March 05, 2024

Or, watch on YouTube

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.

In this 30-minute session, Erin covers how darknet data:

• Enhances OSINT investigations by unveiling hidden information
• Strengthens our ability to combat cybercrime and protect individuals and organizations
• Enhances threat intelligence and helps maintain a safer digital ecosystem
• Is utilized in identity theft, fraud, compromised accounts and other real world examples

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.

The obligatory who am I side… as any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.

Another obligatory slide is the iceberg, you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations but obviously at DarkOwl, and me personally at the moment, focus on the darknet, but it’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.

Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there.  I’m not going to read everything on this slide, but you can see that it’s been around since the 2000, so we’ve got about 20 years now and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in are able to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.

What is on the Dark Web? What can you find there?

Marketplaces, people selling goods. These are usually illicit goods, usually, hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information, some of it’s not all for sale. We do also see a lot of extremists, forums, people talking about, information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit.  All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks, that is the main place that they are shared and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.

This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here. 

You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.

There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and need to be into networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with but also, they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated captures I have ever seen. I can spend quite a bit of my day just trying to solve math issues or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There is a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy but there is a huge amount of data and intelligence to be found once you do get into those sites.

I also just wanted to touch on before I get into some of what that data is what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the leaks from the Pentagon leak. I believe he was just sentenced, actually, this week. In terms of leaking that information on there, but generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There’s been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think, why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with the same risks, almost. There are marketplaces that are vendor shops that are forums that sit on the surface web that’s still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.

To give you an idea of some of the things that we’re able to find from the darknet. A lot of data comes from the darknet, so we see things, huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen, email addresses, passwords, Social Security numbers, social media accounts, stealer logs becoming really prevalent in the last year or two. There’s cookies in there. There’s two factor authentication sign-ins. There’s key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.

Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?

No, that is not in the presentation, but I can definitely get to that at the end.

OSINT 101

OSINT is open-source intelligence. It’s information that’s been found from open-sources. Any information found on the dark web does count as OSINT information but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.

I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI generated sock puppet. That’s what that’s supposed to be if no one can tell but always use the sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online ensuring that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say most people you need to record what you’re finding with the dates, the timestamp so you are able to validate the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those and if anyone has any questions, I’m more than happy to share some of the, the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources, online and for anyone who’s new to the area, I would recommend having a look at those.

Why is Dark Web Important to OSINT Investigations

Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary of each other and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.

LockBit

Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with Lockbit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on Lockbit. I think it’s been about two weeks now, Lockbit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the Lockbit group themselves. One of the things that they did share was that there were two Lockbit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.

So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian speaking forums. Here we can see him, this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this you know obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is What’s My Name app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there’s some old Twitter accounts. There’s a telegram account which I already mentioned. The threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming.  It’s giving you these other areas to go and look and to go and research and investigate and can give you more information to build that picture about that individual.

One thing I was just going to highlight, just because I thought it was kind of funny, was that Lockbit actually put something out a few months ago, I believe it’s a few months ago. It might have been a bit longer, saying they would pay anyone who got Lockbit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.

There was a second Lockbit affiliate, also that I wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there’s two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to Yandex app for ordering food. So, you can see kind of the payments information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.

So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.

Cryptocurrency and Extremism

Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t find them to be, I don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have, some not so nice threads on it but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct to darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called breadcrumbs; you can get a basic free account and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see but a lot of it was going back into Kiwi’s Farm, but then I was able to find areas where it was being cashed out; Kraken, Binance. And then Bravada, were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into bitcoin abuse. Bitcoin abuse, which I believe its name has changed now to Chain abuse, but it’s another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange is actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that area and it’s another area for us to investigate and look into.

Israel-Hamas Conflict

The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over telegram. So, as I mentioned, telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a new source and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source of being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.

This was on telegram almost immediately and anecdotally; I know that people in Israel were watching telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that but there’s also been a lot of the hacktivist groups on both sides, saying who they’re going to target or saying that they have successfully targeted someone showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on telegram but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram, Snapchat doesn’t always strip out the metadata on the images.  There are a lot of open-source tools that can kind of help you to see what the metadata is, and if there is any Exif data that’s going to help you there but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.

Scattered Spider

I’m conscious I’m running out of time, so I’m going to go quickly. Scattered spider is another group, threat actor group that we’ve been monitoring. They are a financial crime group. Scattered spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks but they are very active on telegram and discord and part of what is known within the community as the comm. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information can we find out about them. So, there’s a lot you can do with the data that’s in telegram to do analysis, to do that link analysis to, to find out who the individuals are and of course the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.

