Last weekend, REvil’s “Happy Blog” went offline for the second time in less than six months. Instead of the blog Tor service simply not responding to an HTTP request, the page instead displayed the default 404 error displayed by the nginx webserver. According to a REvil representative the ransomware-as-a-service (RaaS) organization’s Tor domain was “hijacked” using the private keys of the domain held by REvil’s previously public-face “Unknown” (who also operates as “UNKN”).

DarkOwl reviewed the group’s history and latest posts about the hijacking and determined that since returning, REvil’s reputation was in jeopardy and many darknet users and RaaS community members suspected the group had been compromised by the FBI.

“This Page Is Not Found”

Last weekend, Tor users anticipating to connect to the legendary Happy Blog hosted by the infamous REvil RaaS gang, received the default 04 error page for nginx webservers on Fedora, indicating the Tor onion services run by the REvil operation were compromised and corrupted instead of simply taken offline by disconnecting the servers from the network.

The page read:

"nginx error! The page you are looking for is not found. Website Administrator Something has triggered missing webpage on your website. This is the default 404 error page for nginx that is distributed with Fedora. It is located /usr/share/nginx/html/404.html You should customize this error page for your own site or edit the error_page directive in the nginx configuration file /etc/nginx/nginx.conf."

An Insider Job?

In a post titled, “У REvil угнали домены” [Translated: REvil’s domains were stolen”], REvil’s current spokesperson – the persona behind the moniker 0_neday on the darknet underground forum XSS – stated the server had compromised using UNKN’s (a.k.a. Unknown and REvil’s previous representative) private Tor service keys. “To be precise they deleted the path to my hidden service in the torrc file and raised their own so I would go there”.

0_neday went on to further state that the group presumed Unknown had “died” earlier in the summer, when the group went offline in mid-July shortly after the Kaseya supply chain attack successfully encrypted thousands of networks when its ransomware spread through a software auto-update.

There are a number of conflicting theories why REvil disappeared less than a month later.

REvil’s Mysterious Disappearance in July

REvil’s services mysteriously shutoff the Tuesday following a late “Friday phone-call” between US President Biden and Russian President Vladmir Putin, during which REvil and the global ransomware epidemic was reportedly a subject of their conversation. The information security community has theorized any number of reasons the services disappeared after this call:

a.   The US launched an offensive cyber campaign directly against REvil – possibly using sophisticated intelligence or USCYBERCOM resources – and brought the gang’s services offline.

b.   President Putin directed REvil to shut down their operations in response to the conversation he had directly with Biden, where Biden stated he would hold Russia responsible for aiding and abetting the threat actor’s actions on Russian soil.

c.    REvil was feeling the “heat” and international pressure after a series of high-profile attacks, some of which included US military targets. Perhaps the group’s operators voluntarily “took a break” from their ransomware operation.

d.   REvil leader, UNKN “exit scammed” emptying the gang and their affiliate’s cryptocurrency accounts and disabled their Tor services using their administrator privileges.

Reporting from the Washington Post suggested the US was not behind the July shutdown, as some had hypothesized, citing government sources. No “seizure banner” was evident when the Tor services went offline as has historically been the case when law enforcement take down darknet marketplaces. The FBI’s Director, Christopher Wray testified in front of Congress stating how they do not make decisions unilaterally but work directly with allies and other agencies on such matters. The FBI was strongly criticized for their delay in providing a universal decrpytor key for the REvil ransomware after the Kaseya attack they had allegedly obtained.

The FBI provided the key to Kaseya nineteen (19) days after their networks were compromised and a week after the REvil infrastructure went dark. The key was reportedly obtained through direct access to the servers of the REvil operation.

In mid-September, BitDefender announced they had developed a “free universal decrpytor” for the REvil/Sodin ransomware strain in circulation prior to July 13th. According to BitDefender’s blog and social media posts, the decrpytor was “created in collaboration with a trusted law enforcement partner.”

This announcement was the source of many a controversial discussion across darknet malware forums.

REvil’s Return in September

According to the DarkOwl Vision darknet data records, REvil’s Happy Blog returned after their summer hiatus the first week in September 2021. Shortly after the blog was back online, new victims were quickly announced.

Surprisingly, in early October, DarkOwl analysts observed the REvil team sharing a link to RAMP – another ransomware focused forum – announcing that REvil was active on the new Groove ransomware backed forum. RAMP, hosted on a Tor domain previously owned and operated by the Babuk RaaS gang, emerged after many darknet underground forums “banned” ransomware related discussions last summer.

