/servers, what are the types of servers and channels that you usually collect from? E.g., are they solely reach groups, criminal groups, or a mixture?
Alison: Great question. So DarkOwl serves both a commercial client base and a government client base. So right now, our telegram and discord collection is focused on what our specific client use cases are. For instance, we had a client join a couple months ago that was concerned about some financial fraud that they were combating, so we joined a bunch of telegram channels on their behalf. So the short answer is it depends on our client’s use case, but I would say the ones that you referenced are all a part of our collection. We also love to do collection by demand. So what I mean is, as we bring on new clients, we always sit down during that onboarding and say, you know what’s of interest to you? What telegram groups can we join on your behalf? What is your use case? So a lot of that collection is customized to what our clients are looking for.
GEOs from the IP. Are you getting IP registration that goes through a service like Maxmind, or is it a GPS geo from a device using that IP?
Alison: So if you’re referencing the slide where I was talking about that actual investigation, we pulled the actual IP address off of a post that we saw, and we weren’t geolocating that within our tool, so that would have to be done outside of the Vision tool.
If Tor sites are always going up and down, how do you track this and find the news sites/markets?
Alison: I talked about this early in the presentation. It’s a combination of both manual and automated. So if we’re on a Tor site and crawling that and we see that there’s links to other pages, we will immediately spider and go to those pages and start collection there. Sometimes we’ll use one of our analysts to find a forum or marketplace. And oftentimes if those forums or marketplaces go down, they’ll post, hey, we’re moving it to this, or this has been taken down by law enforcement, we’re going to stand it up here. So it’s a combination of both spidering within the pages we collect and following those links, and then also our analysts just knowing the space and navigating to new forums and marketplaces. And the nice thing is, once we’ve captured the information, it’s retained in our data set. So if we were on a marketplace last week and we pulled down all the listings for Glocks for sale in Miami, and then that site were to go down today, if you went into DarkOwl Vision, it would still be there. So there’s a nice lookback feature here because we don’t age off any data. So that’s where the capturing and looking back can be helpful.
Our unit’s focus is the commercial exploitation of children in the US, specifically California. How is your coverage of that topic?
Alison: We should talk because we actually have a partnership with a couple nonprofits that are in a similar line of work as you. We’re collecting this information at scale. So I guarantee we are going to have some sites of interest for you. The piece that would be important for you is that direct to darknet piece, where you would probably have to go out and actually capture some images there. I would want you to sit with our product team and walk through what that looks like. But my guess is we do have content that would help you with your work.
If we are looking for a particular chat, such as those including child exploitation, will your company actively search topics or is it only the data that has already been pulled available?
Alison: No, we will actively search sites if for some reason there’s a site that we are not already collecting from, whether that be a telegram group or discord server, a dot onion. We will go out and collect from it, per your request, as long as we’re able to do so.
What data sources are considered dark web?
Alison: It depends on your definition. I feel like everyone’s definition of dark web is a little different. We at DarkOwl consider that to be, Tor, I2P, ZeroNet. And then, as I mentioned, we collect from a lot of these dark web adjacent peer to peer networks. So telegram, discord, and some others. But the short answer is I think the definition of dark web can vary depending on who you ask. Ours is fairly broad, and we try and collect from a lot of adjacent sites as well.
How do you legally collect all this information? Is it Osint?
I’ll answer the first part – legally, everything that we collect at DarkOwl is considered Osint, so open source, and we are able to do so with the right skill set. Any of you could go and find this information. A couple lines we will not cross. We will not purchase data. We won’t go behind firewalls. We follow very strictly the Department of Justice guidelines around data. Everything is done ethically. And again, we’re not purchasing data and or going behind firewalls. So we’re able to collect it because it’s open source information.
Can we search the data you collect by name, date of birth, etc.? Can you show how the application works live?
I can absolutely show how the application works live, not on this webinar because they’re recording it and going to be sending it out. I’d be happy to give you a demo outside of this webinar to answer the first part of your question. You can search for anything in our data set. Think of it as the Google of the darknet. So there’s a big search bar you can type in a term, an email address, a phrase, and hit search. And we’re going to show you all the results that are relevant to that, that have come out of all these varied collection sources. So yes, you can search for a date of birth, you can search for Social Security number, a phrase, whatever you want.
What are upcoming trends security practitioners should be looking out for?
I’m definitely not the best person to answer that question, but I would tell you that our collection team is always trying to stay ahead of what’s coming up next. And a lot of these forums and groups are talking about what the next technique is. I think the best we can do is all come together. Those of us that are on the right side of the coin here and share what we’re seeing and hope that by sharing those practices and sharing what each of us is coming up against, we can make some headway. But I feel like I’m not the best one at DarkOwl to field that question.
Do you have a newsletter, an email of examples of cases which were sought and closed and how they were investigated and the outcome?
Absolutely. We have an extremely comprehensive blog that we put out and there are white papers. I will tell you that if this topic is of interest in any capacity, any of the slides I showed, whether it’s in regards to some of the recent conflicts or very specific drug sales, our blog is incredible. There’s so much information in there. All of those pieces were months and months of research.
Would you be able to say if any departments in New Jersey are currently using DarkOwl? I just want to see if this is something that would be beneficial to our detectives.
Off the top of my head, I don’t think we have any New Jersey specific clients, but I will tell you that we absolutely have state agencies and state departments that are using this. We have both federal clients and a lot of SLEDs. So I’m happy to make a referral to another state that is using it and see if that would be helpful to talk to them and learn more about their use case.
According to a 2022 report from the National Cyber Security Centre, “70% of sports organizations experience at least one cyberattack per year. This is a considerable increase over general businesses, of which just 32% reported dealing with cyber incidents or harmful cyber activity.” According to a 2023 report, Microsoft warned of growing cyber-threats to sporting events.
One of the driving factors behind increased cyber-attacks around major sporting events is the increasing digitization of sensitive information and reliance on 3rd party technology vendors. According to the Business Research Company, with the global sports market expected to reach $623.6 billion by 2027, cyber criminals are expected to increasingly target this industry. Cyber threats surrounding large-scale events like the Super Bowl are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium on Sunday, there will have been numerous betting transactions made, sponsorship payments delivered, and accounts for fantasy apps created. All these digital touch points offer threat actors the opportunity for exploitation and theft.
Last year DarkOwl analysts examined the Super Bowl’s cyber threat landscape, looking at how exposed technology vendors involved in the Super Bowl appear on the darknet. Given the popularity of last year’s blog, we wanted to do an update and examine new trends. This includes exposed credentials and chatter around malware that can allow hackers access to key vendor technologies, such as ticket payment systems.
Darknet Risks to the Super Bowl: Key Vendors Pose Supply Chain Risk
Gambling & Online Sports Betting Apps
Super Bowl sweepstakes are very popular, and more people choose to bet directly at this time than at any other. Gambling and sports betting apps continue to be highly attractive targets for hackers because of how popular these apps and websites are. It is common to see product listings for gambling application site accounts alongside listings for banks (Wells Fargo, Chase), online payment companies (PayPal, CashApp), streaming platforms (Netflix, Hulu), and really any other companies that have a large global mobile application user base.
These types of services are also typically connected to a payment system, allowing users to make bets and access their transactions with minimal effort. From a threat actor perspective, that makes digital sports gambling apps one of the most likely targets for phishing campaigns and potential account takeover by leveraging digital fraud techniques.
Bet365
Bet365 is a British-based gambling company that has become one of the most popular gambling companies in the United States. DarkOwl analysts discovered various ways Bet365 was exposed on the darknet. The below example from DarkOwl Vision shows a detailed listing for Bet365 accounts containing active balances from various countries, posted on Amunet, a popular deep web forum primarily known for leaked corporate databases.
Figure 1: Post on a deepnet forum advertising Bet365 accounts with active balances; Screenshot: DarkOwl Vision, Original Source: Amunet.io
This user also includes their Telegram contact info. Telegram accounts are often listed on Deep and Darknet listings because threat actors prefer this chat application to verify a user and complete a transaction.
Telegram is also a popular place for threat actors to sell information belonging to gambling companies. The below Telegram post displays a user selling Bet365 accounts. It is important to note all the additional vendors mentioned on the same product listing from other gambling companies like BetMGM, payment transfer companies like CashApp, as well as large banks like Barclays.
Figure 2: Telegram post listing accounts for sale
DraftKings
DraftKings is another popular betting app. Below is an example of a DraftKings account appearing in the naz.API database with a plaintext password. This could be used by threat actors to access the account and steal funds.
What is naz.API? A version of the naz.api leak was made available on BreachForums on January 15, 2024. According to the post, it is a 35 GB collection of public URLs, usernames, and passwords. The post also notes that it was originally on xkey.info but was taken down for allegedly not being the real naz.api leak. Naz.api is reported to be one of the largest credential stuffing lists released, originally posted on September 9, 2023, by 0x64. According to that post, the database was created by extracting data from stealer logs and contains over 1 billion unique records of logins and passwords saved in users’ browsers. The post also notes that the original naz.api dataset was donated to 0t.rocks.
Infostealer logs are files produced when a trojan installed on a system collects information from that infected system. Depending on the infostealer malware, the extracted data can include system information and browser session data (including autofills, credentials, financial information, cookies, browser history, etc.). Some malware will also capture stored local files and install keylogging on the system to exfiltrate data outside of the browser sessions.
Hackers can also gain access to existing DraftKings accounts using more traditional methods like credential stuffing and exchanging combolists to exploit exposed account login information.
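From the defender's side, the practical response to a leak like naz.API is to find which of your own accounts still use a password that appears in it and force a reset before the combolist is replayed against your login page. The following is an added example, not DarkOwl's code or anything from the page: it parses a constructed combolist in the url:user:pass layout that stealer-log dumps are reported to use, filters entries for one domain, and compares each leaked password against the stored hash of the matching account. The domain, the sample lines, the user directory and the hashing scheme (PBKDF2 with a per-user salt) are all assumptions made for the demo.

```python
"""Check an organization's accounts against a leaked url:user:pass combolist.

Added illustration, not code from the original page. All sample data below
is constructed; the hashing scheme is an assumed one, not the page's.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample in the url:user:pass layout. One line is malformed on
# purpose to show that a parser must tolerate junk in dumps like this.
LEAK_SAMPLE = """\
https://www.example-bets.test/login:alice@mail.test:Winter2023!
https://example-bets.test/account:bob@mail.test:hunter2
https://other-site.test/login:alice@mail.test:Winter2023!
malformed line without separators
https://www.example-bets.test/login:carol@mail.test:S3cure#pass
"""


def parse_combolist(text):
    """Yield (host, username, password) from url:user:pass lines.

    The URL part contains ':' itself (scheme, maybe a port), so split from
    the right: the last two ':' separate the username and the password.
    """
    for line in text.splitlines():
        parts = line.rsplit(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole run
        url, user, password = parts
        host = urlsplit(url).hostname or url
        yield host, user.lower(), password


def pbkdf2(password, salt):
    """Password hash used by the assumed user directory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def find_exposed_accounts(combolist_text, domain, directory):
    """Return usernames whose leaked password still matches the stored hash.

    directory maps username -> (salt, pbkdf2 hash). The leaked plaintext is
    hashed with the stored salt and compared in constant time; the plaintext
    is never stored.
    """
    exposed = set()
    for host, user, password in parse_combolist(combolist_text):
        if host != domain and not host.endswith("." + domain):
            continue  # leak entry belongs to some other site
        if user not in directory:
            continue  # not one of our accounts
        salt, stored = directory[user]
        if hmac.compare_digest(pbkdf2(password, salt), stored):
            exposed.add(user)
    return sorted(exposed)


def make_directory(entries):
    """Constructed user directory: username -> (salt, hash).

    The salt is derived from the username only so the demo is deterministic;
    a real system uses a random per-user salt.
    """
    out = {}
    for user, password in entries:
        salt = hashlib.sha256(user.encode()).digest()[:16]
        out[user] = (salt, pbkdf2(password, salt))
    return out


DIRECTORY = make_directory([
    ("alice@mail.test", "Winter2023!"),    # still using the leaked password
    ("bob@mail.test", "changed-already"),  # rotated since the leak
    ("carol@mail.test", "S3cure#pass"),
])

if __name__ == "__main__":
    for user in find_exposed_accounts(LEAK_SAMPLE, "example-bets.test", DIRECTORY):
        print("force password reset:", user)
```

Running it flags alice and carol but not bob, whose rotated password no longer matches the leaked one.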
In the image below, a user on the darknet forum, FSS Squad, is allegedly selling DraftKings accounts with actual balances. Listings for stolen DraftKing accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.
Figure 4: DraftKings accounts with balances being sold on the Deepnet forum, FS Squad; Source: DarkOwl Vision
Methods for stealing DraftKings accounts are a common topic discussed on Telegram fraudster channels like “Big Fat Chat” or “Bazaar Lounge”. The below is an example of a user offering over 800,000 DraftKings logs for sale on the Deepnet carding site Bazaar Lounge.
Figure 5: Telegram user selling DraftKings stealer logs on a carding site
Banking Systems
Truist
In January 2021, the bank Truist signed a multi-year deal to be the official retail bank of the NFL. As a result of this agreement, Truist is now the exclusive financial service provider for all facets and personnel within the NFL, including player contracts. Below are several examples of actors on the darknet and deep web actively targeting Truist Bank.
Truist card numbers, bank account numbers, and other account information are readily available on all major carding forums like WWH Club, AS Carding, Card Villa, as well as across thousands of Telegram fraudster channels. The below example is from WWH Club, where users are discussing how to target Truist Bank. The user in the screenshot says in Russian, “Бро а не знаешь номера у труиста пробиваются? или нет”, which translates to “Bro do you have Truist numbers” … referring to bank account numbers for Truist bank members.
Figure 6: WWHClub user soliciting Truist bank account numbers
Truist logs and accounts are regularly sold across hundreds to thousands of Telegram fraudster channels. In the below screenshot this user is advertising Truist accounts for sale on a deep web carding market, but also claims to sell PayPal, Coinbase, Wells Fargo, Cloned Cards, Bank Logs, and more.
Figure 7: Truist.com accounts advertisement on a Telegram fraudster channel
It is likely that the Truist accounts are being targeted for general financial fraud; however, their links to the NFL highlight how access to one organization can be used to target others in its supply chain.
Ticket Payment Systems
StubHub
StubHub is the official ticket payment system of the Super Bowl, and DarkOwl analysts found numerous instances of StubHub data on the darknet.
Figure 8: Source DarkOwl Vision
The above is a listing for StubHub accounts being sold on the popular Russian language credit card fraud forum known as WWH Club. In this instance, a threat actor has uploaded 163 StubHub accounts to sell on the forum.
Below, users on Telegram discuss various options for bypassing multi-factor authentication on StubHub and Ticketmaster.
Figure 9: Users on Telegram sell stolen StubHub accounts
Streaming Services
Sunday Ticket + YouTube TV
Since NFL Sunday Ticket and YouTube TV began showing NFL games, DarkOwl analysts have observed cyber criminals advertising accounts for sale as well as soliciting accounts on Telegram and darknet forums.
Telegram fraudsters have targeted YouTube TV more since the merger with NFL Sunday Ticket and RedZone. In the below post a Telegram user is selling access to YouTube TV, NFL Sunday Ticket, YouTube Premium, HBO Max, and other apps for $150 USD.
Figure 9: Telegram listing for NFL Sunday Ticket + YouTube TV
Our analysts identified the below result of a Nulled user soliciting access to YouTube TV accounts so they can watch “any NFL game”, an obvious reference to NFL Sunday Ticket. Another responds and asks the prospective buyer to contact them privately on TG. Again, DarkOwl analysts are increasingly seeing vendors on various darknet forums and marketplaces asking buyers to contact them privately on Telegram.
Figure 10: Nulled user soliciting YouTube TV accounts
Cyber Risks to the Super Bowl: The Bigger Picture
While the dispersed and perhaps seemingly small-scale nature of these vendors’ darknet footprints may make them seem inconsequential, it is important to consider the bigger picture. In the last year threat actors have increasingly targeted technology vendors involved with major sporting events like the Super Bowl, World Cup, and Olympics. DarkOwl analysts agree with the assessments of Microsoft and the National Cyber Security Centre that cyber threat actors will increasingly target major sporting events, as these events increasingly rely on technology vendors for infrastructure, payment, advertising, etc., and generate a lot of money.
With attack vectors becoming ever more sophisticated, large events like the Super Bowl – which bring together humans and technology at such a high magnitude during such a concentrated period – offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can position themselves in the best way possible to be ahead of and respond to cyber incidents.
Whoever you support, we hope you enjoy the game!
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.