Conclusion and Questions

So, I ran through that really, really quickly.  I’ll just leave the key takeaways up here for people to read.  Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction but if there’s topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future. 

But with that being said I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations so we can assist you with any investigations that you currently have. With that, I will open it up for questions.

What data sources are considered dark web?

Dark web traditionally is sites that are accessed through Tor, so the Onion router, but you also have things like I2P and ZeroNet, which are also dark web providers and there’s a few more out there, but they’re not as used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be but I think with OSINT Investigations you always need to be open to all of the information that’s out there and being able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.

How do you locate and identify new groups on Telegram or Onion sites?

Manually is the main way. So, telegram you can do searches in the global search or telegram on the desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other telegram channels that have been shared. I will also sometimes look at other social media sources – people on Twitter or other forums will sometimes say, let’s take this conversation to telegram and they will share an invite link there. You can also use Google Dorking to search telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, um, search for that. And then also if you’re looking at individuals in other countries, do you use the native language? So if you’re looking at Russian threat actors search for your turn and Cyrillic as well as in Roman characters because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is kind of just kind of pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.

Does DarkOwl have copies of entire sites that can be walked through. For example, could one walk through Silk Road and see the listings and users that were active back then?

Yes and no. We have our data, it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016 but it wouldn’t be a walk through in terms of – it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.

Other than breadcrumbs and chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?

I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with but was recommended to me recently was Qlue – that is supposed to be quite good for cryptocurrency, monitoring but it really depends if you want to do a paid service or open-source.

---

Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.

February 09, 2024

Or, watch on YouTube

Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. The technology DarkOwl leverages to collect and index, 24/7/365 in near real time, hidden digital undergrounds is key in obtaining crucial data and situational awareness for intelligence and government agencies, and law enforcement.

DarkOwl, the leading provider of darknet data, reviews how darknet can be used to:

• Track illicit sales of drugs, human trafficking, and cyber weapons
• Detect potential threats and monitor persons of interest
• Stay one step ahead of foreign Nation-State adversarial activity and attacks
• Learn the latest tactics, techniques, and procedures of threat actors to better prevent future cyberattacks on critical infrastructure

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Alison: Thank you Carahsoft for putting this together. Thank you all for logging on. I’m going to jump right in. I have a lot of content to cover. And as Erin mentioned, we will field some questions at the end.

So I’m going to go over a little DarkOwl history, specifically dig into why this data set is so crucial for so many areas of the US government and other government partners. We’re going to look at some data examples off of the darknet. It’s always fun to do. So I’m then going to end with the current events that have recently elevated the darknet data set just in a more global way. And then if there’s time, we’ll walk through an interesting data leak that we uncovered. Before I launch in, I did want to mention that DarkOwl will be at the AFCEA West conference, which is in San Diego next week. I would love meet anyone going there.

So history on DarkOWl. We’re based out here in Denver, Colorado. We have been doing darknet collection for over ten years. Essentially we 24 – 7 coverage of collecting data, pulling it off the darknet, parking it in our database, and then we give our clients access to that. Obviously, there’s a bunch of different formats that that can take. We have a user interface, there’s a bunch of different API endpoints. And like everything, the devil’s in the details. And I think the one thing I want all of you to walk away with today is, when we think about darknet collection, by definition, if you were to go out and take a look at, you know, a handful of Tor pages a couple times a month and store those in a database, you are, in fact, a darknet collector. That said, I would argue that DarkOwl’s strength is in how we define the darknet and what our collection efforts are focused on. And I think we do a really good job of walking the line of both automation. You can’t get the scale of data that’s going to be valuable if you’re trying to do this entirely manually. That said, if you’re doing it entirely automated, you’re not going to get into the hard to find sites or be able to maintain personas and get into forums and marketplaces. So we use both those techniques. If you’re looking at this slide here, I know this is a little noisy.

Everything in red is our data sources that we collect from. DarkOwl obviously we’ve been collecting from Tor forever, that’s been our bread and butter. We have really focused in the last year or so on a lot of the peer to peer networks. I’m getting so many questions from law enforcement, government, commercial on telegram collections. So we’re going to go into that a little bit further on. But you can see here telegram, discord, I2P, ZeroNet. Our collection team is always trying to figure out what the next platform is – where can we start to collect? And all these take different efforts from a collection standpoint. A lot of skill behind the behind the scenes here in navigating all of these, regardless of where we get it, it’s all parked in our database. And then you’re able to access it as a DarkOwl client.

