Examining Recent Telegram Posts from Russia’s “Z Bloggers”

October 05, 2023

Who are the “Z Bloggers” or “Z Army”?

The letter “Z” has been used heavily as a pro-invasion propaganda motif since the early days of Russia’s 2022 invasion of Ukraine. The symbol is often associated with images of Russian government and military leaders.

Image 1: Sergey Mironov wearing a pin with the “Z” symbol

The symbol is also commonly associated with Russian war journalists, soldiers, and other Kremlin supporters, who are typically used as vehicles for misinformation campaigns on chat platforms like Telegram. The media commonly refers to this group of individuals as the “Z bloggers” or the “Z Army”, and more generally as war influencers.

Image 2: Russian soldiers displaying the “Z” symbol on a military vehicle; Source: Moscow Times

Z bloggers will sometimes display the “Z” somewhere on their Telegram profile (as seen in the screenshot below for WarJournal). These “journalists” are often embedded with Russian soldiers on the front lines, which is how they obtain near real-time conflict footage. The videos feed propaganda aimed at increasing enlistment in the Russian Armed Forces or the Wagner Group.

Figure 1: Screenshot of WarJournal’s Telegram bio

A recent BBC article reported that the sudden increase in subscribers to various “Z blogger” channels, such as WarGonzo and Grey_Zone, correlates with a “surge in Telegram’s advertising market”. These war influencers have taken advantage of the trend by selling advertising space in their own Telegram posts to companies looking to reach a younger audience. Note that such paid posts are separate from Telegram’s own advertising product. According to Telegram’s website: “Sponsored messages on Telegram are displayed in large public one-to-many channels with 1000+ subscribers and are limited to 160 characters. Sponsored Messages are based solely on the topic of the public channels in which they are shown. This means that no user data is mined or analyzed to display ads, and every user viewing a particular channel on Telegram sees the same sponsored messages.”

This blog takes a look at recent posts from three different “Z blogger” channels to better understand how this content is being used as a propaganda motif. DarkOwl analysts selected the following Telegram channels for review:

  • WarGonzo, over 1.2 million subscribers
  • WarJournal, over 41,000 subscribers
  • Grey Zone, over 600,000 subscribers

WarGonzo

WarGonzo is one of the most prolific “Z bloggers”, with well over 1.2 million Telegram subscribers. The channel is reportedly run by Russian citizen Semyon Pegov; an image of him with Vladimir Putin was posted on X (formerly Twitter) and Telegram in April 2023 (see Image 3). It is unclear how many individuals are associated with the channel, but we have observed multiple correspondents posting information while embedded with the military. A representative for WarGonzo interviewed by the BBC reported that the channel makes an estimated £1,550 per Telegram post in advertising revenue. Advertisers submit content by following the instructions (in Russian) of a Telegram bot, @pegov_bot. It is unclear whether there are any restrictions on what can be advertised.

Image 3: Image of Pegov standing with Vladimir Putin; Source: Twitter 04/06/2023

WarGonzo posts at least once a day and often several times a day; on September 26, 2023, for example, there were 10 posts. The content ranges from interviews by correspondents on the front lines in Ukraine to reporting by other correspondents on the recent escalation between Azerbaijan and Armenia over Nagorno-Karabakh. The Ukrainian video content is typically more violent, often showing dead soldiers and civilians immediately after kinetic activity (an air strike or explosion), whereas in the Azerbaijan-Armenia videos the correspondents are dressed in civilian clothes and are not on the front lines. Advertising revenue has helped WarGonzo expand its coverage to other conflicts such as this one. The screenshot below, of a WarGonzo post made on September 26, 2023, displays a video of WarGonzo correspondent Dmitry Seleznev reporting from Goris, the Armenian town receiving ethnic Armenians displaced by Azerbaijan’s offensive in Nagorno-Karabakh:

Figure 2: Image from WarGonzo’s Telegram channel
[TRANSLATED IMAGE]
⚡️Refugees are arriving by land and by helicopter⚡️WG live from Goris⚡️
Refugees are arriving in Goris, the closest city to Nagorno-Karabakh. They are registered at the central house of culture, provided with food and water, given medical care to those who need it, and sent to be resettled in the regions and cities of Armenia.
Helicopters fly over the city, delivering victims after yesterday’s explosion of a fuel tank near Stepanakert.
Watch the live broadcast of our special correspondent Dmitry Seleznev from Goris.
@wargonzo
*our project exists on subscriber donations; card for contributions
4279 3806 9842 9521

WarJournal

WarJournal is another “Z blogger” Telegram channel whose content creators are embedded with Russian soldiers on the front line; it has a large following of over 41,000 subscribers. The content published on the channel is similar conflict content to WarGonzo’s, used to motivate Russians to enlist in the army.

The following screenshot was taken from a post on September 26, 2023, which depicts the Russian Air Force destroying a bridge over the Oskol River with a Kh-38 air-launched missile (transliterated “X-38” in the post). Users reacted 41 times with the “thumbs up” emoji and 14 times with the “fire” emoji. DarkOwl analysts identified the channel the post was forwarded from, where it was originally published on the same date: РаZвед_ДоZор (t.me/razved_dozor), yet another war influencer that is part of the “Z blogger” network.

Figure 3: Image from WarJournal’s Telegram channel
[TRANSLATED IMAGE]
The Russian Air Force used a Kh-38 air-launched missile to destroy (https://t.me/bortzhyrnal/139) the bridge across the Oskol River in Kupyansk, significantly hampering the ability of the Ukrainian Armed Forces to supply its troops in the Kupyansk direction.

Grey Zone

Grey Zone is another “Z blogger” account, one that identifies itself as an official channel of the Wagner Group. Open source reporting has not identified a particular individual running the channel at this time; according to its Telegram bio, the channel admin is the account @greyzone_admin.

Grey Zone also has a large Telegram following, with over 602,000 subscribers as of September 27, 2023. The BBC reported that this channel makes an estimated £260 per post. The content is consistent with other “Z bloggers”: near real-time conflict videos, images honoring dead soldiers, and other pro-Russian propaganda motifs intended to motivate Russian sympathizers to enlist with the Wagner Group.

The screenshot below is an example, referring to a Wagner Group “Hero of Russia”:

Figure 4: Image from Grey Zone’s Telegram channel
[TRANSLATED IMAGE]
“We are always ready to talk man to man. Moreover, we have known each other since the first and second wars in Chechnya” – commander of the “Wagner Group” Hero of Russia Dmitry Utkin.

The style of this image is reminiscent of the imagery used in jihadist martyrdom posts by groups affiliated with ISIS or Al Qaeda. The image below is a martyrdom post created by an Indian Al Qaeda affiliate, Ansar Ghazwat-ul-Hind (AGH), in June 2019:

Figure 5: Image of an AGH martyr, Long War Journal

Conclusion

DarkOwl analysts assess it highly likely that Russia will continue to expand the reach of its propaganda campaigns through chat platforms like Telegram. Since the outbreak of the Russian invasion of Ukraine, Telegram has been integral to the spread of Russian misinformation by a cohort of supporters that have become known as the “Z bloggers” or “Z army”. The recent BBC article highlighted how influential accounts like WarGonzo and Grey_Zone earn hundreds to thousands of pounds per post from advertising. WarGonzo now has the budget to report on conflicts in nearby countries, such as the displacement of ethnic Armenians from Nagorno-Karabakh into Goris.



Cybersecurity Awareness Month: Upcoming Content

October 03, 2023

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.


Upcoming Content This Month

BLOG

Z Bloggers

A recent BBC article reported that the sudden increase in subscribers to various “Z blogger” channels, such as WarGonzo and Grey_Zone, correlates with a “surge in Telegram’s advertising market”. This blog takes a look at recent posts from three different “Z blogger” channels to better understand how this content is being used as a propaganda motif.

BLOG

Mental Health Strategies for OSINT Investigators

Some types of OSINT research expose analysts to explicit, obscene, extreme, or otherwise uncomfortable content. In honor of World Mental Health Day, the DarkOwl team will be conducting research looking to:

  • Explain the risks that are inherent to some types of OSINT research, primarily taking a mental health perspective.
  • Disseminate the results of some independent research I am conducting, where I can provide to attendees strategies other OSINT researchers use to mitigate the risks to mental health from exposure to extreme content.
  • Facilitate a conversation with attendees who are comfortable sharing what strategies they employ to mitigate risks to their mental health from this exposure.

EVENT

DarkOwl @ ISS Latin America in Panama City, Panama

DarkOwl Senior Intelligence Analyst Steph Shample will be presenting “Use of Darknet for National Intelligence and Law Enforcement Purposes.” The session details the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which law enforcement and government officials can enrich and use to reduce criminal activity while protecting national security. Types of intelligence include: tracing financial transactions, fiat or cryptocurrency, to illuminate drug, weapon, and human trafficking and other supply chains that contribute to malicious activity; hybrid incidents that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services.

Attending ISS Latin America? Make sure to stop by Table Top #6 and schedule a time to meet with a DarkOwl team member here.

BLOG

Q3 Product Updates

Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. Always something exciting coming from our Product and Collections teams!

BLOG

Leak Sites Increase

In May, our analysts noticed and published a piece on the increase in leak sites. Stay tuned for an update this month on this topic and what the team is now noticing.

EVENT

DarkOwl @ OsmosisCon in New Orleans, LA

DarkOwl’s Damian Hoffman, Product Engineer and Data Analyst, will be leading a discussion on Mental Health Strategies for OSINT Investigators.

Pre-conference, Damian will also be conducting a demo titled “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations.” The goal of this session is to further educate the intelligence community on how threat actors on the darknet pose a threat to national security and showcase Vision UI, the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

Attending this conference? Stop by Booth #22 and schedule time to meet with us here.

EVENT

DarkOwl @ GITEX in Dubai

Going to be at GITEX, the world’s largest tech show, exploring the latest innovations, products and services within AI, Cybersecurity, Mobility and Sustainable Tech, in Dubai? Make sure to schedule time to meet DarkOwl FZE CEO, David Alley.

BLOG

Internationalized Domain Name Homoglyphs: Can You Spot the Difference?

Homoglyphs are characters from one script that look like characters of a different script (a Cyrillic “а” beside a Latin “a”, for example). Threat actors register domain names that resemble legitimate domains but substitute one or more characters from another script, then use them in phishing and credential-harvesting campaigns. Because DNS carries only ASCII, such names are encoded as punycode (labels beginning with “xn--”), which is one practical place to spot them. In this blog, DarkOwl analysts will outline several examples, each including a screenshot of the fake website.
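Added example, not from the DarkOwl blog: a small Python checker that decodes punycode labels, flags labels that mix scripts, and maps confusable letters to a Latin “skeleton” before comparing against a watchlist. The confusables table is a hand-picked subset (Unicode’s confusables.txt is the full source) and the watchlist domains are constructed; both are assumptions for illustration.

```python
import unicodedata

# Partial confusables table: Cyrillic and Greek letters that render like Latin ones.
# Assumption: a hand-picked subset for illustration; Unicode's confusables.txt is the full list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",
}

# Constructed watchlist of domains whose lookalikes should be flagged.
PROTECTED = {"apple.com", "paypal.com", "login.example-bank.com"}


def to_unicode(domain):
    """Decode punycode (xn--) labels to Unicode; plain labels pass through unchanged."""
    out = []
    for label in domain.strip().lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label so it is still inspected
        out.append(label)
    return ".".join(out)


def scripts_in(label):
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace confusable letters with their Latin lookalike so domains can be compared."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain):
    """Return the decoded name, its skeleton, mixed-script labels and the watchlist match."""
    uni = to_unicode(domain)
    labels = uni.split(".")
    mixed = [lbl for lbl in labels if len(scripts_in(lbl)) > 1]
    skel = ".".join(skeleton(lbl) for lbl in labels)
    lookalike = skel != uni and skel in PROTECTED
    return {
        "unicode": uni,
        "skeleton": skel,
        "mixed_script_labels": mixed,
        "lookalike_of": skel if lookalike else None,
        "suspicious": bool(mixed) or lookalike,
    }


if __name__ == "__main__":
    # Constructed inputs: a mixed-script lookalike and an all-Cyrillic lookalike of apple.com
    for name in ("xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com", "apple.com"):
        print(name, analyze(name))
```

The two checks are deliberately separate: a label that is entirely Cyrillic (the “аррӏе” case above) never mixes scripts, so a mixed-script rule alone misses it, while the skeleton comparison catches it; conversely the skeleton only helps for names on the watchlist, so the mixed-script flag is the generic signal.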

BLOG

Fraud is inarguably a global problem that is not going away any time soon. The DarkOwl team has published several pieces around fraud and scams, including a blog on their differences. Our October piece will dive into recent trends of fraud specifically.

BLOG

Spooky Findings on the Darknet

The darknet can be a scary place. For Halloween, we will highlight some spooky findings from our analyst team. This is one you will not want to miss!

WEBINAR

As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space. In this 30-minute session, on Tuesday, October 31 at 12pm ET, Socialgist CRO, Justin Wyman and DarkOwl Co-Founder and CEO, Mark Turnage, will explore a variety of critical topics shaping the cybersecurity landscape:

  • Key VC Raises in Cybersecurity: Capturing Industry Attention
  • Understanding the Major Players: Who’s Raising the Stakes
  • Harnessing Security Solutions: How Organizations Protect Their Assets
  • Addressing the Talent Gap: Scaling with Data Aggregators and Services
  • Pioneering the Use of AI: How do LLMs and AI Come into Play

Save my Spot! (Can’t attend live but want the recording? Register and we will be sure to send it to you.)



Threat Intelligence RoundUp: September

October 02, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of their popularity in the newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. MGM cyberattack claimed by ALPHV/BlackCat ransom gang – Cybernews

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM cybersecurity incident this week. Slot machines went down, key cards stopped working, and other services were interrupted at MGM resorts and hotels nationwide. News broke on Wednesday, 13 September, that ALPHV/BlackCat was responsible. However, when DarkOwl analysts checked the ALPHV onion leak site, no new data had been listed; MGM data from 2013 were the only results. On 14 September, new reports emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is an English-speaking cybercrime group that teamed up with ALPHV in early 2023. Scattered Spider also hit Caesars Entertainment on 7 September; Caesars reportedly paid tens of millions to remain operational and did not experience an outage. Read full article.

2. Hackers backdoor telecom providers with new HTTPSnoop malware – Bleeping Computer

The threat actor group “ShroudedSnooper” has deployed the HTTPSnoop and PipeSnoop malware at telecom providers in the Middle East. HTTPSnoop imitates legitimate URL patterns and blends into legitimate traffic, making detection very difficult; it targets internet-facing servers. PipeSnoop is built for use deeper inside an already compromised network. No attribution has been made regarding the country of origin or intentions of ShroudedSnooper. Article here.

3. Payment Card-Skimming Campaign Now Targeting Websites in North America – Dark Reading

Attacks beginning in May 2023 (or earlier) by a Chinese-speaking threat actor have exploited vulnerabilities in web applications in the Asia/Pacific region. This month the targeting expanded into Latin and North America. The attacks skim payment card numbers from e-commerce sites and point-of-sale service providers. Read more.

4. GhostSec Leaks Source Code of Alleged Iranian Surveillance Tool – Dark Reading

Hacktivist group GhostSec released source code from Iran’s FANAP Group, a technology conglomerate with ties to the financial, government, and technology sectors in Iran. The source code reveals facial recognition, GPS tracking, vehicle license plate recognition, and other surveillance capabilities. DarkOwl analysts have procured the available files from Telegram. GhostSec established two Telegram channels to share the files and the media coverage of the event, stating that the second channel was a backup in case the first was shut down. Learn more.

5. Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising – The Hacker News

Cybercriminals are using LinkedIn to find accounts tied to the digital marketing space and compromising those accounts for use in social engineering. Digital marketing accounts often have large numbers of followers and connections, which makes them useful for expanding credential theft operations and reusing the harvested information in further attacks. After compromising LinkedIn accounts, the Vietnamese group deploys Duckport malware to steal information, then moves to other social media platforms such as Facebook, continuing to steal account credentials and, in some instances, session cookies for reuse in its operations. Read full article.

6. Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace – The Hacker News

Law enforcement in Finland, including Finnish Customs, announced the takedown of the illegal dark web narcotics marketplace Piilopuoti on September 20. The drugs were brought into Finland from abroad, and the joint operation also involved authorities from Germany, Romania, and Lithuania. The marketplace had been active since May 2022. Read full article.

7. FBI, CISA Issue Joint Warning on ‘Snatch’ Ransomware-as-a-Service – Dark Reading

Snatch ransomware forces Windows computers to reboot into safe mode before encrypting, where many endpoint security tools are not running. The Snatch group targets CI/KR, including IT and agricultural firms, and the defense industrial base. It also purchases data stolen by other ransomware operations. Snatch runs a very active extortion blog and has significantly ramped up activity in the past 12 months. Snatch also exploits RDP, using credentials obtained from other ransomware campaigns to gain access and then move laterally within the network. Learn more.
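Added example (not from the advisory or the article): a small Python detection run over constructed process-creation events that looks for the safe-mode-then-reboot sequence described above. It assumes the safe-mode switch is made with bcdedit’s safeboot setting and the reboot with shutdown /r, which is how safe boot is configured from the command line on Windows; the hostnames, timestamps and command lines are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, UTC timestamp, command line). Not real telemetry.
EVENTS = [
    ("ws-042", "2023-09-20T02:14:03", "cmd.exe /c whoami"),
    ("ws-042", "2023-09-20T02:14:09", "bcdedit /set {current} safeboot minimal"),
    ("ws-042", "2023-09-20T02:14:11", "shutdown /r /f /t 00"),
    ("ws-017", "2023-09-20T03:02:55", "bcdedit /deletevalue {current} safeboot"),
    ("ws-017", "2023-09-20T09:40:12", 'shutdown /r /t 300 /c "Monthly patching"'),
    ("ws-101", "2023-09-20T11:05:30", "bcdedit /set {default} safeboot network"),
]

# bcdedit setting any boot entry ({current}, {default} or a GUID) to safeboot
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+safeboot\b", re.I)
# shutdown invoked with the restart switch anywhere in its arguments
RESTART = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)


def detect_safe_mode_reboot(events, window_seconds=120):
    """Two tiers: every safeboot change (low severity) and those followed by a restart
    on the same host within window_seconds (high severity, the ransomware pattern)."""
    safeboot_set = []
    safe_mode_reboot = []
    pending = {}  # host -> time of its most recent safeboot change
    for host, ts, cmdline in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if SAFEBOOT_SET.search(cmdline):
            safeboot_set.append((host, ts))
            pending[host] = t
        elif RESTART.search(cmdline) and host in pending:
            # consume the pending change so one bcdedit cannot pair with a later, unrelated reboot
            if t - pending.pop(host) <= timedelta(seconds=window_seconds):
                safe_mode_reboot.append((host, ts))
    return {"safeboot_set": safeboot_set, "safe_mode_reboot": safe_mode_reboot}


if __name__ == "__main__":
    for tier, hits in detect_safe_mode_reboot(EVENTS).items():
        print(tier, hits)
```

A safeboot change on its own is rare enough in normal administration to merit a low-severity alert; the reboot correlation is what raises it to high. Removing the setting afterwards (the /deletevalue line on ws-017) is not matched, since that is the cleanup an administrator performs, and a restart requested through the Windows API rather than shutdown.exe would not show up in command-line telemetry at all.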



What is Bullet Proof Hosting?

September 21, 2023

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by cybersecurity professionals and threat actors alike that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, to better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms.

Bullet proof hosts (BPH) are web hosting providers that restrict far less of what their customers do than traditional hosting providers and Internet Service Providers (ISPs), hardly limiting any kind of content. BPH services are frequently used by online casinos, spammers, and actors running other illicit online activities. They generally permit all the material and practices that legitimate hosting services prohibit (fraud, abuse, pornography, gambling, and hate speech, to name a few). Just as legitimate businesses rely on ISPs, criminal and malicious threat actors, including state-sponsored advanced persistent threat (APT) groups, rely on the resilience of bullet proof hosting to conduct their operations.

While traditional ISPs aim to combat cybercrime, online fraud, and abuse, BPH empower and aid the criminal ecosystem by offering resilient infrastructure and insulation from law enforcement. Takedown requests, abuse reports, and law enforcement actions such as subpoenas are simply ignored. BPH create shell companies or move IP ranges to keep questionable activity up and running. In some cases a BPH will even tip off its customers about subpoenas or takedown requests, giving them time to react, move their operations, and avoid losing financial assets. For these reasons, BPH are crucial to the continuation of the cybercriminal ecosystem.

Geography is essential to the success of a BPH operation. Bullet proof hosts usually establish themselves in jurisdictions with vague or lenient cyber laws and policies, and they make sure to operate where there is no extradition to the Five Eyes countries: the United States, Canada, Australia, New Zealand, and the United Kingdom. Locations that commonly allow for and host BPH include China, Romania, Bulgaria, Estonia, Panama, and the Seychelles, among others. Spam originating in China draws little enforcement, whereas in the US the FTC enforces the CAN-SPAM Act, which draws a tight line between spam and authorized business activity such as cold emails. BPH also rely on the pseudonymity of cryptocurrency payments. In this way they facilitate a “don’t ask, don’t tell” arrangement with the criminal underground, allowing actors to carry out nefarious operations while the host turns a blind eye or pleads ignorance.

Another term for BPH is DMCA-ignored hosting. The Digital Millennium Copyright Act protects copyright holders from theft of their material and aids in combating online copyright infringement; its safe-harbor protection applies only to service providers that act on takedown notices. Most BPH do not, and advertise the fact. The most effective way to combat material hosted by a BPH is to blacklist its entire IP block rather than individual addresses, bearing in mind that the block list must be refreshed, since, as noted above, BPH move IP ranges and set up new front companies when pressured.
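As an added example of the IP-block approach (not from the blog): Python that checks access-log source addresses against a list of CIDR blocks attributed to a BPH and renders the IPv4 blocks as an nftables set so the whole range is dropped at the edge. The blocks are RFC 5737 / RFC 3849 documentation ranges standing in for real attribution, and the log lines are constructed.

```python
import ipaddress

# Constructed CIDR blocks standing in for ranges attributed to a BPH provider.
# Assumption: documentation ranges only, not real attribution of any provider.
BPH_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]

# Constructed web-server access-log lines (source address first), not real traffic.
ACCESS_LOG = """\
192.0.2.77 - - [21/Sep/2023:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.5 - - [21/Sep/2023:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.200 - - [21/Sep/2023:10:02:15 +0000] "GET /.env HTTP/1.1" 404 128
2001:db8:bad:1::9 - - [21/Sep/2023:10:03:40 +0000] "GET /admin HTTP/1.1" 401 64
198.51.100.20 - - [21/Sep/2023:10:04:01 +0000] "GET /robots.txt HTTP/1.1" 200 32
not-an-ip - - [21/Sep/2023:10:04:05 +0000] "GET / HTTP/1.1" 400 0
"""


def block_for(ip_text):
    """Return the BPH block containing ip_text, or None (also None for unparsable input)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in BPH_BLOCKS:
        if addr.version == net.version and addr in net:
            return net
    return None


def flag_log(log_text):
    """Return (source_ip, block, request) for each line whose source falls in a BPH block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]
        net = block_for(src)
        if net is not None:
            request = line.split('"')[1] if '"' in line else ""
            hits.append((src, str(net), request))
    return hits


def nft_set(name="bph_v4"):
    """Render the IPv4 blocks as an nftables interval set (to be placed inside a table)."""
    v4 = [str(n) for n in BPH_BLOCKS if n.version == 4]
    return "set %s { type ipv4_addr; flags interval; elements = { %s } }" % (name, ", ".join(v4))


if __name__ == "__main__":
    for hit in flag_log(ACCESS_LOG):
        print("BPH source:", hit)
    print(nft_set())
```

Matching whole blocks rather than single addresses is what makes the list survive the provider rotating hosts inside its range; it does not survive the provider moving to a new range, which is why the list needs a refresh cadence tied to whatever attribution or reputation feed it came from. The same function can be pointed at ASN-derived prefixes when the attribution is at the network-operator level.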

In August 2023, researchers broke the news that Cloudzy, a company registered in New York but actually run out of Tehran, Iran, was providing infrastructure to both nation-state and criminal cyber actors. Researchers estimated that 40 to 60% of Cloudzy activity was malicious. Like other BPH, Cloudzy takes payment in cryptocurrency and claims to protect the privacy of its users; it also ignored takedown requests and abuse reports. However, Cloudzy goes beyond the normal BPH profile, hiding its ties to known governments and criminal groups worldwide and masquerading as a legitimate provider. In addition to known nation-state actors, ransomware affiliates and initial access brokers were observed using Cloudzy services in their operations.

Examples in DarkOwl Vision

After the Cloudzy research broke, DarkOwl analysts looked at the latest trends for BPH in 2023. It is a competitive market in which the actors using these services expect full-time support, dedicated servers, and protection from online threats such as DDoS attacks, as well as protection from law enforcement, all cheaply and reliably. Uptime promises (“live time” in the advertisements) matter because of the ongoing efforts to take BPH offline: it takes time for criminals to set up whatever they use the BPH for, and if it is taken down immediately that is lost revenue and opportunity. Several screenshots from DarkOwl Vision are below:

Figure 1: Threat actor “darknite23” advertises BPH services with a guaranteed live time; Source: DarkOwl Vision
Figure 2: An actor solicits BPH services in a Telegram channel; Source: DarkOwl Vision

Actors on Discord discuss the merits of a virtual private server (VPS) versus a dedicated BPH server, and name CrazyRDP and Privatealps as bona fide BPH. A VPS can be easily moved or relocated in the event of abuse complaints or law enforcement attention:

Figure 3: Actors on a chat platform server discuss some of the believed better BPH service providers; Source: DarkOwl Vision
Figure 4: Actors discuss BPH costs and services to use in their various operations; Source: DarkOwl Vision
Figure 5: Users discuss the merits of a BPH on Exploit, one of the top criminal forums; Source: DarkOwl Vision

Conclusion

Bullet proof hosting providers are known to facilitate the cybercriminal underground: its actors, its front companies, and all types of illicit activity. In an ever-connected world where people want to express themselves, promote their causes, defend freedom of expression, or simply make extra money, balancing online freedom against invasions of privacy is crucial. Freedom of expression, however, cannot be lumped in with inciting violence, promoting online hate, terrorism, and violent campaigns, or attempting to compromise and extort businesses, critical infrastructure bodies, and government entities. Bullet proof hosts facilitate and enable some of the worst actors in the space. They must be studied and monitored to prevent them from gaining more momentum and enabling further compromise online.



Chatting with DarkOwl Analysts: Who Are They and What Do They Do?

September 19, 2023

The darknet is a haven for illicit activities, many of which pose a direct threat to organizations and individuals: stolen data is offered for sale, illicit goods are accessible, and hacking activity is coordinated. In addition, forums are used to discuss all manner of topics, from extremism to CSAM to hacking practices and education.

Accessing and analyzing data from the darknet is challenging, even for the most experienced analysts. DarkOwl is the darknet expert, with access to the largest database of darknet content. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill their need for actionable threat intelligence.

Interview with the DarkOwl Darknet Analyst Team

DarkOwl’s Director of Marketing, Dustin Smith, sat down with Erin, Director of Intelligence; Steph Shample, Senior Threat Analyst; and Richard Hancock, Darknet Intelligence Analyst, to learn a little more about their backgrounds, why they love cyber, the projects they are working on, and some tips and tricks for new analysts.

Editor’s Note: Some content has been edited for length and clarity.


Why did you get into cyber security and the darknet space in particular? 

Erin: I kind of fell into it. I worked for the government and I was put onto cyber work, so that’s kind of how I started in cybersecurity. And I really enjoyed it. There’s a lot of fascinating characters and interesting people to investigate in that area. It’s very much been, in the 15 years or so that I’ve been doing it, a growth space with more information and more techniques and things happening all the time. So there’s always new stuff going on. And then the dark web has always been something that people are utilizing and using as a means of communicating. It’s always been fascinating in terms of its darkness, I guess, for want of a better phrase. 

Rich: For my entrance into cyber security, I also kind of fell into it. It’s interesting because a lot of people who have a background in government contracting, working directly for the government and counterterrorism and linguistics, like myself, transitioned into cyber threat hunting. And I think that reflects a level of how foreign policy and national security interests are evolving as well. But actually, my first entrance into open source intelligence investigations was actually through a recruiting job where I had to get really good at finding people’s contact information online. That’s where I developed a lot of my Google dorking and Boolean skills, in the recruiting world. I didn’t study computer science or anything science related in college; I studied Arabic and international studies, and something I tell a lot of younger people that are trying to get into cybersecurity is just because you didn’t study something technical, doesn’t mean you can’t work in cybersecurity.

Steph: So we all kind of fell into it because I was also government. What’s interesting is that I have almost the exact same start as Rich, in that I was doing counterterrorism work. You take those investigation skills for online patterns of terrorists and kind of trying to get into closed networks and you have to take that to the cyber world as well. But same situation – I had no computer science, I was studying humanities in college. And then it was the linguistic aspect that… the needs were like, hey, Iranian cyber actors are coming online, African terrorists are using French forums… Can you translate this? Do you know what’s going on? So I think getting into it was accidental, but staying in it was definitely intentional because there is never a dull day.

There’s never a dull moment. You have to learn something new. It’s not a matter of, “oh, I like learning new things.” If you want to stay competitive in the field and if you want to stay on top of your game, you have to advance with technology. And so that makes it really exciting. Furthermore, to come into the Internet world that none of us had a background in, no computer science is one thing, but when you start seeing Tor and these closed down platforms and these kind of CAPTCHAs and you’re just like, “how did these people come up with this and how can they navigate this?” And then also wreak havoc across the world on every industry. From what Rich said, it influences policy, the defense sector, but it also influences the financial sector and industry of all kinds. And what these people can do, cyber criminals, namely on the dark web from remote places. It’s fascinating. And do you want to be part of the good or do you want to be part of the bad? Do you want to combat that and the damage they have internationally, or do you want to just let them go? So that’s why I stayed in it. And it’s amazing, especially the dark web. It’s fascinating.

I love how you transitioned into why you stay in cyber. Rich and Erin, do you have comments to add? 

Rich: I’ll draw back to the link that Steph and I have, which is our cultural interests and linguistic interests, which got us into the industry. Why I’m going to be staying in it is because I’m constantly learning. I’ve had darknet experience at previous jobs, but the amount of information that I’ve learned since being here [at DarkOwl] and how much better I’ve gotten at doing cyber investigations and the exposure to different industries is because we’re not just selling to one particular type of client. It has been incredible. Developing darknet subject matter expertise is a really, really valuable skill that can be used in so many different ways moving forward. 

Erin: I just really enjoy it, honestly, that’s why I stayed in it. I love figuring stuff out. I love a puzzle of, you’ve got to find something and how do you go and find it? And one of the things I think in the industry that’s so different from government is it’s really on you to go and find that information. I think in government and military, you’re getting SIGINT [signals intelligence], you’re getting all of this information coming to you, and then you just do stuff with it. Whereas in the jobs that we do, it’s a case of: what can we find and what places are we going to look and who do we need to talk to find out that information? Steph and Rich say it’s having those linguistic abilities or having that knowledge of the different cultures and knowing the kind of subsectors of the groups within the dark web and what they’re interested in and what you need to talk about in order to kind of get in with them. It’s just interesting. I enjoy it. And as the other guys have said, it’s constant learning. It’s a constant challenge. There’s always new things to do. It always keeps you on your toes.

Dustin: Erin, do you come from a computer science or tech background or more humanities? 

Erin: Humanities. I always say to people when I’m talking about my job and what I do is that I’m not technical but I have the ability to translate technical stuff to other people. I can take the technical information and tell you what it means in clear English. 

Steph: Can I piggyback off of that? I think another side skill that emerges when you talk about backgrounds, like Rich said, you don’t have to be from a computer science background or be a programmer, but all of us have the ability from government customers to industry customers to be able to translate what cyber actors are doing, nation states, governments at every level to C-Suites, Generals to HR [human resources] and everybody that has hands-on information. We get better at that every time there’s a new group or a new tactic because we have to essentially translate, how does this impact you? What is your risk and how can we help you make your environment better and safer? And it really is circumlocution direct approach, translation, running it off of each other. It’s a foreign language and its own lexicon in and of itself. And it’s really cool. 

Switching gears a little bit, now that we know who you guys are. Explain the concept of Darknet Services and why DarkOwl launched this offering. 

Erin: I think what Steph just said is a really great segue into this. One of the things that we’re able to do is take that technical information, take the trends that we’re seeing, take the groups that we’re seeing and put it into a report or presentation for people to understand what it is they’re looking at. The dark web is a very complex place, there are a lot of different groups on there, a lot of different individuals using it for a lot of different purposes. It can sometimes be kind of tricky to understand everything that’s going on and what that actually means and how that fits into the wider context of what’s going on in the cyber world and in the criminal world more widely and in geopolitical politics. And all of those things depend on what background you’re coming from or what and who you’re looking at.  

So the idea with Darknet Services at DarkOwl is we really wanted to support our existing customers and any new customers that come on board with our expertise of investigations and the dark web. We can help explain what they are looking at, what risks they should be concerned about, what remediation action, if any, they can take, and really support them throughout any investigation needs. 

Steph: It’s everything that she just said. Absolutely. Darknet Services is also a really great offering because let’s face it, the tech and the dark web especially is intimidating and there’s a security risk. So we [DarkOwl analysts] assume that risk because we know it. Most of us have dealt with it for over a decade, if not two decades. So if you are an individual who isn’t comfortable with the darknet, you don’t know what you’re exposing inadvertently, you don’t want to be the weakest link in your organization, but you want to know what’s out there. We take that risk and we can do it as far as one website, or we can do it for a whole host of threats, a specific industry that you want to look into or a specific group that you want to look into. And we take being able to do those services very seriously because we want to make a positive contribution and a positive change.  

Furthermore, let’s be serious about the fact that there’s new stuff emerging that even we [DarkOwl analysts] need outside assistance with doing. The platforms are ever-emerging and ever-changing. So, let the services team assume the risk to keep your organization protected because it is intimidating out there. But we do know the dark web, where to go, and how to be safe. 

Rich: I think one point to add to that is the ideal audience for Darknet Services at DarkOwl could be somebody who’s more beginner when it comes to darknet knowledge, or somebody on the more veteran experience side. To explain that further, let’s say you’re trying to better understand what the main risks are to you as an organization, and doing some ongoing monitoring. It could be a more simple engagement for somebody who’s newer to the darknet and with the eventual hope that they’ll be able to do some of the investigating on their own within our platform. But also there’s opportunities for people who might have more complicated queries about what’s going on in the darknet and maybe specific asks for what is going on in this particular community or things like that as well. So I think it’s just important to note that there’s not one ideal audience for Darknet Services. It can be somebody who’s more experienced on the darknet or not as well. 

Steph: Great point. Can I also add to that, like you said, it’s varied audiences and you might be a veteran, or you might be brand new. Furthermore, maybe you know that your company or organization is fairly safe and has good cyber hygiene, but your suppliers or your vendors or your third-party don’t. And maybe you don’t know how to investigate them and you don’t want to have that awkward conversation of like, “Hi, are you subjecting us to ransomware or credential theft?” So that’s another place where we come in and we can look at your supply chain and your vendors and that way you can have a more robust picture of all potential risks. 

Erin: The other thing I just thought of as well is it’s not just about doing that investigation and looking at groups or looking at your exposure. We can also do data acquisition as well. So we’ve had a lot of customers that have come to us and said “we’ve been told our information is out there or we’ve seen someone advertising this particular piece of information. Can you please go and get it for us or can you confirm that it’s there and what’s in it?” And that’s a really tricky thing for a lot of people to do as well, because it involves interacting with threat actors, which most corporations don’t allow their employees to do and you probably wouldn’t want to do. There’s a lot of other factors that go into that. We are experienced in working with those factors in order to get that information that the customer wants. So there are several use cases that we can support. 

Why is darknet data important in cyber investigations and risk monitoring? 

Rich: Dark web data is just another component of open-source intelligence. There’s darknet intelligence, open-source intelligence, different forms of intelligence, and in order to conduct all source intelligence analysis, you need to factor dark web intelligence into your picture. 

Steph: I think there’s an evolution of intel. Rich is right, darknet intelligence is a component. We’re not saying only focus on the dark web, but you do need a robust picture. Additionally, cyber actors in the evolution of technology follow the trends too. In the 2010s, when I first got on the darknet, these actors, and it’s still true to this day to an extent, feel safer on the dark web. They feel that it’s not as monitored as the open net or the clear net so they reveal TTPs [techniques, tactics and procedures], usernames, aliases, their whole criminal ecosystem. And now we were seeing threat actors on darknet adjacent sites, like chat platforms such as Telegram. You have to keep moving with them because they’re not as open on the dark web anymore, but they are on Telegram and other platforms and we can follow that evolution and follow that chatter to get some really deep insight that they don’t think is being monitored. 

Erin: Just to echo that, although we’re a dark web company, we also cover a lot of dark web adjacent sources and we’re seeing them becoming more and more integral to the investigations that we’re doing. With the Russia-Ukraine War, we’re seeing a lot of pro-Russian and pro-Ukrainian Telegram channels that have thousands of followers. Telegram is becoming a really important vector. Seeing how threat actors communicate is going to always be a key aspect to knowing what they’re doing so we need to be aware of those communications, and also look at things on the dark web like marketplaces and forums, to gather trends. By doing this, we’re able to see what types of cryptocurrency actors are using, how they’re doing their escrow services, how are they doing financial transactions, what drugs are most popular at the moment, etc. One of the things that we’ve seen recently is there’s been an increase in black market pharmaceuticals of things like Ozempic because people want to lose weight rather than the more traditional drugs that people would think of. We’re seeing increases in counterfeit and things like that.  

To just touch on ransomware – ransomware is increasing exponentially and has been throughout last year and into this year. Ransomware groups are using the dark web to advertise the victims that they’re targeting. Then when they don’t get their ransom, the data from those victims is released. There’s a huge amount of information there. For corporations to know what exposure they have, it’s really important to be checking through all of those things because as Steph said, it’s third parties and vendors as well. Just because you didn’t get a ransomware attack doesn’t mean that your data hasn’t been exposed. Again, as Rich says, darknet data is part of the whole ecosystem of doing open investigations, and it’s something that should be covered. The Darknet is an area that a lot of people forget about. They tend to focus on social media, surface web forums, data brokers, and things like that and aren’t looking below the surface, and I think that’s where you find most of the useful information. 

Rich: I have one quick point I want to add about our data collection and why we equally collect from places like Telegram and darknet forums like Exploit. One threat actor I can speak about that’s gotten a lot of attention in the media recently is this guy Canadian Kingpin who’s selling services that take advantage of ChatGPT and using them for fraudulent products and services and selling them on places like Exploit and other forums. But one of the main ways this vendor first gained a reputation was through their Telegram channel, which goes by a different name. They also include the name Canadian Kingpin in there. But this threat actor is actually mostly involved with bank logs, targeting fraudulent products, targeting banks. But they’re also now involved with ChatGPT fraud bots and things like that. And they equally have a presence on Telegram and from what we were seeing in our research about 5 or 6 other darknet marketplaces, deep web forums and darknet forums as well. 

Steph: I have to jump in on that because Rich killed that. Not only are industries going to move to AI, but so are criminals. We have to watch that. Rich is exactly right and we are so aligned on our team – without even comparing notes, I had noticed Canadian Kingpin and his Telegram channel and then I got with Rich to see if he had any notes about it and he already had this threat actor mapped out into all of the forums that he just talked about. So I had seen his Telegram and Rich was like, here he is in 6 or 7 different forums and we were like, we have to watch this guy. His services are out there, he’s ahead of the curve. 

Any other themes and trends that you are seeing on the darknet? 

Steph: I think Erin really nailed it with the mention of Russia and Ukraine that put Telegram as well as the dark web and other adjacent services on everyone’s radar. I think a lot of people were a little doubtful of the dark web or OSINT contributions until that conflict started. And then it was basically a hybrid conflict taking place physically, but then also taking place on the dark web and on social media. When Afghanistan fell two years ago, the Taliban had some similar use cases. They were more on social media. It just goes to show you the absolute importance and trends of these actors and groups that once banned technology, and that’s in more regions of the world than just Afghanistan. Now you can track their checkpoints by Snapchat traffic and then you can go to Telegram and confirm if they’re talking about, “yeah, we’ve set up this checkpoint here. We’ve killed 30 people trying to escape.” This is going to continue. It’s going to be the same on Telegram and the dark web and keeping track of this is really going to be disparate. And we have to follow all of those disparate sources and continue to follow the trends that are emerging. 

Erin: Ransomware is a huge one, the growth of this area is massive and I think people aren’t really sure about it and want to understand what their exposure is. I would say leaks, in general leaks are not going away. We are seeing hundreds of them daily, information that’s being shared. Generally, one of the things that we’ve seen since we started the services is that people are worried about what their exposure is. In this digital age with regulation and media – if anything goes wrong, it’s all over the news. People are really concerned about what exposure they have and want to make sure that they’re getting as much coverage as possible, which is great. But obviously, we would always err towards prevention rather than the cleanup. Another one that I’ve seen growing is physical security. With a lot of protests happening in recent years and other events, people are very concerned about when their employees are traveling to certain areas and making sure that they know if people are talking about that area or that building or any kind of attacks that they might take. And as always, phishing is not going away – phishing and smishing. We’re seeing actors getting more sophisticated with that, and through some of the other data sets that are out there from ransomware, data leaks, etcetera, they’re able to garner more information that they can use for those phishing attacks to make them more likely to work. 

Rich: I have one more trend I’ve noticed as well, and that is more from an industry level, from a threat intelligence perspective, investigations perspective. There’s an increasing appetite for digesting dark web data. We’ve observed this in larger tech companies that are actually creating their own dark web investigations departments with their own budgets. When large tech companies are making decisions like that, I think it shows a bit more maturity in the industry. Then, as for the type of data that we’re seeing most mentioning those types of companies, we’ll go back to Telegram one more time because the most common threat we’re seeing on Telegram and consequently also dark web marketplaces right now would be any company that facilitates or has a large mobile application user base. Those kind of companies are the most targeted on the dark web and Telegram right now in terms of fraudulent products. So whether it’s a Netflix account, a Spotify account, Amazon Prime, Pizza Hut, you name it, those are the most common threats on the dark web because it’s so easy to sell that information on there. 

Steph: I would add hacktivism as well. Early on it was like actors would log on, maybe deface a website and put an obnoxious picture. But now to the ransomware point, which we’ve discussed, is continuing to just explode. Actors are now, if they can get inside of an organization and no matter what their viewpoint, no matter where they stand on an issue, an actor takes umbrage with that and then goes after it and exposes that company for supporting a cause, disputing a cause. So hacktivism is tying into ransomware. It’s tying into all of the fraudulent campaigns, for example, if Netflix takes a stand on some issue that’s common in the US, somebody’s going to go after that because they disagree and say, “Well, I have 8,000 Netflix accounts that I can sell. Netflix doesn’t support cause xyz. Here they are.” Hacktivism is also bleeding into the other cybercriminal ecosystems. It’s very interesting. 

Any projects that are coming up that you guys are really excited to dive into? 

Steph: It’s really nerdy to say, but every day. I came back to the dark web, this area for a reason. But ransomware is how I got my start in cyber. It’s what I initially started translating, and I’m absolutely obsessed with it. I can’t believe how it’s evolved, how common it is. It’s not just nation-states, it’s criminal actors. It’s everywhere. It’s going to be increased by AI. So, for me, I am probably most excited about ransomware projects and combating that and doing our part to contribute to lowering that risk globally. I’m really excited about that. 

Erin: I am trying to think what projects we can actually talk about, to be honest. 

As we’ve got the analyst team set up, we’re trying to deep dive more into different areas. We’re looking at different threat actors on the dark web, we’re looking at threat areas like terrorism. As Steph said earlier, the dark web used to be a safe space and now it’s somewhat less of a safe space. A lot of forums have been taken down in this last year or so, and that’s changed the way that people are operating. It’ll be interesting to see what we can find and how things are changing in those areas. 

Steph: Another aspect of excitement is that our analyst team is getting really deep and granular on our projects. We really love it. We have to liaise and have constant back and forth with customers, they’re going to see different things that we also need to be paying attention to. It’ll be great to record what we see in trends, what we’re observing, and then match that with what the customers need and what customers are facing. That feedback from them is also going to be really integral to bettering us and bettering our Services. It’s fun to have a two-way conversation as well. And who you’re having that conversation with isn’t always going to be an analyst. They’re going to be coming at it from a different perspective and we’ll learn a ton from that. 

To wrap up, any tips or tricks for other analysts out there or beginner analysts that are looking to get into a role like this? 

Erin: Be curious. There’s a lot of information out there. There’s a lot of training out there. There’s a lot of free training and reading that you can do. There’s some really great resources on open source training. So I would delve into those. As we said at the beginning, this is a constantly evolving role and you’re always learning. So I’m always looking at those resources and things as well, going to conferences and hearing about new tools and new ways of doing things is always really interesting. So again, be curious, find out as much information as you can and don’t be intimidated by it. If it’s something that you’re interested in, I think you can figure out how to do it. 

Rich: I would say to try to find different parts of the industry that are interesting to you and excite you and maybe are related to some of your other interests. I recently saw a LinkedIn post where somebody was actually hiring open-source investigators that have a background being truck drivers because they need to be familiar with threats to transportation and the logistics industry. Just think about that. A truck driver is now an OSINT investigator. 

Steph: That’s amazing. 

Erin: I like that. 

Steph: Erin took the words right out of my mouth. And Dustin, you’ve heard me say it before, you have to be curious whether you’re brand new to the field or you’re 20 years into this. Your curiosity can’t stop, you’ve got to stay one step ahead. There’s going to be naysayers and people who poo poo the dark web or poo poo OSINT. Don’t be intimidated and always be curious. 

Rich: One point I’ll make is, if you want to get into dark web investigations, threat intelligence investigations, OSINT investigations of any sort, make sure you balance it with having some interests outside of it. I think a lot of us can relate to the fact that sometimes the subject matter of things that we’ve been engaged with in our careers has not been always the most positive. So I think it’s really, really important to balance your interests, your professional interests and aspirations with this stuff equally, with things that are totally opposite of it. 

Erin: You’ve got to have a sense of humor as well. Some of the stuff you can see on the dark web, it’s not for the faint-hearted, which is probably another reason why people ask us to do it. 

Steph: Both make good points. And in addition to the sense of humor, you have to take time for your mental health. Have a sense of humor and take breaks. 


Check out DarkOwl Darknet Services and how our team can be an extension of yours.

DarkOwl Furthers International Relationships at ISS World Asia in Singapore

September 15, 2023

Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Asia. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” 

ISS World events (DarkOwl will be at ISS World Latin America in Panama City in a couple of weeks – meet us there!) focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl at this year’s show was David Alley, CEO of DarkOwl FZE based in Dubai. While at ISS World in Singapore, David led a seminar on Darknet Intelligence Discovery and Collection, where he demonstrated the importance of darknet data in cyber investigations, highlighting the use of DarkOwl Vision UI, and how threat actors on the darknet are evolving in their use of new tools and methodologies. Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search darknet data. Investigating crime on the darknet and deep web poses technical challenges to law enforcement, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information without having to access the darknet directly. Investigators are able to search and compile evidence about persons or subjects of interest, including usernames, aliases, chatroom activity and other potentially incriminating information, and use that data to compile evidence and solve complex crimes. Countries represented at David’s presentation included Malaysia, Bangladesh, Indonesia, Australia, Kenya, Vietnam, and more.

In addition to presenting, David was able to meet with many current customers, partners, and prospects. Attending events is invaluable for face-to-face time, as expressed by David, “these events are excellent for maintaining and building relationships. We had visitors from Singapore, Malaysia, Bangladesh, Indonesia, Australia, Kenya, Vietnam, Kuwait, Saudi Arabia, Brunei, Azerbaijan, and Estonia at our booth.” Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Being able to meet with clients provides a great opportunity to share new product features, features in development, gather product feedback, and keep up to date with the latest trends. DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet. 


Interested in learning how DarkOwl can help your cyber investigations? Get in touch.

Threat Intelligence RoundUp: August

September 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. US Gov Rolls Out National Cyber Workforce, Education Strategy – Security Week

At the very end of the month, the Biden administration announced the National Cyber Workforce and Education Strategy (NCWES). This comes as the gap in talent needed to fill cybersecurity jobs remains. The new strategy will include a series of “generational investments” to address the cyber workforce needs, starting with education and making training more accessible. Read full article.

2. Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia – The Hacker News

Research has revealed that Space Pirates, a threat actor linked to attacks against at least 16 organizations in Russia and Serbia over the past year, has been harvesting PST email archives and making use of Deed RAT – showing that they are adding new cyber weapons to their TTPs but their main goals are still espionage and theft of confidential information. Read more.

3. Cuba ransomware group observed exploiting high-severity Veeam bug – SC Media

Cuba ransomware group exploits Veeam bug, targets CIKR. The Cuba ransomware group is actively exploiting CVE-2023-27532, which allows for procurement of stored encrypted credentials. Furthermore, their increase of activity allowed for deeper analysis revealing that the ransomware terminates if Russian language packs or the Russian keyboard is detected, likely indicating this is another Russia-based group. Read more.

4. Attackers Dangle AI-Based Facebook Ad Lures to Hijack Business Accounts – Dark Reading

Credentials were stolen after a Facebook advertisement promised to boost business productivity and revenue using the latest trends in AI. TrendMicro discovered the false Facebook pages and alerted Meta, who took the pages down. Clicking on the false ads led unsuspecting users to an LLM-themed website, which then stole cookies, browser information, user access tokens, and other sensitive data. Community researchers compared this latest campaign to the spring 2023 RedLine stealer campaign. Read full article.

5. Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware – The Hacker News

Syrian threat actor EVLF reportedly authored several Android remote access trojans (RATs) which he sold on a marketplace since 2022. The RATs can control device cameras and microphones. EVLF runs several Telegram channels in addition to selling on marketplaces. He posted on 23 August 2023 that he would be shutting down, presumably after being publicly outed by the media. Read more.

6. North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns – The Hacker News

The US FBI issued a statement indicating that individuals linked with North Korea could make efforts to convert pilfered cryptocurrency valued at over $40 million into actual funds. They attributed the blockchain activity to TraderTraitor, aka Jade Sleet. Read full article.

7. CISA Adds One Known Exploited Vulnerability to Catalog – CISA

CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability has been added. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Highlighting Women in Cyber for Women’s Equality Day

Interview with DarkOwl’s Caryn Farino and Steph Shample

August 28, 2023

For the second year in a row, in honor of Women’s Equality Day this past Saturday, August 26th, the DarkOwl Marketing team interviews our Director of Client Engagement, Caryn Farino, and Senior Intelligence Analyst, Steph Shample. Last year, we sat down with Chief Business Officer, Alison Halland, and Director of Technology, Sarah Prime – check out that blog here. DarkOwl is very proud of our women in leadership and in the workforce, with 45% of our staff being female, and strives to continue to build a balanced workforce with the most talented and effective team possible.

Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Team

To commemorate Women’s Equality Day, DarkOwl’s Director of Marketing, Dustin Smith sat down with Caryn Farino, Director of Client Engagement and Steph Shample, Senior Intelligence Analyst for a candid interview about working in the cybersecurity industry.

Editor’s Note: Some content has been edited for length and clarity.

The (ISC)2 2022 Cybersecurity Workforce report reported that pathways to cybersecurity are changing, “Traditional habits are being broken and diverse perspectives are entering the field, as the next generation uses new pathways to jump-start their careers.” (ISC)2 estimates the global cybersecurity workforce in 2022 at 4.7 million, an 11.1% increase over 2021, but still reports a gap of 3.4 million cybersecurity workers worldwide, a 26.2% year-over-year increase.

Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber?

Caryn: I did not. I am definitely one of those individuals that fell into cyber by accident. I was working at a small firm conducting corporate due diligence research, when our clients started asking us for assistance with investigations into individuals who were causing them problems online. I found that the skill set of identifying problems in someone’s background translated really well to uncovering someone’s digital footprint and tracking that anonymous person’s activity. Those one-off research projects blossomed into a full career tracking threat communities and helping clients mitigate the biggest risks to their organizations and their intellectual property.

I would say this career has provided me with a lot of exposure to the different aspects of the cyber world, which includes both open and closed source intelligence, brand protection, insider threats, anti-piracy, and even physical investigations. Now I help DarkOwl’s clients use the darknet to feed their security programs.

Steph: That’s such a great answer. I did not always want to be in cyber, but I can’t imagine not having ended up here. I was also accidental. When I started off, my entire career was based on foreign language translation, so I was a translator for the US Army and then ended up at the Department of Defense. Everything was dictated by what languages I spoke, and I’d spent two years in Afghanistan fighting terrorism and narcotics and weapons smuggling. I always concentrated on physical aspects of the mission.

And then, when cyber capabilities started to emerge in the world, those of us who could speak foreign languages were needed: What are these people saying? What are they doing online? And it was interesting for me because as a Farsi linguist with Iran, we don’t have a lot of physical interactions with them. You know, we can’t really meet up. We don’t have diplomatic representation. We knew they were in Afghanistan in certain places, but that was it, that was the extent. But in cyber, they are all over the place. They are in every chat room and stealing intellectual property and stealing weapons manuals and all of this. So that was really interesting to have the digital and physical, kind of hybrid instance, where we could finally see that. I learned even more about Iran and started understanding their cyber capabilities.

So then I left the government and I went commercial in 2019, and I have done everything from OSINT [open source intelligence] to ransomware campaigns, tracking IOCs [indicators of compromise] and now really following the space with the hybrid conflict, which is where maybe there’s a DDoS [distributed denial of service] attack over one place because they’re physically attacking everything like on the border of Syria or in Iraq, where there’s kind of sectarian violence. So, I love cyber, and it’s everywhere and it’s contributing to a lot bigger conflict space.

Has working in this field dispelled any misconceptions you had about your own abilities or interests?

Caryn: For me, it definitely has. I always joke that I do not actually consider myself a technical resource. However, I find I’m able to bridge the gap between the technology and the business side of the house based on the kind of exposure I’ve had during my career. I was an analyst with a business background. It surprised me that in a lot of meetings people are often making false assumptions about what everybody else understands in the room. And I really enjoy working cross-functionally with those teams and making sure that everyone understands the problems, the solutions, and the course of action from the security teams and through legal recourse.

Steph: I also was floored with the opportunities in cyber for people who are not “on the wire”, don’t program, don’t code. It really requires every kind of thinking and every kind of background, especially analytical. And, you know, Caryn’s exactly right. I think what we might share there is we have to take what we witness and see in our day to day and translate that to every entity of a business, right? Cyber actors are going to target HR [human resources] and finance with personal information all the way up to the C-suite. So, you’ve got to be able to explain and make your case for why we need tools, resources, analysis and how we can protect ourselves as well as our industry, starting with every level employee of every company. It really does require every kind of background and every kind of personality and every kind of skill set. And it’s wonderful to see them all meld together, especially now that AI has come into the picture. That’s going to require even more creativity and divergent thinking. It’s really exciting to be in the space at this time.

The (ISC)2 2022 Cybersecurity Workforce report found that 43% of organizations reporting a shortage of cybersecurity staff attributed it to being unable to find enough qualified talent. Other main reasons included not prioritizing cybersecurity and not training staff sufficiently.

Can you talk about your professional development? What courses or certifications would you recommend? What advice would you give to a woman who is at the entry-level in the cybersecurity industry? 

Steph: There are a lot of groups being established. For women especially, I would join WiCyS, a women in cybersecurity group – there are chapters all over the country. There’s also a national chapter. I would be happy to be that point of contact – feel free to contact me on LinkedIn, I’d love to get people set up. And then there’s also Women in Security and Privacy [WISP]. Two different groups with national chapters and they sponsor conferences. There are scholarships for SANS courses or certificates as well. It’s really wonderful to have those resources.

And then I would say, just put yourself out there. There’s always going to be naysayers. There’s always going to be people who tell you that you don’t belong in any industry… ignore it. And I know that’s hard. But as you get used to ignoring it and as you build yourself up, lean on your crew, right? Lean on your coworkers. Lean on those women’s groups. Lean on any group that wants to support you. And for entry-level, you just have to be curious. If you are somebody who needs routine and does the same thing every day, cyber might not be your calling. You’ve got to be curious. You’ve got to be constantly wanting to learn.

Also, start off with CompTIA Network+ and Security+ – they’re easy courses that you can do on your own time. They provide guides and visuals and manuals. It really is a good way to introduce yourself by fire hose to basic security concepts to see if cybersecurity is for you. And those ones are not as expensive. If you decide to stay in the space and in the industry, it is worth going after a SANS course. They are pricey, but they are very hands-on, and you will apply them to your job. Those are some of the courses that you can do. And for the SANS courses, use those websites or the women in cybersecurity scholarships or opportunities.

Caryn: I definitely don’t want to undervalue certificates, but I’m a big believer in more of that hands-on experience as the best method for learning. Those cybersecurity courses, especially the ones that Steph mentioned, are so important to build the foundation in this space. And I’m sure we’ve all read Michael Bazzell’s books and done his courses. However, the tactics used by these criminal organizations are constantly changing, so it’s really important to embed yourself in those real life situations and investigations and learn as much as possible from them. I encourage everyone to get involved in as many different types of cases as possible within your organization and really embed yourself in the start to finish of working a case.

The other thing I do outside of that is I regularly listen to a variety of cyber podcasts so I can hear what others in the industry are experiencing and make sure I understand those different issues. So when we’re working with our clients, I know what they might be going through that may be unique to their space.

As for the advice portion of what I would give to somebody entering into the cybersecurity industry – find a mentor, somebody who can help guide you through your career. And don’t be afraid to fail. I know for me, personally, most of the biggest wins I’ve had in my career have come out of my biggest fails. They were incredible opportunities for me to learn. Lastly, we want to make sure that we are getting different viewpoints and looking at things from different angles. So the other advice I have is to listen just as much as you contribute during these conversations.

Steph: She brings up amazing points on that. In cyber, you’re going to be wrong, right? I know in medicine and science and other fields, they’re very unforgiving and the preciseness is there because it has to be. But in cyber, the actors and the people you’re working against to keep yourself safe, they’re setting you up for failure. They want you to be wrong and they’re trying to mislead you. And she’s exactly right. You’ve got to be resilient and bounce back from that. That’s a great point.

The data from the 2021 Cybersecurity Workforce study from (ISC)2 suggests that a reliable estimate of women in the cybersecurity workforce globally remains at 25%. The (ISC)2 2022 Cybersecurity Workforce report states that 57% of organizations are investing in diversity, equity, and inclusion initiatives to decrease staff turnover and narrow the gap.

What is it like as a woman working in the cybersecurity industry? Are there any challenges or advantages to working in a male-dominated industry?

Caryn: I feel very fortunate to work at DarkOwl as this company really empowers their female staff. It’s not like that everywhere. I have been in so many situations where I am the only female voice in the room, but I don’t really want to feed into that gender bias. I think the biggest challenge we face as women in the industry is overcoming that imposter syndrome, right? So that feeling that we don’t belong. We do belong and I want to keep stressing that different perspectives are often the key to solving these complex issues we face. And as a whole, I want to see more diversity, not only in the cybersecurity space, but also at the management level and above at companies. I think women will really be surprised how receptive anyone, not just males, are to their thoughts and ideas if they’re choosing to participate in areas outside of their comfort zone.

Steph: She’s right. It’s not just a gender thing. There’s conflict in every industry. What’s really hard in infosec and cyber is that it started off male dominated, and the interest and the push early on for math, science and STEM was more for men. And it was just accepted in society that women can have careers, but cyber and networks and computers really are a man’s world. And that’s categorically false.

I will say in the military intelligence community, I really didn’t experience a ton of male versus female conflict or sentiment. In the military, you all suck it up and suffer and experience together, in Intel at least. I’m not saying women in other fields like Infantry, Artillery, and more don’t experience misogyny – they do, let me recognize my sisters in uniform for that. But intelligence is different. I did see more inappropriate behavior and open hostility towards women emerge when I came into DOD cyber and the commercial infosec world. But I do think that the message has been received: women are pushing back, standing up for themselves and one another.

I, too, would like to shout out DarkOwl. When I was looking to change jobs and looked at the org chart for this company, I was blown away at women’s leadership because I will tell you, in previous jobs, there were no women above a team lead, if that. There were no women execs, no VPs, nothing, and I would be lying to you if I said at times I had thought of leaving cyber because it just seemed like I was running myself up against a brick wall where you were just getting shot down and shut down. And that’s hard. That takes a toll on you. I know of companies where they won’t even let people acknowledge days like this, the reason we’re doing the interview, and they wouldn’t acknowledge International Women’s Day in March.

Slowly, that is changing. And how do we combat that? Nominate women for conferences, push them to present, get out there publicly. Caryn made a great point about mentorship. Male or female, have a mentor. When I first started, I had a technical person on every single project that I would go to and say, “Where am I wrong? Can you sanity check me? What writing do I need to change?” And that is how you’re going to learn, when you find that constructive criticism. We need to stick together.

Caryn: It’s definitely our responsibility as women to help bring other women up with us. We don’t want to be in the position where we’re not part of the solution. We want to empower other females in our organization and our industry.

Steph: Let me add to that, too. I was really fortunate. The very first boss that I had in cyber in the DOD was a male, and I went to him and said, “Are you sure I belong here? Like I can barely work a computer. You positive?” He sat me down and built me up and then put me on special projects to help me learn. And then when I was thinking about grad school to up my credentials because I was hooked by cyber, he had done the same program and I went to him and I said, “Do you think I can hack this program? Do you think I can do this?” And he was like, “absolutely”. And that was seconded by my husband. So I want to say, I have really great male role models. And there are men in WISP and it’s wonderful. So we’re getting there.

What do we not understand about cybersecurity as a field and its job opportunities? What does cybersecurity mean to you?

Steph: I think there is a community failure of understanding how many different perspectives it takes to make sense of cyber. That’s because you need the people who are on the network speaking only ones and zeros, you need the people who can speak mainly to computers and make them “do” and build the tools that we need. But we also need translators, etc. At a conference last year in Saudi Arabia, I was floored that the biggest topic of conversation was the cyber psychology of online actors. Why do people act the way they do behind the scenes? Why do they act one way on the computer and then differently in public? There’s a whole emerging neuroscience and psychology aspect behind cyber criminal actors.

Furthermore, geopolitics enters into this in a huge way. We are now seeing, of course, people take sides with Russia and then people take sides with Ukraine. And you have to understand why entities come after American or Western businesses or go after Five Eyes businesses to try to hurt them because of the geopolitics physically playing out. And then we’re also seeing that in Syria, where there’s all kinds of different interests and entities and sectarian violence. The amount of expertise required cannot be overstated; you have to have a mixture of thinking, you have to have thought groups collectively working together.

This year, actually just at Defcon and Black Hat, the public-private partnerships are essential. Maybe back 30, 40 years ago, the military was considered perfect at conflict, no one else contributed. Doctors were doctors and that was their expertise. Cyber doesn’t silo everything like that. Cyber requires every perspective to have an informed and intelligent conversation and adequate problem solving. We need academia, we need government, and we need the commercial sector. We truly need everybody from all backgrounds.

Caryn: 100% agree with that. Cybersecurity nowadays is just a very broad term and it encompasses so many different aspects. I think a lot of people still look at cybersecurity from the vulnerability management perspective and the hacker in the basement, right? But organizations have to worry about so much more because not only do you have insider threats and external threats, but then you have these unintentional threats. And they are really your biggest weakness, in my opinion. That is going to be those non-malicious events where an employee exposes an organization by reusing a password, accidentally sharing IP [intellectual property] to a public facing system, or clicking on a malicious link. There are just thousands of human error type activities out there, and they’re really difficult for this industry to account for. So for me, cybersecurity is really more about the OPSEC [operations security]. That opens up so many different career paths.

Steph: I have to pivot off of that because she again makes wonderful points. So you have the practitioners who are working against the malicious forces. But she’s [Caryn’s] exactly right. There are people who are just in this operating day-to-day and to them it’s benign, they don’t realize that they’re exposing themselves or their families. So kids on Facebook accidentally posting vacation pictures open up targets of opportunity. An employee who just wants to maybe get good press for their company and doesn’t realize that what they’re exposing is personal or sensitive information, corporate speaking. So that is a risk. There is, of course, the malicious factor, but the human factor is what everybody talks about. It takes a human to click on a spear-phishing link. It’s a human to post accidental information. So everybody, I think, sees cybersecurity and cyber and thinks of a computer and they think networks, they think “I have no part to play in this.” The human element will never, ever go away, even with AI. Cyber is so broad and I think we’re only a decade into this, but now we’re going to have specialties. People are going to step up and say, “I’m an AI expert. I’m a crypto expert. I can talk about the blockchain and smart contracts and the underlying tech. I can talk about cyber psychology compared to human psychology.” So it’s just an endless opportunity for cybersecurity. It’s going to keep broadening.

Caryn: I want to make one more point to wrap this up. It’s important for organizations to have that holistic view of their threat landscape, because as cybersecurity professionals, we not only have to consider the inside perception of what is most damaging to our organization if it’s exposed, but also the consumer perception. So what do people outside your organization perceive as the most valuable data to obtain from you? Make sure we’re looking at it from both perspectives. A lot of people just want to batten down the hatches and protect their networks, but they’re not really considering what those outsiders are looking for – you know what your organization’s crown jewels are, but that might not be what somebody else is going after. So it could be that they’re going after your financial data, not your intellectual property. No one is immune anymore. And that human error component I mentioned earlier is really evident on the darknet.

At DarkOwl, we’re regularly seeing the results of those social engineering and phishing campaigns that result from those kinds of attacks. The education piece is really important here: is your operational security and training for your staff and your family members at the same level? Steph mentioned earlier that if somebody has sloppy OpSec [operational security] outside of your organization, the chances that they’ll have sloppy OpSec inside your organization increase. And we really want to make sure that people are approaching it in both directions. So my last comment here would be to really encourage all organizations to make sure they have a comprehensive monitoring program that includes a variety of data sources, including darknet data.

Key Takeaways from Caryn and Steph’s Perspectives

There is no perfect background or one way to have a successful career in cyber. Individuals interested in a career in cybersecurity need, above all, curiosity and determination. Individuals should not underestimate their potential to contribute to the cybersecurity realm. The diverse array of skills required to tackle current and future threats necessitates a range of expertise and backgrounds.

Efforts to bridge the gender and representation gaps in the cybersecurity field are underway, but these disparities do still exist and women need to continue to raise each other up. As always, it is important to look into an organization and make sure that they align with your own beliefs, morals and goals – if these align, it will be so much easier to be a supportive, hardworking and happy employee, no matter what field or role you are in.


[Developing] Updates on Wagner Group from the Darknet

Last Updated August 28, 2023 – 9:00 EST
August 28, 2023 – 9:00 EST

Over the weekend, on Sunday, it was reported that Russian investigators officially stated that genetic tests confirmed Yevgeny Prigozhin was in fact on the plane and a victim of the crash. As mentioned in the previous posting, conclusions should not be made until a source outside of Russia has also confirmed the death. More can be read on the Russian investigators’ statement here.


August 25, 2023

The life of Yevgeny Viktorovich Prigozhin, leader of the Russian mercenary group Wagner, reportedly ended on 23 August in a plane crash outside of Moscow near Tver, Russia. The world witnessed Prigozhin try to undermine, betray, and even overthrow Russia’s Vladimir Putin when he orchestrated a coup in June 2023. Anyone following Russian geopolitics knows that even questioning Putin earns a jail sentence or torture session; to openly declare mutiny against Putin and march on Moscow almost certainly sealed Prigozhin’s fate, with many in the global community expecting an announcement of Prigozhin’s death sooner rather than later.

However, there is another more complicated, vague aspect to this. Russia is one of the most sophisticated intelligence actors in the world. Putin himself, as a former high ranking KGB intelligence officer, has crafted successful intelligence operations his entire life, even after leaving the KGB. Is all this a distraction, or a ploy to mislead the West, and those who support Ukraine? Prigozhin is only suspected to have been onboard the plane. It is not outside of the norm or capability, in Russian intelligence operations, to falsify a plane’s passenger manifest. Much of the global community was surprised that Prigozhin stayed alive as long as he did after his declared mutiny, and furthermore, taking “refuge” in a Putin-sympathetic country, Belarus, was also questionable. Many think that Prigozhin and Putin were working together to stage this event, and that same suspicion surrounds Prigozhin’s purported death.  

DarkOwl analysts outline chatter on the darknet and darknet-adjacent sites using DarkOwl Vision and will continue to do so as developments occur.

What is Russia’s End Goal?

In 2019, rumors also circulated about the death of Prigozhin, and it too was purportedly caused by a plane crash. Until there is cemented intelligence and pictures from outside of Russian sources, this entire event and its surrounding circumstances should be considered unconfirmed. Prigozhin has multiple passports, and even has body doubles that travel for him to remain elusive and shrouded in mystery. On Telegram channels, speculation surrounding the Prigozhin event is running rampant, even within the Wagner channels:

Figure 1: Conspiracy theorists on 4Chan debate who was involved in causing Prigozhin’s death; Source: DarkOwl Vision
Figure 2: Additional theories circulate regarding the actual reasons for the death of Prigozhin; Source: DarkOwl Vision

Regardless of the final outcome of Prigozhin, what happens to Wagner now? Whether dead or alive, Prigozhin will likely not publicly lead Wagner.  

Figure 3: Telegram chatter speculating what the next steps of Wagner might be; Source: DarkOwl Vision

Emotional outpourings and memorials have also popped up, both within and outside of Russia, demonstrating some sympathy for Wagner members: 

Figure 4: A telegram post detailing memorials for Prigozhin and Utkin; Source: DarkOwl Vision
Figure 5: More chatter and commentary about the memorials for the likely deceased Wagner members; Source: DarkOwl Vision

Speculation Runs Rampant

Speculation is rampant among the community following Wagner: 

  • Will they completely disband? Not only was their number one leader possibly killed, but reportedly, Wagner’s number two, Dmitriy Utkin was also onboard the plane, and presumed dead along with Prigozhin. A top aide of Prigozhin, Valeriy Chekalov, is the third rumored high ranking Wagner member on board. In addition to the high ranking Wagner members, other suspected Wagner mercenaries were also reportedly on board. The exact number is not confirmed as the passenger manifest is still being compared to the Wagner member manifest. 
  • Will Wagner exact revenge against the Kremlin? Prigozhin and several Wagner members were openly critical against Russia’s handling of the war in Ukraine. The death of several members could galvanize support for a bloody Wagner rebellion, especially since the Ukraine war is not going in Russia’s favor. 
  • Will Wagner move operations completely? Perhaps they abandon the risky area of operation, which is Eastern Europe. Russian personnel are all over that area. Belarus, which was temporarily Prigozhin’s safe space after his attempted mutiny, is led by Putin friend and sympathizer Alexander Lukashenko. Wagner already has several African strongholds: Libya, Mali, Sudan, and the Central African Republic (CAR). Shortly before his death, Prigozhin even encouraged Wagner to move operations and all focus to Africa. This is a strong possibility, and a potential safer area of operation for Wagner. 
  • On the complete opposite spectrum, perhaps Wagner will establish a stronghold in Belarus. They are still present in the country in large numbers. Belarus has also acted as a staging area for Russian troops during the entire invasion of Ukraine, with trains, military members, and weapons often originating from Belarus before going into Ukraine. Russian and Belarusian ally Iran also has a footprint in Belarus, and could assist with Wagner operations. 
  • Who will replace Prigozhin? 

Monitoring the Situation

DarkOwl is closely monitoring the official Telegram channels of the Wagner group to see what unfolds after the crash that claimed the lives of multiple Wagner members. While rumors emerged that Wagner would be quick to avenge Prigozhin and act against the Kremlin, DarkOwl does not see any reflection of this chatter in the Wagner Telegram channels. They are instead urging caution and waiting for official reports to confirm the death:

Figure 6: Official WAGNER Telegram channel cautions waiting for the official announcement regarding Prigozhin’s death, intimating even Wagner members do not yet believe the incident is complete; Source: DarkOwl Vision


How Cyber Criminals Exploit AI Large Language Models like ChatGPT

August 24, 2023

Artificial Intelligence (AI) has become a popular topic recently with the launch of ChatGPT and Bard. In this blog, DarkOwl analysts explore how it is being used by cyber criminals.

Criminal discussions around AI chat bots like ChatGPT do not discuss creating new AI systems from scratch, but rather building from current language models and finding ways to bypass ethical standards around prompting. Cybercriminal applications of ChatGPT and other AI applications are still in their infancy, and our assessment will continue to evolve as the technology and its varying applications evolve.

Despite increased media coverage of fraudster AI chat bots like WormGPT, FraudGPT, and DarkBard, there is skepticism within both the underground cybercriminal community and the threat intelligence community that the output from these fraudulent chatbots is effective as it still appears to be rudimentary. While services like WormGPT and FraudGPT can be effective for generating phishing campaigns, we have also observed darknet users discuss ChatGPT in a non-criminal manner such as automating pen testing tools.

Jailbreaking ChatGPT

DarkOwl analysts searched our Vision UI database and found over 2,000 results mentioning “jailbreak” AND “GPT” across various darknet forums, marketplaces, and Telegram channels. The number of results returned for this search was significantly higher than when searching for “WormGPT”, “FraudGPT”, or “DarkBard.” We have recently observed, in various formats, discussion of “jailbreaking” ChatGPT to bypass ethical standards around prompting in order to engage in various activities.

One example, as seen in figure 1 below, is from the hacking forum called Crax.Pro, where a user titled a thread as “[GPT 4] WORKING PROMT JAILBREAK.” The user, Sadex, initially shared a link to a video tutorial allegedly instructing one how to “jailbreak” the prompt for GPT 4. Other users commented and validated that the video tutorial was effective, claiming: “Yoooooooo!!!! This is so legit thank you so much.”

Figure 1: Source: DarkOwl Vision

In another example, a Breach Forums user inquires how to jailbreak ChatGPT and claims tools like WormGPT are a scam. Another user suggests using a fraudster chatbot service called EvilGPT, which is similar to FraudGPT:

Figure 2: Breach Forums users discuss jailbreaking ChatGPT

DarkOwl analysts have also observed members of extreme right-wing militant groups in the United States discuss jailbreaking ChatGPT to bypass “censorship.” One Telegram group chat shared links to a video tutorial for jailbreaking ChatGPT:

Figure 3: Telegram users discuss jailbreaking ChatGPT; Source: DarkOwl Vision 

However, DarkOwl analysts have also observed the underground community discuss bypassing the ethical standards around GPT prompting to automate pen testing tasks. One GitHub repository is GreyDGL/PentestGPT. PentestGPT describes itself as “A penetration testing tool empowered by Large Language Models (LLMs). It is designed to automate the penetration testing process. It is built on top of ChatGPT and operates in an interactive mode to guide penetration testers in both overall progress and specific operations.” PentestGPT is like WormGPT in that both are building off previously created language models.

Figure 4: Above screenshot taken from the PentestGPT GitHub repository

Fraudster Chatbots Exchanged on Darknet Marketplaces, Forums, and Telegram 

FraudGPT

FraudGPT is an AI chatbot that uses popular language models created by Google, Microsoft, and OpenAI and strips away any kind of ethical barriers around prompting the AI. Thus, tools like FraudGPT are commonly used by fraudsters and cybercriminals to generate authentic-looking phishing emails, texts, or fake websites that can fool users into sharing PII.

A recent advertisement on carding forum Carder.uk was allegedly selling a FraudGPT service for $200 USD monthly or $1700 USD annually and includes the following capabilities:

Figure 5: Carder UK user advertising the FraudGPT service 

Despite the proliferation of fraudster chat bots being sold on darknet forums and markets, some users are skeptical of the price of tools like FraudGPT. In the below screenshot from the predominantly Russian speaking cybercrime forum, XSS, a user discourages others from purchasing FraudGPT as recently as 8/7/2023 and claims to be able to provide proof as to why the service is ineffective:

Figure 6: XSS user criticizes the effectiveness of FraudGPT 

WormGPT

WormGPT is an alternative fraudster chatbot originally discussed on Hack Forums in March 2023. It only recently started being sold on various darknet forums and marketplaces as of June 2023. Recently, the 2021 GPT-J open-source language model was leveraged for creating this hacker chatbot. WormGPT reportedly writes malware using Python. The user known by the moniker CanadianKingpin12 (also previously known as canadiansmoker) has been observed selling access to WormGPT across various cybercriminal forums and marketplaces.

Figure 7: CanadianKingpin12 advertisement on Club2Crd carding forum

The above screenshot shows the user, CanadianKingpin12, selling the FraudGPT service on a well-known carding forum called crd2club.

CanadianKingpin12 has recently gained quite a bit of attention in the media for their involvement in advertising GPT fraud services (FraudGPT, WormGPT, DarkBard, DarkGPT) on various forums and markets such as Club2Crd, Libre Forum, Sinisterly, and Kingdom Market, including listings for ChatGPT Fraud Bot and WormGPT. The following screenshot shows CanadianKingpin12 selling 12-month access to a ChatGPT Fraud Bot for $70 USD on Kingdom Marketplace.

Figure 8: CanadianKingpin12 selling Chat GPT Fraud Bot on Kingdom Marketplace – this post was removed from the actual marketplace; Source: DarkOwl Vision

DarkBard

DarkBard is yet another alternative fraudster chatbot, but less popular than those mentioned above, that is also being sold by CanadianKingpin12. The following screenshot shows CanadianKingpin12 selling access to yet another fraudster AI chat bot, DarkBard, for $100 a month on the hacking forum called Demon Forums.

Figure 9: canadiansmoker (aka CanadianKingpin12) selling DarkBARD on DemonForums; Source: DarkOwl Vision 

Conclusion

CanadianKingpin12 is also tempting users with “DarkBART” and “DarkBERT” advertisements. Purportedly, these tools trained completely on Dark Web lexicons will be more sophisticated than the aforementioned bots and can also integrate with various Google services to add images to output, instead of offering text only output. Researchers also anticipate eventual API integration, further fortifying and automating cybercrime efforts. DarkBERT is also the name of a benign LLM developed by Korean researchers. CanadianKingpin12 claims to have access to this LLM, using it for the foundation of the malevolent tool. DarkOwl analysts are unable to verify these claims, as South Korea claims DarkBERT is only available to academics.

As AI emerges, its use cases, both legitimate and criminal, will continue to evolve. This is the nature of technology – as tech emerges, so too do legitimate and fraudulent use cases. Companies must start a proactive response to newly generated fraud and scams powered by AI, chatbots, LLMs, and anything else that lowers the barrier to entry for cybercriminals to attack.


Copyright © 2024 DarkOwl, LLC All rights reserved.