This behavior was noteworthy as REvil had historically not shown any affiliation with other RaaS groups, making their endorsement of RAMP unusual to many in the darknet.

Complex Cast of Characters

Unknown/UNKN

Unknown/UNKN was the original spokesperson for the REvil gang when they first branded as Sodinokibi in early 2019. They spoke with measured cadence and subtle humor. One of their last posts was early July after the Kaseya attack, where they simply shared a video of a typical older, angry Russian gentleman.

The admin from XSS banned Unknown’s forum account on July 8th, the week in between the Kaseya attack and the REvil servers were shutdown in July. It’s unclear if the justification was retribution for ransomware (as the topic was banned from the forum at that time), or the admin knew something else was awry.

In May, Unknown announced they were going to leave XSS, have limited activity on their account on exploit.in, and move their discussions to “private.”

At the time of their account ban, Unknown had 0.0022 Bitcoin in escrow on XSS.

0_neday

0_neday emerged as a representative of REvil on XSS after users evilcore and Lockbitsupp challenged the origination of the REvil decryptor key released by Bitdefendor on the public forum. They created their account earlier this month on October 5, 2021, depositing a significant amount of Bitcoin (i.e. account value of 1 BTC in escrow or approximately $50,800 USD on 10/5/2021) to legitimize their status. On October 12th, 0_neday posted on evilcore’s XSS member profile, “my boss agreed to offer you a 10% discount” suggesting 0_neday is a front for someone much more authoritative in the REvil gang. This contrasts with a claim they made a few days later that only he and Unknown had private keys to the Tor onion service domains. As of 19 October, 0_neday indicated they were leaving the forum, signing their last post with

[Translated] “Good luck everyone, I’m off.” 

evilcore

evilcore is a relatively long-time user of XSS with registration on the forum in late 2018. They claim they have no connection to any ransomware gang, but vocal in criticizing the operations of the groups, especially most recently REvil. They posted a comment to 0_neday’s thread this week about REvil’s domains getting stolen suggesting the leak of the decryption key was intentional and the entire infrastructure was merged and not compromised by Unknown as indicated, with a bit of “told you so” attitude and stark warning for users not to get fooled.

[Translated] "Ahaha)))))

fuck, I told you that they merged the entire infrastructure))))) and you didn't believe. I'm not a competitor and I don't care, they just really leaked the keys! people don't get fooled." 

evilcore have been vocal against the legitimacy of REvil since they reappeared in September and the story that supposed a REvil developer “misclicked” accidently releasing the decryptor key. In a comment on a thread titled, “Атака вымогателей на больницу привела к гибели ребенка” [Translated: “The ransomware attack on the hospital led to the death of a child”], evilcore closes with [Translated: “where is UNKN?”] after claiming the FBI likely had control of REvil’s admin panel.

[Translated] "0_neday do the rebranding:) and I can bet on 5 bits, but the point is) the conversation was about backdoor keys, I gave evidence that the backdoor key had nothing to do with it, it started about fictional gspch misklik checkout and - there it was already clear that the FBI had taken the admin panel.

Where is UNKN going???" 

The controversial October 12 thread continued with bickering between directly between 0_neday and evilcore, with LockBit’s forum representative, LockBitSupp, and forum users, 1MG, and ev4ng3liya, chiming in including critiques of REvil’s desperation to draw in affiliates with a 90/10 percent split – unheard of in the RaaS industry. evilcore eventually even accused 0_neday of being FBI.

LockBitSupp

LockBitSupp is competitive RaaS gang, LockBit 2.0’s public representative on the XSS forum. This alias is also active for the same group on another darknet forum, exploit.in and highly critical of REvil, stating they had recruited many REvil affiliates due to their lousy partner programs (PP).  On exploit, they added lengthy posts with concerns that REvil had been compromised by the FBI and that the current REvil coders and affiliates needed to be checked to verify their allegiance to the RaaS industry:

[Translated] "In connection with the above, I propose to check the coders who are now allegedly running the REvil affiliate program, for example:

- so that they somehow showed the locker source codes through the same TeamViewer or AnyDesk and made a test build from the source, providing this build to the public for reverse and comparison with old builds;

- so that the coders show the history of correspondence with the former management;

- any other evidence that will allow us to verify the coders and show that they are not undercover FBI agents.

Verification can be entrusted to any independent and authoritative people on the forums, for example, those who do reviews of malware."

They concluded their post with the realization that if the FBI has infiltrated the REvil RaaS gang or their affiliates, that the damage to the advertisers was far less than the suffering caused to “our cozy and warm community.”