So this slides this is just kind of a visualization of how the data flows through.

So as I mentioned, we’re doing all the collection. We park it in our database. And then as we bring that data in, we’re trying to tokenize and add as much structure and value as we can to make the searching and finding from all of your end a more streamlined process. We we will tokenize information such as email addresses, IPS, crypto wallets, credit cards, usernames. And then depending on what that tokenization looks like, the bottom line here is the product set that we, DarkOwl, spit out of that data. So on the far left hand side is our user interface. So that’s going to be an analyst dashboard. And then we have a lot of different API endpoints ranging from you know Scores which we call DarkSonar, which is a relative risk measurement of an organization or an agency or a government group’s presence on the dark web just numerically represented all the way down to DataFeeds, where we are just pushing data every couple of minutes to clients. So it runs the gamut. But the important takeaway here is that the collections is done by us. We do the tokenization, and then we let you search and filter that depending on what information you’re specifically looking for.

On the left hand side – these are our these are our sources. And as you can see by the numbers, we’re really trying to scale at all times. These numbers were just updated – 28 million records from telegram channels. All of these documents are coming in, being tokenized, and then and then accessible. And, you know, at the end of the day, I feel like we’re solving two problems. Number one, there is no reason any of you can’t go out and do this on your own. You can download Tor, you can have a burner device. It’s just extremely inefficient. Right? It’s going to take time for you to do that. Collection sites go up and down. So it’s an efficiency play. And then number two, especially in looking at the attendee list here, I know most of you are US government. There’s a real safety feature here in that DarkOwl has done the collection. You are only playing in the DarkOwl data set so you don’t run the risk of exposing your own organization or burning a persona. We’re doing all of that in the backend, so it’s efficiency and safety at the end of the day.

So thinking about the the darknet in regards to US government use cases.

And I kind of boiled it down to three here. I’m sure all of you can can come up with more, but the first one I think of is just the force protection side – looking out for our own exposure, monitoring for email exposure, looking for PII of prominent folks and alerting them and making sure that we have an understanding as a government of what potential vulnerabilities are out there. And that could run the gamut from exposed PII for someone in a senior position to military part numbers being sold or darknet forums discussing ways to penetrate organizations.

The middle one here – identity management. So I think of that as the investigation side of it – really using the data set to conduct research, to look into identities. How are people talking about this? What can we find? What can we correlate? Who can we associate with this? A lot of red team activities.

And then on the right hand side here, targeting and thinking about what can this data set tell us about nation states and other folks, threat actors, what’s trending, ransomware, there’s so much content out there that is powerful to be in the know on how that’s being talked about and presented.

So without further ado, let’s jump into some data data examples. And again, I highlighted before we do that, why is this data set so challenging to get your hands on. Part of it is just the time and effort that it takes to do this, these sites go up and down all the time, they move locations. Access to these forums and marketplaces – it’s not as simple as just signing in and you can’t scrape page one, scrape page two and park it in a database. You need to be very strategic about how you do that. So these are some of the skills that we possess and have been doing for a long time. CAPTCHAs. And I’m not going to do a live demo today, but I do continue to fail CAPTCHAs on the darknet. They are extremely hard. I’m always laughing at that piece. So we’re doing these collection efforts in the background and basically taking that time suck and that risk off of all of you. Then the evolution of where people are moving to, I mentioned these peer to peer networks. You know, we’ve seen such popularity there, especially with the start of the Russia conflict breaking out in Russia and Ukraine. Following those trends is something that we’re always staying on top of as well.

Alright. Darknet data. What’s out there? Um, I just pulled together some slides of examples that I thought might be compelling for some of you on the phone, and to just give you a sense for what we’re looking for. So, no surprise, a ton of PII, all sorts of banking and transaction data, credit cards for sale, exploit kits, malware. And remember, by definition, the reason to be on the darknet is to remain anonymous. So anyone trying to sell or transact or trade in any illegal goods or services is going to be attracted to that. So there’s forums and marketplaces on how to do these things. It’s a it’s a colorful space.

The next bunch of slides are going to be screenshots from our platform, which we call Vision. And I’ll highlight just some of the findings here.

So I know it’s a little small on the background here, but if you look up at the top in caps it says DHS traders home addresses. So this is a hacker that’s uncovered some PII and is posting it out there, maybe in anger, unclear. And they’ve listed everything from title, home address, phone numbers. This is just someone posting this on a Tor page and we were able to capture that. And then this is a result right out of DarkOwl Vision.