REvil brand trustworthiness continues to decline

In late September, darknet forum users began expressing concerns over REvil’s unpredictable and scandalous behavior. One exploit user, Signature, claimed they had evidence that REvil had installed a “cryptobackdoor” which allowed REvil operators to take over negotiations between their affiliates and their victims, usurping ransomware payments thereby scamming money from their affiliates. It’s unclear how long this backdoor existed – some researchers state the backdoor was present for months, but removed from the September codebase.

Signature had launched a previous dispute on the forum with REvil’s UNKN in May 2021, when they claimed they had been contracted to provide network access to REvil victims, Quanta and Apex, and was never paid their 7 Million USD for the work provided. The thread resulted in a gross airing of RaaS dirty laundry to the public with private chats from qTox shared on the forum thread.

Up until last weekend, REvil had been active on the same Tor v3 domain address for over 22 months, excluding their summer vacation and active in the ransomware market since April 2019. Most RaaS groups change addresses regularly and even rebrand with new logos and aliases to maintain their operational security.

EvilCorp RaaS gang’’s representative on the XSS forum suggested REvil should have rebranded a long time ago. In the most recent thread of the REvil domain hijacking, user Krypt0n, admittedly late to the conversation, stated it was stupid for REvil to return in September to the same Tor domain address with the same keys. They added there was no way for REvil to restore their reputation and status achieved by UNKN.

Despite the fact elite hacker forum members can easily spot law enforcement and rippers, REvil’s brand is renowned and other copycat services will likely emerge in their likeness. In November last year, DarkOwl detected a non-REvil related domain advertising they were the “REvil Team” and were offering to sell Managed.com’s website hosting company’s database.

The REvil imposters included a protonmail.com e-mail address for contacting them and the domain was online for barely a month.

DarkOwl will continue to monitor this situation as it develops.

Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

DarkOwl has recently discovered a cyber-criminal group offering to hack hospitals located across the European Union (EU) to access and falsify vaccination records for willing buyers on the darknet.

In contrast to the paper-based vaccination cards that continue to be the standard across the United States, the EU recently launched a “Digital COVID Certificate” that features a mobile app for quickly verifying one’s COVID vaccination, PCR testing, or virus recovery status. The EU’s program features a QR code with a unique digital signature for each individual, to supposedly prevent falsification and facilitate free movement throughout 27 countries within the EU. Sixteen (16) non-EU countries have also been added to the digital passport scheme including Israel, Norway, Turkey, and Panama.

False digital vaccination records listed at $600 USD in bitcoin

Known simply as “xgroup,” the criminals behind this EU-centric fraud scheme claim to be able to access EU-based local hospital digital vaccination records on behalf of their darknet customers. All the process claims to require of the customer is that they submit their personal information (along with payment) so that it can then supposedly be added to their local hospital’s vaccination records database. This information is then theoretically accessible by the EU Digital Certificate application as each issuing body – such as a hospital, test center, or health authority – has its own digital signature key that communicates with the program.

Who is Xgroup?

Xgroup hosts a dedicated V3 hidden service on Tor where they advertise a range of “hacking services.” In addition to the COVID vaccination record hack, they claim to offer school grade alterations, social media account hacking, and financial debt clearing.

There is no proof of the legitimacy of xgroup’s skills. DarkOwl has captured mentions of their email address across various forums and services on Tor since July 2021, though it is unclear how long they were in operation before that. Our analysts also observed that in mid-July, xgroup were recruiting members with “social engineering skills,” and in late August they were raising donations for their next attack – including quotes from hacktivist organizations like Anonymous.

"Message for all the governments of the world. We recognize you as serious opponents, and do not expect our campaign to be completed in a short time frame. However, you will not prevail forever against the angry masses of the body politic. Your choice of methods, your hypocrisy, and the general artlessness of your organization have sounded its death knell. You have nowhere to hide because we are everywhere." - Xgroup (Sourced from DarkOwl Vision Darknet Data)

The group self-promotes their abilities to “hack social networks” and “destroy someones life” including creating financial and legal issues and spreading disinformation on social media.

Another COVID Scam?

DarkOwl has long observed scammers on darknet and continues to see fraudsters offer goods and services for sale, take a customer’s money, and then never deliver the purchased product. Thus it has not been surprising to see this same tactic being applied rampantly as it has throughout the pandemic, during which time we’ve seen a surge in COVID related scams for things like KN95 masks, coronavirus-infected blood, and black-market COVID vaccines

Xgroup’s fraud scheme is only applicable to European countries as the United States does not have nation-wide digital vaccine record system nor vaccination records stored at local hospitals. The scheme also explicitly refers to the EU Digital COVID Certificate program.

Given that this scheme targets EU-based customers, it is peculiar that the offer lists the address requirements using the US mailing address format and not European which require postcodes instead of zip codes, listed before the city or town, and house names and multi-lined street addresses.

This, along with the fact that the price listed in US Dollars, suggests this could very well be simply a scam originating from criminals located in the United States.

Risk to the EU Digital COVID Certification Program

The EU Digital COVID Certificate program and the idea of “digital vaccination passports” is cause of increasing controversy across the world with many claiming an invasion of health privacy, a threat to personal freedom, and opportunity for discrimination against those without ready access to vaccination centers and mobile smartphones. Similar digital vaccination records systems are in place across the US such as New York’s Excelsior Pass that queries the state’s centralized department of health records. California has a similar online portal for residents to verify their vaccination status with a QR code, called “Digital COVID-19 Vaccination Record.”

While any such digitally-based record system is susceptible to hackers or threat-actors, DarkOwl assesses the overall risk to the EU Digital COVID Certificate program is minimal. As ominous a threat as criminals offering to “hack local hospitals” may seem, we suspect there is a low probability that many darknet fraudsters are actively attempting to gain illicit access to local healthcare computer networks in order to deliver what has been advertised to their customers. In contrast, ransomware groups originating in the darknet pose a legitimate risk to hospitals and healthcare groups worldwide.

Curious about something you’ve read? Contact us to learn more about how darknet data applies to your use-case.

DarkOwl’s historical archive of darknet marketplace data provides a unique opportunity to look-back and compare the AlphaBay Market that was taken down by authorities in 2017 to the features associated with this newly launched marketplace, which shares the same name and is purportedly being ran by the same circle of people.

Lookback: AlphaBay Market and Operation Bayonet Takedown

During the summer of 2017, one of the most intriguing and well-orchestrated international law enforcement efforts in history converged to take down some of the most successful darknet markets to-date. One of these, AlphaBay Market, was the most prominent and popular darknet market since the Silk Road. At its height, AlphaBay’s daily sales ranged between $600,000 and $800,000 USD across 300,000 listings for illicit goods, offered by over 40,000 vendors and viewed by some 200,000 users.

Operation Bayonet, which would ultimately lead to the shutdown of several prominent marketplaces, began with Dutch police seizing another lesser-known market called Hansa Market. After compromising Hansa, authorities secretly operated the market for almost a month. While the Dutch focussed their efforts on Hansa, United States FBI operatives coordinated with international police to DDoS AlphaBay and seize its assets, enabling the Royal Thai Police to locate and arrest its administrator, Alexander Cazes (a.k.a. alpha02).

When AlphaBay became inaccessible as a result, thousands of its buyers and vendors flocked to the then law enforcement-ran Hansa market to continue their operations. Dutch police, operating servers across the Netherlands, Lithuania, and Germany, capitalized on the eight-fold surge of users visiting the market in the weeks following. The authorities used the time to gather information on high value targets and identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.

In cooperation with the FBI, the Royal Thai Police took steps to organize the extradition of the 24-year old Canadian administrator back to the United States. However, after Cazes was held for exactly a week at the Narcotics Suppression Bureau in Bangkok, reports of his apparent suicide surfaced. Bangkok vowed to conduct an autopsy, while US authorities had no interest in verifying the legitimacy of the suspect’s death.

Alexander Cazes’ criminal indictment details how the US Justice Department successfully confiscated his and his wife’s assets, including bank accounts, personal and market cryptocurrency accounts, and luxurious personal possessions in Bangkok – all by supposedly linking his online personas to his real life through a haphazardly leaked email address, [email protected].

When authorities carried out the warrant and arrest in his apartment in Bangkok, his laptop was left unencrypted and the admin account for the market and server logged in. Authorities also simultaneously executed search warrants for the market’s server hardware located in Quebec, Canada.

AlphaBay Organization: Key Players

Cazes did not run AlphaBay singlehandedly. They worked closely with a “security administrator” and second in command known as DeSnake, or simply “DS” for short. According to our historical darknet records, DeSnake had connections in Russia although his true identity and location was not publicly known.

In 2016, an angry user of AlphaBay known as “Kinger” stated that alpha02 had left the market in late 2015, sold his stake to DeSnake, and DeSnake was supposedly acting as admin for its final two years. Kinger’s ominous threat suggested they knew his real life identity and his citizenship was actually Dutch.