Here’s another one. This is someone who is promoting their skills around making custom IDs, utility bills, bank statements and other documents, passports for sale. You can see the price here in in Bitcoin. This is this is very, very common – people trying to gain business and sell IDs and everything you can think of.

So here’s one that, um, I thought would be good for today.

This is a counterfeit item. They’re selling DOD ID cards and editable templates. You can even choose your own name and picture.

Alright, moving along – event and personnel protection. I looked at the registration list and I think some of you are tasked with some of these directives.

These are screenshots here of folks that, this one in the middle is actually a telegram group. You can see there’s 32,893 members in it. It’s entitled the Ultra Patriot Voice. You can see some words down here at the bottom. So these may be channels that would be worth monitoring. We’re collecting from them on an ongoing basis. We’re able to identify what users are are in those telegram channels, what their ID is, what their username is. And then, given some of our other sources, we can oftentimes back that into an actual person.

It wouldn’t be a good darknet presentation without the talk of ransomware. This is such a such a prominent thing for all of us.

Our commercial clients are are always very concerned about this. This is a screenshot of what we would see on the darknet side. So this is not what the victim would see on their own network. It’s important to understand here that the ransomware actors are hosting this content and they call them shame sites. So they’re posting this and saying, hey, and in this case, it was actually a, um, this is actually a grocery chain. And they were saying, you know, here’s the information we have. But why this is so critical is because this is where we can assess and figure out what actual data has been exposed. So monitoring these sites and being able to be there in real time is important.

This is a fun slide.

This was actually an investigation that DarkOwl had done where we identified and tracked a Portuguese speaking threat actor. They were involved in a mobile device malware issue. If you look kind of towards the bottom here, we were able to confirm that the suspect’s activities were in a bunch of these communities and the black part at the bottom here where it says steam, where you can see where it’s grayed out there. That was actually a leaked IP address that we were able to get a potential physical location for this gentleman that was in the Brazil area. I like to highlight this one because I think the first thought a lot of folks have in regards to the darknet is that there’s no geographical location because everyone has obfuscated their identity and their location. That said, there’s enough breadcrumbs in there that you can often back into it. So this was a case where we were able to do so.

Insider threats. So we see a lot of posts in regards to this. This is actually someone who’s looking to recruit insiders. You can see that this site toggles back and forth between English and Russian on the right hand side here towards the bottom – they talk about my team will lock, exfiltrate and pivot with your access keys and with your access, and you’ll keep a percentage of the money for giving access. So they’re recruiting folks to try and get in. This could be government related, commercial related and or both. So insider threat, no surprise there.

Drug and gun sales on the darknet isvery prominent. We see it all the time. There’s marketplaces dedicated to it.

I think there’s some folks on the on the phone from the DEA. Kudos to you guys. It is an uphill battle. And I know you’re fighting this daily. There’s so much and we’ve improved. One of the things we’ve done at DarkOwl very recently, is going into a lot of these forums and marketplaces and really dissecting how the chats are happening. So what I mean by that is looking at timestamps and who’s talking to who and trying to build out these networks so we can try and get to the bottom of some of these. There have been some really great use cases where our clients were able to use this data to solve a case.

One question we get often is what do we do with images, right? There is a lot of content on the darknet that none of us want to have eyes on. And so what we do at DarkOwl is we ingest all of the text into our database.

So on the left hand side here, you see a screenshot from Vision. That’s our platform. And I simply ran a search and said, I think my specific search was “glock”, and then the word “sale”, and I think I put in “Miami” as well, because I was talking to some folks in Florida and this page came up. So you can see we list where it came from, you can see the dot onion and then all of the text here. So if you’re sitting in the DarkOwl platform, you do not need to be concerned about coming across any child exploitation photos or anything in that regard. That said, sometimes the images that are captured can be quite compelling. So we have recently added what we are calling Direct to Darknet. You can see in the middle of the screen, there’s a little light blue bubble there. So if you click that button within the DarkOwl tool, it opens a new window. You’re in a safe, secure sandbox environment. I do it all the time off my DarkOwl laptop. This is not a burner device or anything. And up comes the actual page. And in this case, I’ve taken a screenshot off of the page, and you can see that the bracelet this person’s wearing, to me would help maybe frame the persona of who’s using this. We also have, if you see in the original text, they’ve provided a telegram handle here. So, you know, starting to gather a couple pieces of information that I think could be pretty compelling for an investigation here. So, again, the images won’t be pulled directly into the DarkOwl database intentionally, but you can go back out and capture those if needed.

Alright, I’m going to switch gears a little bit. A lot of the examples I’ve provided are ones that folks are pretty aware of – trading, selling, transacting in illegal goods and services is and has been what the darknet has been used for forever. What’s been interesting in the last year or two is really the political climate and how there’s been such an increase in real time chat applications and encrypted communication platforms for people to collaborate both for good and evil. We’ve seen a huge growth in telegram use and therefore the request for telegram data. There’s a lot of these invite only and pay to play architecture that’s been spun up. It’s just such an evolving space. So it’s been really interesting to follow that evolution and start to do some of our collection from these peer to peer networks. So there’s a lot changing. And I would say that one of the catalysts for that was absolutely the Ukraine Russian war. I think our actual data database, so just DarkOwl’s data went up by maybe 10% to 20% just within the first couple months of that. Half a million hacktivists and gray hats were taking on Russia and their allies. We saw just a huge influx of data and communication. It’s been really compelling and interesting to see that evolution in the modern warfare today. In a similar vein, if we think about the Israel-Hamas conflict, very much the same, there’s been a lot of data leaked on both sides.

These images here on the right, the bottom one is, is an attempt to map some of the hacktivist groups that are working together. These top ones are actually images that were shared on a telegram channel. This is this is a whole new way to engage and it’s been just eye opening for us to see the amount of data that’s coming onto the darknet in regards to these conflicts and wars.

Telegram is coming up again and again. There’s so much information being passed through that. We had a concerted effort, right when the conflict broke out, to try and join a lot of these groups, we were able to get 320 of them into our collection efforts that were specific to the conflict. And we actually have a really awesome blog on our website – it’s worth the read.

Russians on the darknet. Interestingly, the second most represented language in our database is Russian. Their ransomware groups are very prominent, very sophisticated. There’s a lot of content that that we have found. I’m actually going to show a couple examples in the next couple slides.

In regards to this was an interesting leak where there was Bushehr nuclear power plant, sometimes referred to as the NPPD leak, came out on a telegram channel. This was a hacktivist group that had come out after the death of that woman and they had posted all of these, download the entire email server and posted a lot of these pictures on a telegram channel. We, DarkOwl, were able to go in and capture some of those. It was posted in a bunch of different parts, but the compelling piece here for you to take away is we were able to go in, we were able to grab these images and, and capture this. And this is the kind of stuff that, given the line of work that you all are in, can be pretty compelling to help with investigations. So these were some internal photos. You can see all of the metadata is captured there as well. Historically this has been a plant that I don’t think folks have had eyes, or at least, you know, we in the US, on the inside.

These were a bunch of passports. So everyone that came in and out of that plant had to submit a passport. All of that was being passed through email communications. And because they had downloaded or had taken down that whole email server, every single itinerary of people that had been in and out of that plant in the last couple of years was captured. So again compelling for anyone that was needing to do research in this area or learn more about what was going on here.

You can see the flag here in the over on the right. This is obviously a Russian aircraft, some equipment, being delivered to this plant. So, again, just compelling information that would not have been able or clearly was not meant to be out into the public had been exposed on this telegram channel, and we were able to capture it and bring it into our data set.

So I’m going to pause there and wanted to take a couple questions.

Knowing that you folks cover Telegram and Discord channels/servers. What are the types of servers and channels that you usually collect from? E.g., are they solely reach groups, criminal groups, or a mixture?

Alison: Great question. So DarkOwl serves both a commercial client base and a government client base. So right now, our telegram and discord collection is focused on what our specific client use cases are. For instance, we had a client join a couple months ago that was concerned about some financial fraud that they were combating, so we joined a bunch of telegram channels on their behalf. So the short answer is it depends on our client’s use case, but I would say the ones that you referenced are all a part of our collection. We also love to do collection by demand. So what I mean is, as we bring on new clients, we always sit down during that onboarding and say, you know what’s of interest to you? What telegram groups can we join on your behalf? What is your use case? So a lot of that collection is customized to what our clients are looking for.

GEOs from the IP. Are you getting IP registration goes through a service like Maxmind or is it a GPS geo from a device using that IP.

Alison: So if you’re referencing the slide where I was talking about that actual investigation, we pulled the the actual IP address off of a post that we saw and then that we couldn’t we weren’t geo locating that within our tool so that that would have to be done outside of the Vision tool.