“PS: DeSnake, if you read this, we know who you are and where you reside. We know you're a Dutch guy who acts like he's Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” - user known as "Kinger"

There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.

The authorities were not the only ones to identify and/or attempt to uncover the key players (aka staff) at AlphaBay Market. In the spring of 2017, the Alpha Organization paid an extortionist threatening to dox alpha02 and a couple of his moderators at least $45,000 USD, although the veracity of the information the extortionist had has not been verified.

More information about potential players of FBI interest can be found in historical DarkOwl records, including one that states that the FBI “publicized a list of AlphaBay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay ‘team.’ From owner (DS) all the way down to public relations manager, Trappy.” (Source: Document Archived in DarkOwl Vision)

As recently as last year, a California Court sentenced Brian Herrell, a Colorado native and AlphaBay moderator who operated under the moniker “Botah” to 11 years in prison for racketeering and for his connections to AlphaBay. Upon his initial arrest, reports suggested he faced up to 20 years for his involvement in the marketplace.

Prior to AlphaBay, Alexander Cazes had a reputable history on the darknet – specifically in the carding community. A senior member from the carding community Ranklez claimed he had evidence to suggest Cazes wasn’t alpha02. Ranklez and alpha02 had a history in the carding community as Ranklez sold alpha02 fullz for conducting identity theft.

For months after its shutdown, users across the darknet theorized whether all of it was an exit scam or something more elaborate and sinister. When AlphaBay’s Reddit moderator and public relations manager, Trappy was arrested, he claimed alpha02 and DeSnake were the same person. The whole saga was confusing and unsettling for many, including Cazes’ parents, who claimed the skill set of Cazes in real life (e.g. his company Canadian EBX, etc) was more in alignment with the qualities DeSnake portrayed than alpha02. (Source: DarkOwl Vision)

AlphaBay Market’s Official Return

In early August 2021, DeSnake resurfaced on Dread, the popular Reddit-like discussion forum on the darknet administrated and moderated by users, Hugbunter and Paris. Dread staff “vouched” for DeSnake to skeptical darknet users with DeSnake signing documents using their historical PGP key.

Interestingly, AlphaBay’s former moderator “Disc0” also chimed in, but using a lowercase “d” this time.

DeSnake promoted the return of the infamous AlphaBay marketplace with services hosted on both Tor and I2P – including detailed instructions and encouragement for users to explore the market on the peer-to-peer network instead of Tor, calling their Tor services “mirrors” of the main market on I2P.

The new AlphaBay market’s Tor service has been unstable since its launch, with frequent 503 errors, user registration issues, and login timeouts. The I2P eepsite also rarely successfully loads. After almost two months of operation, the market has a handful of vendors, with only a couple of hundred listings across drugs and fraud goods. DeSnake claims there have been 15,000 user accounts created, 450 vendors registered, and over 400 listings published as of the time of writing.

The service on Tor appears to be hosted alongside Dread services and features both the Dread waiting queue and clock-captcha for DDoS protection. The marketplace was offline last week, when Dread and its sister services were under heavy DDoS and inaccessible.

While disc0 vouched for DeSnake on Dread they are not Staff on the revived market or its associated forum, claiming they are retired from such work. The new AlphaBay appears to be moderated by the personas TheCypriot, tempest, and wxmaz. All of the moderators speak very formally with impeccable English and gush with unbridled passion about the need for a new concept of decentralized marketplaces, the complex tradeoffs and advantages of peer-to-peer networks, and a deep desire to establish a greater sense of community.  DeSnake’s posts are particularly “wordy” with extensive lengthy posts on Dread and the market’s About and FAQ section. They sign every post and reply officially with the phrase “Thank You.”

Like the historic AlphaBay, the market’s forum is located on the same domain as the market and has limited discussions. Most of the forum is marked private until the user formally introduces themselves in accordance with the rules outlined by DeSnake. There is a “Admin” account as was the case with the historical AlphaBay forum, and DeSnake also has their own personal account. DarkOwl believes this account may be maintained by DeSnake based on the observation that they leave a similar “Thank You.” at the end of every post.

Darknet Users Remain Hesitant and Skeptical

DarkOwl has been unable to assess how the larger darknet community (outside of Dread) feels about the new Alphabay Market. AlphaBay historically had a vocal and persistence presence on Darknet Market Avengers forum which unfortunately, has been offline for several weeks. There are no new threads mentioning AlphaBay’s return on The Hub.

Users on the Russian-speaking forum, XSS have been the most critical of DeSnake and AlphaBay. In a thread titled, “AlphaBay вернулся!” [Translated: “AlphaBay is back!”] users comments were generally critical of the legitimacy of the marketplace, with comical references like “Welcome to the FBI HQ” posts.

DeSnake joined the conversation, creating an account with his moniker on September 12, 2021 in attempts to mitigate the marketplace’s potential reputation damage. DeSnake repeatedly pointed to their vouches from Dread and old PGP key pasted to Ghostbin, paste site.

Unfortunately, DeSnake’s contributions written in a mixture of English and Russian backfired and senior members of XSS berated them for their lack of operational security and inability to properly understand the dynamics of the Russian language.

“Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So your either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that lead you to relaunch like this. But since youre not who youre trying to be we can skip it" 

– XSS user’s reply to DeSnake directly on the AlphaBay is back thread

Even Reddit users on the surface web have mixed feedback. One user openly joked they would stick to purchasing their drugs on social media.

Drama Begins and Scammers Take Advantage

During this research, DarkOwl discovered a surface web domain that mirrors much of the information DeSnake shared on Dread, but with a Tor link to the market that is not in the mirrors.txt verified links list from AlphaBay. The surface web domain is likely setup specifically to direct users to a phishing site where their credential information can be stolen.

There is a Dread thread in the AlphaBay subdreadit stating that AlphaBay is not on Telegram or the surface web validating the theory this is likely a phishing domain. No information about the domain could be ascertained as it is protected by Cloudflare.

The links section on the surface web AlphaBay domain asserts that all the information on Dread is false, stating that DeSnake’s Dread account had been compromised by “mr_white.” The moniker mr_white belongs to the administrator and owner of the popular darknet marketplace, White House Market (WHM) themed after Breaking Bad’s main character, Mr. White.

Some users claim that mr_white and his team from WHM are to blame for last week’s DDoS while others speculate that HugBunter himself could be mr_white.

Is the “New” AlphaBay What it Claims to be? Observations from DarkOwl’s Analysts

While DarkOwl generally avoids engaging in or commenting on speculative darknet drama, there are several things about the re-emergence of AlphaBay and DeSnake that don’t add up. While DeSnake very well could be legitimate, the sheer fact the authorities confiscated the market’s servers and Cazes’s unencrypted laptop should bring significant suspicion whether this new darknet marketplace is legitimate, or simply another covert law enforcement operation.

For this reason, our analysts have shared some observations of note that potentially point to something larger transpiring than a simple relaunch of the former marketplace. Notably:

• Registration for the market and the forum seem unnecessarily complicated, including errors if the pin code started with ‘0’ and asking for the user’s “real name.” The concept of a real name is irrelevant in the darknet unless the administration is possibly trying to catch someone not in the “right-state-of-mind” slip-up and actually put their real name into that field.

• The DDoS protection and bot detection measures are excessive for a brand new marketplace. While navigating the domain manually, DarkOwl analysts regularly had to reset their Tor circuit and refresh their identity to simply view the vendor listings.

• The market includes an outrageous number of strict rules delineated as “global AlphaBay” versus rules specifically for “buyers” and “vendors.” There are no weapons allowed (where the previous AlphaBay had a weapons category), no Fentanyl sales allowed (where the previous AlphaBay had a ‘Fent and RCs’ category), no COVID-19 vaccine or cures can be offered, no ransomware sold or advertised, and no Commonwealth of Independent States (CIS) related countries activities allowed.

• The “About-Us” and Frequently Asked Questions (FAQ) sections are a laborious read with over 13,000 words combined – 8,200 for the FAQ section alone. Conversely, the original AlphaBay’s FAQ was a mere 277 words.

• The overt exclusion of CIS countries is peculiar, especially given that DeSnake and alpha02 were openly active in Russian carding communities. According to DarkOwl Vision’s archived documents, Russian speakers were present on the original AlphayBay forum and in interviews alpha02 spoke of how they “work with our Russian colleagues to enable each of us to enrich our base of vendors and buyers,” and clearly was not excluding users located in Russia.

• AlphaBay now only accepts the cryptocurrency Monero, and heavily promotes that users access it via I2P instead of Tor, calling their Tor services “mirrors” to the main I2P eepsite. DeSnake’s detailed instructions for installing I2P on Dread fail to mention the potential risks of peer discovery and de-anonymization through known techniques like Eclipse and Sybil attacks in conjunction with flood-fill takeovers. Interestingly, the last known Monero-I2P-centric market was Liberitas, which went offline in June 2019 after a very short stint on the I2P network.