If Tor sites are always going up and down, how do you track this and find the news sites/markets?

Alison: I talked about this early in the presentation. It’s a combination of both manual and automated. So if we’re on a Tor site and crawling that and we see that there’s links to other pages, we will immediately spider and go to those pages and start collection there. Sometimes we’ll use one of our analysts to find a forum or marketplace. And oftentimes if those forums or marketplaces go down, they’ll post, hey, we’re moving it to this, or this has been taken down by law enforcement, we’re going to stand it up here. So it’s a combination of both spidering within the pages we collect and following those links, and then also our analysts just knowing the space and navigating to new forums and marketplaces. And the nice thing is, once we’ve captured the information, it’s retained in our data set. So if we were on a marketplace last week and we pulled down all the listings for, Glocks for sale in Miami, and then that site were to go down today, if you went into DarkOwl Vision, it would still be there. So there’s a nice lookback feature here because we don’t age off any data. So that’s, that’s where the capturing and looking back can be helpful.

Our unit’s focus is the commercial exploitation of children in the US, specifically California. How is your coverage of that topic?

Alison: We should talk because we actually have a partnership with a couple nonprofits that are in a similar line of work as you. We’re collecting this information at scale. So I guarantee we are going to have some sites of interest for you. The piece that would be important for you is that direct to darknet piece, where you would probably have to go out and actually capture some images there. I would want you to sit with our product team and walk through what that looks like. But my guess is we do have content that would help you with your work.

If we are looking for a particular chat, such as those including child exploitation, will your company actively search topics or is it only the data that has already been pulled available?

Alison: No, we will actively search sites if for some reason there’s a site that we are not already collecting from, whether that be a telegram group of discord server, a dot onion. We will go out and collect from it, per your request, as long as we’re able to do so.

What data sources are considered dark web?

Alison: It depends on your definition. I feel like everyone’s definition of dark web is a little different. We at DarkOwl consider that to be, Tor, I2P, ZeroNet. And then, as I mentioned, we collect from a lot of these dark web adjacent peer to peer networks. So telegram, discord, and some others. But the short answer is I think the definition of dark web can vary depending on who you ask. Ours is fairly broad, and we try and collect from a lot of adjacent sites as well.

How do you legally collect all this information? Is it Osint?

I’ll answer the first part – legally everything that we collect at DarkOwl is considered Osint, so open source we are able to do so with the right skill set. Any of you could go and find this information. A couple lines we will not cross. We will not purchase data. We won’t go behind firewalls. We follow very strictly the Department of Justice guidelines around data. Everything is done ethically. And again, we’re not purchasing data and or going behind firewalls. So we’re able to collect it because it’s open source information.

Can we search the data you collect by name, date of birth, etc.? Can you show how the application works live?

I can absolutely show how the application works live, not on this webinar because they’re recording it and going to be sending it out. I’d be happy to give you a demo outside of this webinar to answer the first part of your question. You can search for anything in our data set. Think of it as the Google of the darknet. So there’s a big search bar you can type in a term, an email address, a phrase, and hit search. And we’re going to show you all the results that are relevant to that, that have come out of all these varied collection sources. So yes, you can search for a date of birth, you can search for Social Security number, a phrase, whatever you want.

What are upcoming trends security practitioners should be looking out for?

I’m definitely not the best person to answer that question, but I would tell you that our collection team is always trying to stay ahead of what’s coming up next. And a lot of these forums and groups are talking about what the next technique is. I think the best we can do is all come together. Those of us that are on the the right side of the coin here and share what we’re seeing and hope that by sharing those practices and sharing what each of us is coming up against, we can make some headway. But I feel like I’m not the best one at DarkOwl to to field that question.

Do you have a newsletter, an email of examples of cases which were sought and closed and how they were investigated and the outcome?

Absolutely. We have a extremely comprehensive blog that we put out and there are white papers. I will tell you that if this topic is of interest in any capacity, any of the slides I showed, whether it’s in regards to some of the recent conflicts or very specific drug sales. Our blog is incredible. There’s so much information in there. All of those pieces were months and months of research.

Would you be able to say if any departments in new Jersey are currently using Dark Owl? I just want to see if this is something that would be beneficial to our detectives.

Off the top of my head, I don’t I don’t think we have any New Jersey specific clients, but I will tell you that we absolutely have state agencies and state departments that are using this. We have both federal clients and a lot of SLEDs. So I’m happy to make a referral to another state that is using it and see if that would be helpful to talk to them and learn more about their use case.

---

Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.