• DarkOwl could not confirm any prior darknet experience from the moderators DeSnake has installed as Staff on the market and forum.

• The new AlphaBay Marketplace refuses donations. It is unheard of that a darknet service would decline and discourage donations. A fully-functional darknet marketplace will indeed provide sufficient financial resources in the future; yet refusing them from the start is unreal.

Additional language analysis reveals other questionable inconsistencies. For example, in the FAQ and About-Us, there are several mentions of DeSnake’s operational security (OPSEC) prowess and over-the-top digs at law enforcement, e.g. “dirty playing by LE with their parallel construction.” Interestingly, the phrase “parallel construction” has appeared many times in post-AlphayBay (2017) conversations on other English-speaking and Russian forums.

Given how security conscious DeSnake was previously, which they self-proclaimed as operating under the mindset of ‘the agencies are after me’,” it is unlikely that they would have been comfortable writing in such recognizable patterns and thereby potentially exposing speech and language nuances.

In a similar vein, DeSnake’s extensive writing samples include multiple instances where the “British” spellings of words like “honoured” and “minimised” are included similar to how alpha02 wrote in his interview with Joshua G in April 2015 on Deep Dot Web, but “decentralized” is still spelled with a “z.” While there are very few English-speaking historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never included any British-English spellings such as these.

Furthermore, darknet users rarely draw so much attention to themselves. DeSnake has broken this mold with their dramatic return to the public eye that included interviews with the media and identity verification through a potentially compromised PGP key.

DarkOwl has assigned assets to monitoring and collecting data from the new AlphaBay Marketplace, despite their increased crawler detection measures and ongoing server instability. Our analysts will continue to follow this market’s presence and reputation on the darknet, and provide further updates as this story unfolds.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

DarkOwl’s unparalleled reach into the Darknet Illuminates Threat To IoT as Realized with Recent CCTV Attack on Prison Security System.

In recent years, the cybersecurity industry has repeatedly warned of an increase threat against Internet of Things (IoT) devices. With Ring doorbells, smart refrigerators, IP-enabled cameras and baby monitors, and wi-fi enabled programmable thermostats, the modern western home is a hacker’s playground with multiple attack vectors to choose from. Cybercriminals and hacktivists readily seize upon more lucrative and scalable victims, with cloud-based IoT servers regularly targeted and databases of IoT data exposed – like that of enterprise security camera system provider Verkada, which had 150,000 systems compromised back in the spring of this year during #OperationPanopticon.

Iranian-based cyber hacktivists, known as Edalat-e Ali, or “Ali’s Justice” elevated such vulnerabilities last month, compromising an Iranian prison system’s closed-circuit television (CCTV) to expose widespread abuse and inhumane prison conditions.

DarkOwl has also discovered that the tools to carry out such IoT exploitation campaigns are readily available for sale on the darknet.

Background: The Iranian hacktivists who compromised the CCTV networks

The Edalat-e Ali hacktivist’s Telegram channel, created on August 19th, launched their attack against the Evin Prison and a photo surfaced of the prison control room with their logo on the screens in their earliest posts. They claim to have “hundreds” of gigabytes of data. In less than two weeks, the Telegram channel has amassed over 30,000 followers and includes numerous leaked videos.

The description provided in their Telegram channel reads as follows:

ما تصمیم به بر ملا کردن جنایات رژیم گرفته و به سیستمهای زندان اوین حمله سایبری کردیم.جهان را از نقض بارز حقوق بشر در پشت دیوارهای زندان اوین مطلع کنید (ویدیو،عکس،پرونده های زندانیان سیاسی و مدارک مختلف از زندان).

زندانی سیاسی آزاد باید گردد!

«عدالت علی»

[Translated to English]

We decided to resolve the regime’s crimes and attacked Evin prison systems. Inform the world of obvious human rights violations behind the walls of Evin prison (video, photo, political prisoner records and various documents from prison).

Free political prisoner must be!

“Justice Ali.”

The group also leaked documents from the prison from early 2020, where Evin Prison officials expressed concern over potential foreign military attack. This leak suggests that Edaalate-Ali possibly accessed their internal data storage systems in addition to their CCTV security footage. (Source)

Darknet Tools of the Trade to Exploit IoT

Coincidentally, on the same day that the Edalat-e Ali group appeared on Telegram, a vendor known as “thedangeroustomato” posted an offer for a 2021 CCTV exploit on the new Canadian-centric darknet marketplace called “We The North.”

The CCTV exploit is available for a mere $10.50 USD and claims it is “skid-friendly” with the exploit delivered to the victim network via a malicious PDF and two python scripts.

According to DarkOwl Vision’s database, the vendor has very few listings and not much history using that moniker across other darknet forums and marketplaces.

DarkOwl assesses with medium confidence that the “We The North” darknet marketplace is likely a thematic spin-off of Canadian Headquarters, another Canadian-based darknet marketplace that reportedly “exit scammed” a few weeks ago, but has recently resurfaced on a new v3 Tor onion service. The new Canadian HQ market has a new user database (e.g. old credentials do not work) with a “Coming Soon” banner on the main shop front.

Cyber Threat Actors Will Continue to Target CCTV Vulnerabilities

DarkOwl has not confirmed whether this specific exploit was employed against the Iranian Evin Prison hack. However, the low cost to procure, ready availability of such tools via python scripts, and flurry of international news media covering the prison CCTV hack success, suggest further attacks against similar CCTV security systems are likely if not highly encouraged by darknet cyber criminals.

For example, darknet forum and chatroom members celebrated the Verkada attack against Tesla and Cloudflare earlier this year in March, 2021. A member of the DDoSSecrets Telegram group, known for releasing geopolitically controversial content on the darknet, claimed that APT-69420, known as “Arson Cats” were responsible for the IoT device breach and shared images from the victim devices in defiance against global mass surveillance. According to one chatroom, employees at Verkada supposedly revealed the use of the Verkada’s “Super Admin Tool” was widespread and a compromised admin credential could have been the origins of the device attack.

The U.S. Justice Department indicted 21-year-old Swiss-based female hacker Till Kottman with the crimes against Verkada shortly after the leaks appeared. According to open-source reports, her group, designated APT-69420 Arson Cats, is a small collective of “primarily queer hackers, not backed by any nation state, is motivated by the desire for fun, being gay and a better world.”

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

To learn more about the technology habits of ransomware operators, DarkOwl analysts conducted a brief survey of content issued by RaaS groups over the last few years and collated mentions of any email domains they provided for victims to initiate contact with them. The data we analyzed included ransomware notes harvested from multiple darknet sources from 2016 through the first two quarters of 2021.

The chart below depicts the results of our findings, and demonstrates which email services were and/or are popular amongst ransomware gangs over the past several years.

Quick Takeaways

• Since 2019, ransomware criminal gangs prefer the Swiss-based Protonmail and German-based Tutanota encrypted e-mail services over other e-mail service providers. The data included in this analysis summed the domains mentioned across all service provider TLDs, e.g. .ch, .io, .pm, etc.

• E-mail service providers AOL and India.com were most popular in 2016 and 2017 but use of these providers have dropped off considerably in recent years.

• Google’s Gmail has experienced moderate, alibeit consistent use by many ransomware criminal groups.

Tutonata emerges as most popular email service in 2021 thus far

For the first half of 2021, Tutonata appears to be leading Protonmail in total email accounts mentioned across notes published in the first two Quarters of 2021. Both email services have been the subject of controversy over recent years, including last December when open source reporting indicated that the German government had been forcing Tutanota to setup backdoors, enabling law enforcement to monitor and read e-mails in plain text.

While the reason for the decline in Protonmail’s popularity can not be stated definitively, the fact that the service has been the subject of debate is likely a contributing factor. In 2019, some users across the darknet and Reddit began spreading rumors that ProtonMail was likely a law enforcement honeypot – citing how its Tor service redirects back to the surface web upon account creation. Theories that developers at MIT with oversight from the NSA, CIA, and DARPA assisted CERN with Protonmail’s source code and encryption development. Further arguments included how Protonmail stores email data and metadata in formats similar to those that Edward Snowden had stated the CIA requires. (Source)

This debate is heated and greatly divided with many stating the Privacy WatchDog Blog detailing how Protonmail is a honeypot is anti-Protonmail propaganda website, spreading FUD and baseless conspiracy theories. Additional reports suggest that the CIA for decades has utilized front-companies and technical organizations based in Switzerland to spy on European governments, adding fuel to the paranoia and conspiratorial chatter.

Future Predictions

While the trends for email address domains observed during the first two quarters of 2021 are consistent with preferences in recent years, this data analysis further predicts that the total number of email addresses from ransomware victim notes for 2021 will be likely less than totals observed from previous years.

We predict this due to the volume of ransomware groups utilizing alternative communication methods with their victims. DarkOwl has observed numerous links to Telegram accounts and real-time chats directly hosted Tor darknet onion services to conduct ransom payment negotiations in lieu of traditional e-mail based communications.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case