DarkOwl 2025 Recap: A Quick Reflection & Updates

December 30, 2025

As 2025 draws to a close, as we do every year, our content and marketing teams are taking a moment to reflect on the exciting events, trends, and changes the DarkOwl team experienced throughout the year. From major product advancements to strategic partnerships and thought leadership in the darknet intelligence space, this year has been marked by progress and momentum. We’re grateful to our customers, partners, and community for your continued engagement and support — and we look forward to building on these successes in 2026!

We hope you continue to find the topics we explore valuable, enlightening, and engaging. One final marketing reminder for the year: be sure to sign up for our weekly newsletter to stay updated on the latest insights from our research and content teams!

Around the World & Across the Industry

In 2025, DarkOwl continued its commitment to engaging with the global cybersecurity community. The team was active at leading industry events, including the RSA Conference in San Francisco, where we showcased our platform capabilities and met with peers and customers to discuss the evolving threat landscape. Check out where we will be in 2026 and request time to meet here.

Beyond trade shows, DarkOwl shared insights through webinars and blog posts on cutting-edge topics — from artificial intelligence’s role in threat intelligence to emerging darknet trends — providing thought leadership to practitioners and analysts worldwide.

And don’t worry! The team also made time for some fun. At this summer’s annual company get-together we finally met the owl we adopted three years ago. He jumped early from his Michigan nest in 2015, fractured his right wing in two places, and spent about a week on the ground next to a barn before the landowners picked him up and brought him to a rehabilitation center. In August 2016 he was transferred to the Raptor Education Foundation in Denver, where he now lives. You can learn more about him on his dedicated adoption page.

Photos: RSA Conference in San Francisco, CA; the team at HQ in Denver, CO; ISS World Europe in Prague, Czech Republic

Gotta show some pet love as well from our Pets Slack Channel (the best channel).😻

Yearly reminder: DarkOwl analysts and their pets recommend that you never use your pet’s name in any password, because pet names are a staple of the wordlists threat actors feed into brute-force and credential-guessing attacks.

Throughout 2025, our Product Team rolled out significant updates designed to empower analysts and security teams with deeper, more actionable darknet intelligence:

  • Enhanced Case Management: Vision UI now supports improved team workflows and collaboration with enhanced Case Findings features that include inline annotation and visual summary dashboards.
  • Leak Visualizations & Timeline Analytics: New visualizations help users grasp leak compositions and alert trends over time — enabling richer analysis and faster decision making.
  • Marketplace Intelligence: A major expansion of darknet marketplace capabilities incorporates rich structured data across dozens of fields — from vendor info to pricing and shipping — directly in Vision UI and API.
  • Universal Phone Query Builder & Export Flexibility: We introduced a Universal Phone Number Builder and expanded reporting formats — including Word export — to support a variety of operational needs.

These enhancements reflect our ongoing commitment to refining workflows, increasing visibility into complex data, and enabling faster, smarter insights for our users. These are just a few of the product updates made throughout the year! You can check out more in our quarterly blogs, starting here.


DarkOwl’s blog continued to be a hub for expert analysis on darknet intelligence, cyber threats, and cybersecurity trends. Notable posts from late 2025 included practical guides on cyber hygiene, explorations of how threat actors operate, and even insights into unique aspects of darknet ecosystems like vendor shipping choices.

In addition, DarkOwl was selected as the darknet technology of choice for Channel 4’s series Hunted, offering real-world demonstrations of how darknet intelligence supports investigative work.

2025 saw DarkOwl strengthen its global reach through a series of partnerships aimed at bringing darknet intelligence to more organizations:

  • Strategic Alliance with Ticura: A collaboration to simplify dark web monitoring workflows and broaden operational accessibility for security teams and MSSPs alike.
  • 8com GmbH & Co. KG Partnership: 8com integrated DarkOwl’s Vision UI and Search API into its SOC workflows to enhance early detection of compromised data and proactive defense measures.
  • Global Reseller Partnerships: Authorized reseller agreements — including with Hottolink in Japan — expanded access to DarkOwl’s threat intelligence solutions across international markets.

These collaborations underline DarkOwl’s role as a trusted provider of darknet intelligence to enterprises, security practitioners, and service providers around the globe.

As we close out 2025, we are energized by the rapid evolution of both cybersecurity challenges and the tools needed to address them. DarkOwl is committed to pushing the frontier of darknet intelligence — delivering deeper insights, smarter workflows, and stronger partnerships that equip our customers to stay ahead of threats.

Thank you for being part of our 2025 journey. Stay connected by subscribing to our newsletter, engaging with our content, and joining us at events in the year ahead!


Don’t miss any updates from DarkOwl in 2026 and get weekly content delivered to your inbox every Thursday.

The State of Darknet Marketplaces in 2025: Trends, Metrics, and Insights

December 18, 2025

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape.

In 2025, we collected unique listings from the leading darknet marketplaces, summarized in Figure 1(a). Vendor activity is shown separately in Figure 1(b).

Based on listing volume, the most active markets in our dataset were Black-Pyramid, Ares, Dark-Matter, Zelenka-Lolzteam, Nexus-Market, and Drughub. These platforms consistently generated high volumes of product posts across a wide range of categories, from narcotics and fraud services to digital goods and hacking tools. However, when ranking markets by the number of distinct vendors rather than total listings, a slightly different picture emerges. Zelenka-Lolzteam, Archetyp, Drughub, Dark-Matter, Blackopps, and Black-Pyramid attracted the largest number of sellers overall, illustrating how some markets excel at breadth of vendors even if they generate fewer listings per seller.

Market stability in 2025 remained a challenge, as several high-profile platforms experienced abrupt shutdowns. MGM-Grand, Archetyp, Abacus, and Elysium-Market all disappeared mid-year, either due to law enforcement intervention or suspected exit scams. Their closures caused sudden shifts in vendor migration patterns and contributed to the overall volatility of the ecosystem. These dynamics highlight the importance of tracking not just market size but also operational longevity, resilience, and community trust.

Figure 1: Top Markets by (a) Unique product listings and (b) unique vendors

Reviews play a crucial role in darknet marketplaces because they are one of the few publicly visible indicators of community engagement, trust, and transaction legitimacy. In environments where users operate anonymously and traditional reputation systems are absent, reviews help buyers gauge vendor reliability, product quality, and the likelihood of receiving what they paid for. They also offer insight into vendor longevity and buyer satisfaction—information that listing counts alone cannot provide.

On these markets, review activity becomes a broader marker of community health. Reviews show that buyers are active, transactions are taking place, and vendors are accumulating reputational signals that others can verify. When users take the time to leave feedback, it fosters a shared sense of accountability within an otherwise anonymous ecosystem. Markets with consistent review activity tend to feel more dynamic and trustworthy: buyers rely on collective experience to avoid scams, vendors depend on feedback to differentiate themselves, and the community becomes more informed and resilient. In this way, engagement acts as a stabilizing force, shaping user behavior and contributing to the long-term viability of a market. Measuring review activity, therefore, offers more than a participation metric: it provides a window into the social dynamics that influence market stability, consumer decision-making, and the overall trust architecture of the darknet ecosystem. Review counts must nevertheless be read with caution, since vendors can post reviews on their own listings to appear active and reliable; engagement figures are a signal, not proof of genuine trade.

To quantify these dynamics, we examined review activity across markets. Overall, 68% of the markets we collected from offered some form of user review or feedback mechanism. On those markets, 23% of listings had at least one review; with every market in the denominator, including those without review systems, the figure is 16%. On markets that supported reviews, listings averaged 7 reviews each, rising to 16 when only listings with at least one review are counted. Notably, ten of the fourteen top markets discussed above offered review functionality. Figure 2 shows the percentage of listings with reviews across these top markets, illustrating the varying levels of community engagement.
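The figures above depend entirely on which listings sit in the denominator, so it is worth being explicit about how each one is computed. The following is an added example, not DarkOwl’s code or data: it takes a constructed set of listings (four markets, one of them with no review feature at all) and derives the same five metrics the text quotes, plus the per-market engagement percentage behind Figure 2. The `review_count` of `None` versus `0` distinction is an assumption of this example, chosen so that “no review system” and “no reviews yet” are not conflated.

```python
"""Review-engagement metrics for marketplace listings.

Added example, not DarkOwl's code or data. Each constructed listing records
the market it was collected from and the number of reviews seen on it;
review_count is None when the market exposes no review feature at all, so
"zero reviews" and "no review system" stay distinct.
"""
from collections import defaultdict

# Constructed sample: four markets, one of which (market-c) has no review system.
LISTINGS = [
    {"market": "market-a", "review_count": 0},
    {"market": "market-a", "review_count": 12},
    {"market": "market-a", "review_count": 3},
    {"market": "market-b", "review_count": 0},
    {"market": "market-b", "review_count": 0},
    {"market": "market-b", "review_count": 25},
    {"market": "market-c", "review_count": None},
    {"market": "market-c", "review_count": None},
    {"market": "market-d", "review_count": 4},
    {"market": "market-d", "review_count": 0},
]


def _by_market(listings):
    groups = defaultdict(list)
    for item in listings:
        groups[item["market"]].append(item)
    return groups


def review_metrics(listings):
    """Compute the five figures quoted in the text, with explicit denominators.

    Returns an empty dict if there are no listings, so callers never divide by zero.
    """
    if not listings:
        return {}
    groups = _by_market(listings)
    # A market "has reviews" if any of its listings carries a review count at all.
    review_markets = {
        m for m, items in groups.items()
        if any(i["review_count"] is not None for i in items)
    }
    on_review_markets = [i for i in listings if i["market"] in review_markets]
    reviewed = [i for i in on_review_markets if i["review_count"]]  # count >= 1
    total_reviews = sum(i["review_count"] for i in reviewed)
    n_rm = len(on_review_markets)
    return {
        # share of markets offering a review/feedback mechanism
        "markets_with_reviews": len(review_markets) / len(groups),
        # share of listings with >=1 review, review-capable markets only
        "reviewed_on_review_markets": len(reviewed) / n_rm if n_rm else 0.0,
        # share of listings with >=1 review, every market in the denominator
        "reviewed_overall": len(reviewed) / len(listings),
        # mean reviews per listing on review-capable markets (zeros included)
        "mean_per_listing": total_reviews / n_rm if n_rm else 0.0,
        # mean reviews per listing among listings that have at least one
        "mean_per_reviewed_listing": total_reviews / len(reviewed) if reviewed else 0.0,
    }


def engagement_by_market(listings):
    """Percentage of listings with at least one review, per review-capable market."""
    result = {}
    for market, items in _by_market(listings).items():
        if all(i["review_count"] is None for i in items):
            continue  # no review system: not comparable, leave it out of the chart
        with_reviews = sum(1 for i in items if i["review_count"])
        result[market] = 100.0 * with_reviews / len(items)
    return dict(sorted(result.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for name, value in review_metrics(LISTINGS).items():
        print(f"{name:28s} {value:.3f}")
    print(engagement_by_market(LISTINGS))
```

One consequence worth keeping in mind when reading such figures: the mean over all listings on review-capable markets is always the mean over reviewed listings multiplied by the reviewed share, so the two averages are not independent measurements and can be used to check each other.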

Figure 2: Markets with the highest customer engagement based on percentage of listings with reviews

In addition to examining overall activity and community engagement, we conducted a category-level analysis across the full DarkMart dataset, not just the top markets. Whenever markets provided category labels, we extracted and normalized them into 11 high-level categories to create a consistent taxonomy across platforms. For listings without explicit category metadata, we applied a clustering-based classification approach to assign them to the most likely category based on listing text and semantic similarity. This allowed us to produce a unified view of the thematic composition of the ecosystem.

Figure 3 presents the distribution of these categories across all markets in our dataset. The landscape is dominated by Drugs and Chemicals, which account for 68% of all listings. This aligns with longstanding trends in darknet commerce, where narcotics represent the bulk of transactional activity. The next largest categories are Fraud (13%) and Counterfeit Items (7%). The Fraud category encompasses offerings such as stolen payment-card data, phishing kits, account takeovers, and forged or altered identification documents. Counterfeit items include fake currency, imitation branded goods (e.g., luxury watches, designer bags), and various forged certificates or documentation.
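Two steps produce a chart like Figure 3: mapping each market’s own labels onto the shared taxonomy, and filling in a category for listings that have no usable label. The block below is an added example, not DarkOwl’s pipeline. Its alias table, its three taxonomy categories (DarkOwl’s has 11) and its listings are constructed for illustration, and the fallback classifier is a TF-IDF nearest-centroid model, one simple stand-in for the clustering-based approach the text describes. A listing whose title resembles nothing in the labelled set stays “Unclassified” rather than being forced into the nearest bucket.

```python
"""Normalise market-specific category labels to one taxonomy and classify
unlabelled listings by text similarity to the labelled ones.

Added example, not DarkOwl's pipeline. The alias table, the three taxonomy
categories shown (DarkOwl's taxonomy has 11) and the sample listings are
assumptions made for this illustration. The fallback classifier is a
TF-IDF nearest-centroid model, one simple stand-in for the clustering-based
approach described in the text.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed mapping from raw per-market labels to shared top-level categories.
ALIASES = {
    "weed": "Drugs and Chemicals", "cannabis": "Drugs and Chemicals",
    "opioids": "Drugs and Chemicals", "stimulants": "Drugs and Chemicals",
    "cvv": "Fraud", "carding": "Fraud", "fullz": "Fraud",
    "replica": "Counterfeit Items", "fake money": "Counterfeit Items",
}
TOKEN = re.compile(r"[a-z0-9]+")

# Constructed listings: some carry a market label, some none, one an unknown label.
LISTINGS = [
    {"title": "10g Cannabis Indoor Grown Flower", "category": "Weed"},
    {"title": "1g Fentanyl HCL Powder", "category": "Opioids"},
    {"title": "100x CVV US Visa fullz with SSN", "category": "CVV"},
    {"title": "Rolex Submariner replica AAA", "category": "Replica"},
    {"title": "50 EUR fake money prop bills", "category": "Fake Money"},
    {"title": "5g Cannabis flower Outdoor", "category": None},
    {"title": "Visa CVV dumps US fresh", "category": None},
    {"title": "Tutorial hacking guide", "category": "Guides"},
]


def normalize_category(raw):
    """Map a raw market label to the shared taxonomy, or None if unknown."""
    if not raw:
        return None
    key = re.sub(r"\s+", " ", re.sub(r"[^a-z ]", " ", raw.lower())).strip()
    return ALIASES.get(key)


def tokens(text):
    return TOKEN.findall(text.lower())


def build_centroids(labelled):
    """One TF-IDF weighted bag-of-words centroid per category."""
    docs = [(cat, Counter(tokens(text))) for cat, text in labelled]
    df = Counter()
    for _, counts in docs:
        df.update(counts.keys())
    n = len(docs)
    idf = {t: math.log((1 + n) / (1 + d)) + 1 for t, d in df.items()}
    centroids = defaultdict(Counter)
    for cat, counts in docs:
        for t, f in counts.items():
            centroids[cat][t] += f * idf[t]
    return dict(centroids), idf


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def classify(text, centroids, idf, min_score=0.1):
    """Nearest centroid by cosine similarity; below min_score stays Unclassified."""
    vec = Counter({t: f * idf.get(t, 1.0) for t, f in Counter(tokens(text)).items()})
    scored = [(cosine(vec, c), cat) for cat, c in centroids.items()]
    score, cat = max(scored, default=(0.0, None))
    return cat if score >= min_score else "Unclassified"


def categorize(listings):
    """Return one normalised category per listing, using labels where present."""
    labelled = [(normalize_category(l["category"]), l["title"]) for l in listings]
    centroids, idf = build_centroids([(c, t) for c, t in labelled if c])
    return [c or classify(t, centroids, idf) for c, t in labelled]


def distribution(listings):
    """Share of listings per category, the quantity Figure 3 reports."""
    counts = Counter(categorize(listings))
    return {cat: n / len(listings) for cat, n in counts.items()}
```

The threshold matters for the honesty of the resulting chart: without it, every unlabelled listing lands in some category and the “Unclassified” share, which tells the reader how much of the distribution rests on inference rather than on vendor-supplied labels, disappears.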

Because drugs and chemicals dominate the darknet marketplace landscape, we took a closer look at the different types of products within this category. The right side of Figure 3 shows the distribution of subcategories, offering insight into the variety of goods vendors specialize in.

Cannabis leads the subcategories, accounting for 41% of listings, and includes traditional cannabis as well as THC-infused products. Following cannabis are opioids (14%), including powerful painkillers like Fentanyl and Heroin, which act on the body’s opioid receptors. Psychedelics (11%), including LSD, psilocybin mushrooms, and Ketamine, also make up a significant portion, designed to alter perception, mood, and cognition.

Stimulants (12%), including Methamphetamine, Cocaine, and other “speed” drugs, increase alertness and energy, while depressants (3%), such as Xanax and GHB, slow brain activity; some of them, Xanax among them, are prescribed for anxiety or sleep disorders. Party drugs (7%), such as MDMA (Ecstasy), are designed to enhance sociability and create feelings of empathy, and are often used in recreational settings. Finally, miscellaneous drugs (3%) cover a variety of specialized items, from hormonal treatments and sexual enhancement products to vaping-related substances.

Taken together, this subcategory breakdown illustrates not just the sheer volume of drug-related listings, but also the diversity of products and specialization among vendors. It shows how darknet marketplaces cater to a wide range of consumer needs, from medical and recreational to niche and experimental.

Figure 3: DarkMart category and subcategory breakdown (Drugs and Chemicals)

We also examined the shipping data available for our 2025 product listings. Figure 4 illustrates the flow of shipments from source countries to destination countries. For clarity, we excluded listings where the source or destination was listed as “worldwide” and aggregated countries into broader continents or regions.

Unsurprisingly, the bulk of shipments occur within North America. Europe follows a similar pattern, with many shipments staying within the continent, but European vendors also reach a wide range of international destinations. North America, too, sends products across the globe, including to regions like Africa—even though Africa itself contributes very few listings as a point of origin.

Some patterns are particularly striking. A small subset of products reportedly ships from and to Antarctica. Shipping fields are vendor-declared and unverified, so entries like these most likely reflect placeholder or joke values rather than real routes, but they pass through the data as written and highlight the unusual and niche nature of certain listings. Asia exhibits a more modest version of Europe’s international reach, with most shipments staying regional but a smaller proportion traveling worldwide.

Overall, the shipping data reveals that while most transactions remain regional, darknet markets are capable of supporting truly global commerce. The map also underscores the asymmetry of trade: some regions are primarily exporters, others primarily importers, and a few see very limited activity despite being part of the network. These flows offer a window into how products, and by extension, vendors, connect distant parts of the world in a complex, global ecosystem.

Figure 4: Shipping flows within DarkMart

Our 2025 analysis of darknet marketplaces paints a picture of a highly active and evolving ecosystem. Some markets dominate in listings, while others attract the largest communities of vendors. Drug-related listings continue to account for most of the activity, with fraud and counterfeit items forming significant secondary categories. Shipping data highlights both regional concentration and surprising international reach, while review metrics reveal the importance of community engagement in fostering trust and reliability in an otherwise anonymous environment.

Taken together, these insights offer a comprehensive snapshot of the darknet economy, one that shows both the scale of activity and the social dynamics that sustain it. As markets rise, fall, and adapt, ongoing monitoring is essential to understand the forces shaping this hidden corner of global commerce.


Holiday Shopping on the Dark Web: The Myths vs. The Reality

December 16, 2025

The dark web often gets portrayed as a lawless digital bazaar where you can buy anything — from stolen identities to malware, services, how-to-guides, hit men and even human organs – as long as you know where to look. The assumption is that all illegal things are available to purchase on the dark web.  

But how much of that reputation is true? The question comes up especially during the holiday season, when sensational headlines tend to resurface and most people are looking for a few stocking fillers. So, as we approach the holiday shopping season, we wanted to explore the myths and realities of dark web “holiday shopping”: what is truly available to criminals, how they find it, and what we can do to combat it through dark web monitoring.

This is the biggest misconception. Movies and tabloids love to exaggerate the dark web’s capabilities and the activities that take place there.

The Reality:

The dark web is messy, unreliable, and full of scams. Many “products” that criminal forums advertise are fake, recycled, or outright frauds designed to steal from other criminals. Law-enforcement stings, exit scams, and disappearing marketplaces happen constantly. And most things are not readily available. The criminals still require access to these goods – meaning they need a supply chain, and they have to have the means of sending these goods or services to their customers.

That is not to say that you can’t buy nefarious goods on the dark web. It is well known for its booming drug markets, and hacking tools and services are readily available, lowering the barrier to conducting some attacks. The sale of stolen data also continues to grow as we move into 2026.

Some people imagine a slick interface full of products and reviews.

The Reality:

This isn’t false. A lot of dark web marketplaces do model themselves after more mainstream commercial retail sites. Most marketplaces have listings, reviews, shipping time frames, and images of their listings. There is even a marketplace called Awazon!

That being said, most dark web markets are also unstable and can be confusing, slow, and filled with phishing mirrors. A lot of listings can also be scams, with vendors offering goods and accepting payments for goods they never intend to ship. Even the markets that try to mimic legitimate platforms collapse frequently — sometimes due to law enforcement, sometimes because operators run off with users’ funds. But this is not always the case – some markets are more mature and stable than others.

You’ll occasionally see rumors about festive deals on illicit services or stolen data. Some markets will provide advertisements offering deals for things such as “Black Friday.”

The Reality:

Seasonal themes are mostly cosmetic. Some forums change banners or run small, informal “events,” but the idea of “Cybercriminal Black Friday Sales” is largely sensationalized. What does rise is scam activity: low-effort attempts to take advantage of distracted users. “Serious” vendors usually do not care what time of year it is; the price they set is based on the product they have and what they think people will pay for it. We have seen strong demand for stolen data this past year, some of it paid for either as a ransom or by other criminals hoping to use the data for their own gain.

Headlines often imply a constant flow of fresh, highly sensitive data which is easily accessible to anyone who wants to access it.

The Reality:

Much of what circulates on dark web forums is outdated breach material, repackaged, and resold repeatedly. Combolists are known to pull data from multiple leaks which can be years old. Other threat actors may attempt to make more money by repackaging leaks which have already been sold.

Real, recent data is harder to obtain, tightly controlled, and often monitored by law-enforcement agencies. Ethically, this data should not be purchased, which makes it harder to access for those monitoring leaks of these data sets for protection purposes. What’s more, a media report of a data leak does not mean the data will be available on the dark web. Some threat actors steal data for their own use or negotiate within closed groups.

Dark web content is frequently portrayed as exclusively illegal.

The Reality:

Not all dark web browsing is illicit. Whistleblowers, journalists, and privacy researchers use Tor for legitimate reasons, and many legitimate dark web sites exist to share accurate information and combat censorship. The technology is neutral; it is the illegal marketplaces that create risk. Therefore, whenever accessing dark markets, make sure you do so legally and ethically, and never purchase goods without legal authorization. This is why using DarkOwl to track the sale of these goods can be the safest way forward.

  • Phishing mirrors multiply as scammers impersonate well-known markets.
  • Pop-up marketplaces appear, then disappear with users’ money.
  • Fake “limited time” offers lure inexperienced users.
  • An increase in account-takeover attempts occurs as criminals hunt for holiday shoppers’ credentials to resell.

Cybercriminals know people are stressed, rushed, and spending more. It’s prime scamming season. This does not just apply to the dark web. All consumers should be hyper vigilant to scams during the festive time of year.

The festive season brings out the creativity — and opportunism — of cybercriminals. But most dark web holiday myths crumble under scrutiny. Understanding the reality helps prevent people from falling for exaggerated stories… and from stumbling into dangerous territory.


Who’s Delivering the Darknet?

December 11, 2025

When we think of darknet marketplaces, the focus is usually on the products: drugs, counterfeit goods, stolen data, and more (linked are just a few of the blogs where DarkOwl has covered these examples). But behind every transaction lies a critical question: how does it get delivered? Shipping choices aren’t just logistical; they reflect trust, risk, and strategy in the underground economy. In this blog, we explore which carriers dominate the darknet, how preferences differ across marketplaces, locations, and product categories, and what these patterns reveal about the hidden infrastructure supporting illicit trade.

Shipping is the final connection between vendor and buyer, and on darknet markets the choice of carrier shapes how a transaction is carried out. Vendors consider factors such as reliability, delivery speed, risk of scrutiny, and whether the shipment is domestic or international.

Not all listings specify shipping information. In DarkOwl’s enhanced market dataset within its DarkMart data store, a little over half (55%) of listings collected between January 2025 and November 2025 include any shipping details at all. This suggests that many vendors either keep logistics flexible or negotiate them directly with buyers. Among those listings that do include shipping information, the level of detail varies widely. Some specify a particular carrier, while others use general terms like standard or express without naming a particular service. Listings may include multiple carrier options or alternative delivery methods such as dead drops or digital delivery (see Figure 1). In some cases, only shipping price or estimated delivery time is provided, with no carrier identified.

Figures 1 and 2: Example listings with varied shipping options

For consistency, our analysis focuses on the four major global shipping companies most frequently mentioned:

  • USPS – The United States Postal Service (USPS) is the primary postal operator in the U.S., handling nationwide mail and package delivery. Its widespread domestic network makes it a frequent option for shipments within the country. Because USPS handles so much daily mail volume, some vendors may view it as the safest way to blend in.
  • DHL – An international courier service headquartered in Germany. DHL maintains a strong global presence, particularly in Europe, and provides express and cross-border shipping to more than 220 countries and territories. DHL has a strong footprint in Europe and is known for smooth cross-border shipping, which makes it appealing for vendors sending goods overseas.
  • FedEx – A major U.S.-based courier service offering express, ground, and international delivery. FedEx operates an extensive global logistics network and is well known for its fast turnaround times. Its tight tracking and security can make some vendors hesitant, though others prefer it for speed of delivery.
  • UPS – Another large U.S.-based courier and logistics company with a broad ground and air network. UPS provides domestic and international parcel delivery, along with a wide range of supply-chain services. Vendors who want consistent delivery but don’t need overnight speed may lean toward UPS.

In addition to these major carriers, we also tracked references to regional postal services such as Deutsche Post, Royal Mail, and GLS, as well as nontraditional delivery methods like digital delivery and dead drops. While these alternative methods were less common than standard shipping, they illustrate the variety of strategies vendors use to move goods. Figure 3 below shows the distribution of all delivery types.

Overall, USPS was the most frequently mentioned carrier, named in 34% of listings that name a shipping provider, followed by DHL (24%), FedEx (14%), and UPS (7%). Royal Mail, dead drop, Deutsche Post, and GLS appeared in a smaller subset of listings, with a combined total of 8%. While we considered all of these shipping methods in our analysis, the rest of this blog focuses on the top four carriers: USPS, DHL, FedEx, and UPS.
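Percentages like the ones above come from pulling carrier names out of free-text shipping fields, and the denominator is only the listings that name a provider at all, which is why “55% include any shipping details” and “34% name USPS” measure different populations. The block below is an added example, not DarkOwl’s parser: the alias patterns, the generic-term list and the ten shipping strings are all constructed for this illustration. It separates listings into no shipping information, generic service levels only (“standard”, “express”) and named methods, and reports shares over the named set, counting a listing once per method it names.

```python
"""Extract the delivery methods named in free-text shipping fields and tally them.

Added example, not DarkOwl's parser. The alias patterns and the sample shipping
strings are assumptions; real listings are far messier, and a pattern table
like this needs periodic review against new data.
"""
import re
from collections import Counter

# Assumed alias patterns, matched case-insensitively. Carriers and non-carrier
# delivery methods (dead drop, digital delivery) are tracked in the same table.
METHOD_PATTERNS = {
    "USPS": r"\busps\b|\bus\s*postal\b|\bpriority\s*mail\b",
    "DHL": r"\bdhl\b",
    "FedEx": r"\bfed\s*ex\b",
    "UPS": r"\bups\b",
    "Royal Mail": r"\broyal\s*mail\b",
    "Deutsche Post": r"\bdeutsche\s*post\b",
    "GLS": r"\bgls\b",
    "Dead drop": r"\bdead\s*drops?\b",
    "Digital delivery": r"\bdigital\s*delivery\b|\binstant\s*delivery\b|\bautoshop\b",
}
COMPILED = {name: re.compile(p, re.I) for name, p in METHOD_PATTERNS.items()}
# Generic terms that describe a service level without naming a carrier.
GENERIC = re.compile(r"\b(standard|express|tracked|untracked|stealth|registered)\b", re.I)

# Constructed shipping fields as they might appear on listings.
LISTINGS = [
    {"shipping": "USPS Priority 2-3 days, tracked"},
    {"shipping": "DHL Express worldwide / Deutsche Post domestic"},
    {"shipping": "FedEx or UPS, buyer chooses"},
    {"shipping": "standard shipping 5-7 days"},
    {"shipping": None},
    {"shipping": "Royal Mail 1st class, stealth"},
    {"shipping": "Digital delivery within 24h"},
    {"shipping": "USPS first class or dead drop (local only)"},
    {"shipping": "express, 12 EUR"},
    {"shipping": "dhl express / fedex international priority"},
]


def methods_in(shipping_text):
    """Set of delivery methods named in one shipping field (empty if none)."""
    if not shipping_text:
        return set()
    return {name for name, rx in COMPILED.items() if rx.search(shipping_text)}


def coverage(listings):
    """How many listings give no shipping info, generic terms only, or a named method."""
    out = Counter()
    for item in listings:
        text = item.get("shipping")
        if not text:
            out["no_shipping_info"] += 1
        elif methods_in(text):
            out["method_named"] += 1
        elif GENERIC.search(text):
            out["generic_only"] += 1
        else:
            out["other"] += 1
    return dict(out)


def method_shares(listings):
    """Share of listings naming each method, among listings that name at least one.

    A listing naming two methods counts once for each, so shares can sum to more
    than 1.0; the denominator is returned alongside so that stays visible.
    """
    named = [m for m in (methods_in(i.get("shipping")) for i in listings) if m]
    counts = Counter()
    for methods in named:
        counts.update(methods)
    return {k: v / len(named) for k, v in counts.items()}, len(named)


if __name__ == "__main__":
    print(coverage(LISTINGS))
    shares, n = method_shares(LISTINGS)
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{name:18s} {100 * share:5.1f}% of {n}")
```

The word-boundary anchors are not decorative: `ups` without them would fire inside `pickups` or `USPS`, and a short token like `gls` needs the same protection. Any alias table of this kind drifts as vendors change wording, so the `other` bucket in `coverage` is the place to look for new phrasings that deserve a pattern.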

Figure 3: shipping type distribution, based on number of listings within DarkOwl’s DarkMart data store

Shipping patterns vary noticeably across darknet marketplaces. Some sites show clear loyalty to certain carriers, while others provide a mix of options. For example, MGM Grand, Dark Matter, Mars Market, and Velox Market are dominated by USPS listings, suggesting a preference for this domestic carrier. On the other hand, Crown Market, TorZon Market, and DrugHub display a more balanced mix, with FedEx and DHL appearing frequently. Certain markets, such as Courier Market, Halfbreed, and King Market, lean more heavily toward DHL, particularly for international shipments. Meanwhile, Revolution Market and Ares offer a fairly even spread across at least three of the four major carriers. Notably, UPS does not dominate in any marketplace, appearing more sporadically across listings. Figure 4 illustrates the distribution of shipping options across these top markets.

Figure 4: Distribution of shipping types across the top markets

Beyond marketplace-level trends, we also examined the origins and destinations of shipments for each major carrier. For this analysis, we focused on listings specifying country-to-country routes, rather than broader “country-to-worldwide” entries. Each country was mapped to its corresponding region or continent to simplify the view. Figure 5 presents these flows using Sankey diagrams, which visually show the volume of shipments between source and destination regions.

USPS listings show a heavy concentration of domestic deliveries within North America, along with a notable stream of transatlantic shipments to Europe. DHL’s activity is also centered around Europe, but it distinguishes itself as the primary carrier facilitating large volumes of shipments moving from Europe to Asia and Oceania. FedEx, by contrast, is dominated by routes from North America to Africa and Europe, with comparatively fewer packages staying within North America. UPS displays yet another pattern: most of its activity remains within Europe, with a smaller, though visible, share of shipments originating in North America and heading primarily to African destinations.

These patterns highlight the distinct regional footprints of each carrier. North American vendors rely heavily on USPS and FedEx for both domestic and transatlantic shipments, while European markets are served mainly by UPS and DHL. DHL’s broader international reach underscores its role in longer-distance trade, particularly to Asia and Oceania. Overall, the flow patterns reveal how vendors align carrier choice with both origin and destination regions, reflecting practical considerations like geographic coverage, shipping speed, and the global nature of darknet commerce.
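Both Figure 4 in the marketplace overview and the per-carrier Sankey diagrams here rest on the same preprocessing: map each declared country to a region, drop “worldwide” entries, and count source-to-destination pairs, optionally restricted to listings naming one carrier. The block below is an added example, not DarkOwl’s code. Its country-to-region table is a small assumed subset (a real run would use a full ISO 3166 table) and the listings are constructed. Origins and destinations are taken as declared, so an implausible route such as Antarctica to Antarctica flows through to the output exactly as the vendor wrote it, which is the behaviour the “reportedly” in the earlier post describes.

```python
"""Aggregate vendor-declared shipping routes into region-to-region flows,
overall or for one carrier, as the input a Sankey diagram needs.

Added example, not DarkOwl's code. The country-to-region table is a small
assumed subset and the listings are constructed; a real run would use a full
ISO 3166 table. Origins and destinations are taken as declared on the listing,
so implausible entries (an Antarctica route, say) pass through unchanged.
"""
from collections import Counter

# Assumed subset of a country-to-region table.
REGION = {
    "US": "North America", "CA": "North America", "MX": "North America",
    "DE": "Europe", "NL": "Europe", "GB": "Europe", "FR": "Europe",
    "AU": "Oceania", "JP": "Asia", "CN": "Asia",
    "NG": "Africa", "ZA": "Africa", "AQ": "Antarctica",
}
WORLDWIDE = {"", "WW", "WORLDWIDE"}

# Constructed listings: declared origin, declared destinations, carriers named.
LISTINGS = [
    {"ships_from": "US", "ships_to": ["US", "CA"], "carriers": {"USPS"}},
    {"ships_from": "US", "ships_to": ["WW"], "carriers": {"USPS"}},
    {"ships_from": "DE", "ships_to": ["DE", "NL", "AU", "JP"], "carriers": {"DHL"}},
    {"ships_from": "NL", "ships_to": ["FR", "GB"], "carriers": {"UPS"}},
    {"ships_from": "US", "ships_to": ["NG", "GB"], "carriers": {"FedEx"}},
    {"ships_from": "AQ", "ships_to": ["AQ"], "carriers": set()},
    {"ships_from": "GB", "ships_to": ["Worldwide", "GB"], "carriers": {"Royal Mail"}},
]


def to_region(code):
    """Region for a country code; None for worldwide/blank; 'Unknown' if unmapped."""
    code = (code or "").strip().upper()
    if code in WORLDWIDE:
        return None
    return REGION.get(code, "Unknown")


def flows(listings, carrier=None):
    """Count (source region, destination region) pairs, one per declared destination.

    Worldwide origins or destinations are dropped and counted in `skipped`,
    matching the exclusion of 'worldwide' entries in the text. With `carrier`
    set, only listings naming that carrier are included.
    """
    counts, skipped = Counter(), 0
    for item in listings:
        if carrier is not None and carrier not in item.get("carriers", ()):
            continue
        src = to_region(item.get("ships_from"))
        for dst_code in item.get("ships_to", []):
            dst = to_region(dst_code)
            if src is None or dst is None:
                skipped += 1
                continue
            counts[(src, dst)] += 1
    return counts, skipped


def intra_region_share(counts):
    """Fraction of routes that stay inside one region (the 'regional' share)."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(n for (src, dst), n in counts.items() if src == dst) / total


def sankey_rows(counts):
    """Rows of (source, target, value) sorted by value, ready for plotting."""
    return sorted(((s, d, n) for (s, d), n in counts.items()), key=lambda r: -r[2])


if __name__ == "__main__":
    for name in (None, "USPS", "DHL", "FedEx", "UPS"):
        counts, skipped = flows(LISTINGS, name)
        print(name or "all", f"skipped={skipped}",
              f"regional={intra_region_share(counts):.2f}", sankey_rows(counts))
```

Reporting `skipped` next to each diagram is the check a reader of these figures would want: a carrier whose listings are mostly “ships to worldwide” contributes little to the Sankey even if it is heavily used, so the flow chart alone understates it.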

Figure 5: Shipping to/from for (a) USPS, (b) DHL, (c) FedEx, and (d) UPS

We also reviewed which types of products were being shipped by each carrier. To do this, we looked at the product categories listed in each shipment and normalized them for consistency, focusing only on listings that included both a category and one of the major carriers. Figure 6 shows how each carrier is distributed across the top three categories.

Unsurprisingly, Drugs and Chemicals made up the largest share of shipments, followed by Fraud and Counterfeit Items. Drugs and Chemicals include illicit narcotics, prescription medications, and psychoactive substances, as well as precursor chemicals. Fraud includes items such as stolen credit card data, phishing kits, and fake IDs, while Counterfeit Items include counterfeit currency, fake branded goods (e.g., watches and bags), and forged documents. USPS clearly dominates the Drugs and Chemicals category, with DHL and FedEx appearing less frequently. DHL stands out as the primary carrier for Fraud and Counterfeit goods.

Figure 6: Category shipping by type

These patterns hint at how vendors match products to carriers based on shipping needs. USPS’s prominence in drugs and chemicals suggests a focus on domestic or shorter-range shipments, whereas DHL’s role in fraud and counterfeit items highlights its reach for international deliveries. FedEx’s presence across multiple categories may indicate its flexibility for both speed and cross-border logistics. Overall, the distribution of products across carriers gives a window into the practical considerations shaping darknet shipping—showing how the type of product can influence both the choice of carrier and the geographic scope of the shipment.

Shipping on the darknet is far from random; it is a carefully chosen part of the trade. Different carriers dominate specific markets, regions, and product types. USPS dominates deliveries within the U.S., especially for drugs and chemicals, while DHL and FedEx handle more international shipments and fraud-related goods. UPS shows up but rarely takes the lead. Across marketplaces, countries, and product types, clear patterns emerge: vendors align their carriers with the practical demands of each shipment, from speed and reliability to geographic reach. These trends reveal that even in illegal markets, logistics and strategy matter. By looking at how goods move, we gain a window into the hidden infrastructure that keeps darknet commerce running, an underground network that is as much about moving packages as it is about managing risk and trust.


Cyberattacks on Universities

December 9, 2025

Hackers are always looking to gain access to sensitive information to ransom or sell. In recent years, there has been a surge in attacks on universities, which hold large databases and typically run more vulnerable systems. The most common attacks that compromise university systems are phishing, ransomware, and distributed denial-of-service (DDoS) attacks. Phishing tricks users into revealing login credentials, ransomware locks critical data until a payment is made, and DDoS attacks overwhelm systems to disrupt services.

Universities can face major disruptions if their network is compromised by threat actors. There have been multiple cases where universities have had to shut down their networks to contain the problem, causing huge disruption to staff and students. If a university deems it necessary to shut down its network, the immediate effects are an annoyed student body and frustrated staff, and in the long term it can cost the school millions. Students expect their university to stay on schedule throughout the year, which is why a network shutdown reflects poorly on the university.

Ransomware groups especially put pressure on universities because attackers assume they will receive a payment shortly after ransoming data, given a university’s low tolerance for leaked information being made public and for possible long periods of downtime. Furthermore, the school can face lawsuits from students if information is not handled correctly. This is why, when a ransomware group successfully attacks a university, the ransom often appears to be paid within a few days.

Universities are required by law to keep sensitive information like social security numbers, bank accounts, and health records secure. One example of a law that governs how universities handle information is FERPA (the Family Educational Rights and Privacy Act). For students over the age of 18, this law ensures that schools do not release any information without the student’s consent. This is why, when breaches occur, universities tend to face lawsuits for not properly securing their students’ and/or alumni’s data. Even when the ransom is paid and the data is not leaked, students, alumni, or faculty can still pursue legal action on the grounds of negligence.

University of Michigan

In August 2023, a major data breach occurred at the University of Michigan. Around 230,000 students, alumni, and employees were affected by the breach. The threat actors stole financial accounts, social security numbers, driver’s license details, and health information.

While the vulnerability that the attackers exploited was never released to the public, the University found the attackers stole the information from the University’s Health Service and School of Dentistry. Once the attack was detected by the University, they immediately shut down their network. The internet shutdown across all three of their campuses ultimately lasted four days during the first week of classes and stopped University operations during that period. The University of Michigan faced two lawsuits after the attack. Both claim that the University was negligent with the security of information. It is unknown if this information was released or who was behind the attack.

Stanford University

Another 2023 cyberattack, coming only a month after the University of Michigan breach, was the cyberattack on Stanford University. Unlike the Michigan attack, this one was claimed by a ransomware group called Akira.

The data Akira gathered was from Stanford’s Department of Public Safety. They claimed to have 430GB of data that would be released unless a ransom was paid. The group later released a link so that others could download this data. The data they claimed to have consisted of “private information and confidential documents”. Stanford never disclosed what information was stolen or whether it paid Akira. What we do know is that the FBI has advised companies and universities not to pay ransoms and instead to report the incident immediately to law enforcement.

The image below shows Akira announcing the leak on their leak site; the post also included the download link, which is not shown in the image.

Ransomware groups will make data available if victims do not pay; this can lead to further attacks against the victims or organizations in their supply chain, as information found in this data can be used for further phishing or social engineering attacks.

Figure 1: Akira announcing information about the leak on their leak site; Source: DarkOwl Vision

Multi University Attack

The ransomware group Cl0p was responsible for a series of attacks on universities in May of 2023. They were able to exploit a file transfer tool called MOVEit. At the time, MOVEit was known to have a high level of security, especially because many of the files moved through the software contained sensitive information. MOVEit handled file transfers for many other organizations, meaning this attack was not limited to universities.

Some of the universities that reported the attack included UCLA, Rutgers, and Missouri. These universities reported student and faculty Social Security numbers and financial account information being posted online.

Some analysts believe this attack should not be considered a ransomware attack since the compromised data was never encrypted. However, Cl0p still demanded payments from some universities for the return of the data. Recently, some ransomware groups like Cl0p have stopped encrypting stolen data and instead pressure people or organizations into paying purely on the threat of releasing the data online.

A company called Netwrix surveyed 1,309 IT and security professionals globally during 2024 and found that 77% of organizations in the education sector reported an attack on their systems within the past 12 months. This number was up 8% from 2023, which suggests an upward trend in cyberattacks on schools and universities.

In 2025, the education sector has been the number one target for cybercriminals and ransomware groups. Specifically, DeepStrike reported that the two main threats are phishing and ransomware, explaining that schools and universities typically have highly vulnerable systems and large amounts of data, two characteristics that make them top targets.

The easiest way for universities to protect against an attack is to enforce strong authentication requirements. Access to the network should require a login tied to a student or faculty ID, with multi-factor authentication as a second layer. This approach also makes it easier to track malicious activity by linking activity on the network to an ID.

Another measure that can be overlooked is security software on school computers. These computers are often directly connected to the network, so compromising one can give an attacker access to all of them. The main problem with updating all the software is that it takes a lot of time and usually can’t be done all at once. A good time to update systems is over Fall, Thanksgiving, Winter, or Spring break, when these computers are not being used.

Finally, make sure faculty and students are aware of phishing emails. Humans can be just as vulnerable as a computer – always keep your passwords secure and do not download suspicious-looking files.


To read more about security best practices, check out this blog.

How Threat Actors Get Their Names and How They Operate on the Darknet

December 03, 2025

Have you ever wondered how threat actors end up with names like Cozy Bear, Lazarus Group, Conti, ShinyHunters, or Lapsus? They sound dramatic, almost cinematic, but the real story behind them is far more practical. In the cybersecurity world, these names serve as anchor points that help researchers follow long running patterns of behavior without getting buried in technical descriptions.

Most threat groups don’t identify themselves or leave any sort of signature. Analysts make those connections by looking for shared tools, similar infrastructure, recurring techniques, and familiar mistakes. When the same elements appear across multiple incidents, known collectively as tactics, techniques, and procedures (TTPs), researchers often assess that they’re dealing with a single group or a tightly connected team. Giving a group a name makes it possible to track them across years, industries, and geopolitical shifts, and to compare findings with other professionals.

Different cybersecurity companies and intelligence teams have their own naming styles. CrowdStrike is well known for animal themed names, which is where Cozy Bear and Fancy Bear came from, with “bear” being the code for Russian activity. Other organizations use minerals, weather patterns (Microsoft), codes, or even something pulled from the first case they studied – like a server alias or a fragment of code. Sometimes the naming process is almost accidental. A small detail in a malware sample might stand out and eventually evolve into the label everyone uses. What begins as shorthand inside a research team can turn into the name recognized globally.  

However, some threat actors have also been known to choose their own names, especially the ones who care about visibility on the Darknet, such as ShinyHunters and Lapsus, who built brands intentionally. Their names help them attract attention, buyers, or recruits. State-aligned actors tend to avoid that entirely, attempting to obfuscate their activities as much as possible. Their operations rely on staying quiet; however, there can be overlap with criminal or hacktivist groups, which makes it difficult for security researchers to assign a name to activities.

When a threat actor has a name, investigators can organize everything known about them into a structured profile. As new attacks occur, every shared pattern strengthens the understanding of that group’s behavior – sometimes leading to the identification of new groups. Analysts track the malware the group uses, how often it reuses infrastructure, the hours that match its activity, and the types of organizations it targets. Over time, this can form a reliable behavioral fingerprint. When a new intrusion resembles a known group, the name brings an entire history of techniques and motives with it.

This shared language is one of the reasons naming matters. It lets analysts talk about complex activities in a way others can quickly understand.

The darknet often gets portrayed as chaotic, but most real activity happens inside structured, closed off communities. These spaces act like ecosystems where reputation, connections, and trust shape everything. They include invite-only forums, encrypted marketplaces, long running chat groups, and networks that link buyers and sellers. Threat actors maintain long term aliases and build trust through proven deals, technical skill, and vouches from known members. Even criminals fear scams and infiltration, so new participants usually need some form of verification before gaining access.

Each community has its own culture. Some focus on selling stolen data or credentials. Others exist for trading access to compromised networks. Some offer malware and related tools as a service. A few give actors a platform for leaking data to build notoriety. Every one of these spaces has its own rules, moderators, and internal politics.

Darknet ecosystems change constantly. Markets shut down without warning. Administrators disappear. Forums break apart and reappear under new names. Actors move with them, carrying their habits and relationships across these spaces. Those recurring habits become valuable clues for investigators.

Attribution can look mysterious, but it relies on patterns, not guesses. Analysts gather small details across multiple incidents and compare them to what’s known about existing groups. They look at coding styles, compile choices, command structures, and mistakes that show up repeatedly. They watch for reused infrastructure, similarities in target selection, and operational timing that matches specific regions. One group might favor certain hosting providers, while another consistently makes the same configuration errors. No single clue reveals the truth. Attribution is a cautious process that builds confidence over time. That’s why researchers use phrases like “consistent with” or “aligned with known activity.” They’re acknowledging the direction the evidence points without claiming absolute certainty.

To understand threat actors fully, you need visibility into the places where they operate, communicate, and adapt. That’s where DarkOwl plays a central role. The darknet is intentionally fragmented and difficult to navigate, built on temporary platforms, closed doors, and hidden communities. DarkOwl collects intelligence from these hard-to-reach areas and provides the broader context needed to make sense of threat activity. DarkOwl monitors closed forums, high turnover marketplaces, encrypted groups, leaked datasets, and messaging boards that appear and disappear quickly. This depth of coverage helps analysts spot new trends early, identify resurfacing aliases, follow market shifts, and track the growth of emerging communities.

While DarkOwl doesn’t reveal identities on its own, the intelligence it provides forms the environment around each clue. It helps investigators see how threat actors move, when their chatter increases, how their tools circulate, and when a group seems to be preparing for something new. That broader view is essential for understanding the full lifecycle of threat activity.

Threat actor names might sound theatrical, but they serve a practical purpose in organizing complex information. They help analysts talk about long running patterns, understand motives, and communicate findings across the industry. Once you see how these names emerge and how threat actors operate on the darknet, the landscape becomes easier to understand. DarkOwl’s intelligence adds critical visibility into the hidden corners of that landscape. Combined with naming conventions, behavioral profiling, and attribution techniques, the insight DarkOwl provides gives organizations a clearer view of the threats they’re facing and how those threats evolve.


Check out our Threat Actor Profiling.

Threat Intelligence RoundUp: November

December 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

On November 03, three former employees of the cybersecurity companies DigitalMint and Sygnia were indicted in district court for “allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.” The individuals, Kevin Tyler Martin of Roanoke, Texas, and Ryan Clifford Goldberg of Watkinsville, Georgia, and an unnamed accomplice are facing multiple charges including interference with interstate commerce by extortion and intentional damage to protected computers. During the aforementioned time period, BlackCat gained access to victims’ networks, stole data, employed malware, and demanded cryptocurrency in exchange for decryption keys and a promise not to leak the stolen data. Read full article.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combining these vulnerabilities allows the creation of accounts with elevated privileges and the deposit of executable files into a web-served directory, resulting in complete compromise of the application. Starting in March, CVE-2025-24893 was exploited against XWiki in a two-stage attack chain that delivers a cryptocurrency miner. Article here.

On October 31, the University of Pennsylvania announced that its information systems for development and alumni activities had been compromised. Using an employee’s PennKey SSO account, the threat actor was able to gain access to “the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.” This access provided the threat actors with 1.71 GB of internal documents as well as 1.2 million records of donor information. The hackers claim the attack was not politically motivated but posted on hacking forums that they targeted the university due to its “alleged DEI practices, admissions policies, and love of nepobabies.” Read more here.

Following a seven-year investigation by the Met’s Economic Crime team, a 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was found guilty of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. Qian earned the name “Bitcoin Queen” in China after promoting the currency as “digital gold”. After her scheme was uncovered in 2017, she converted the proceeds into Bitcoin and fled to the United Kingdom, where, with the help of an associate named Jian Wen, she attempted to launder the cryptocurrency through property purchases. Qian was arrested in 2024, when law enforcement seized assets worth $14.4 million, as well as cryptocurrency wallets, encrypted devices, cash, and gold. Read here.

5. Malicious NuGet packages drop disruptive ‘time bombs’ – The Bleeping Computer

NuGet, an open source package manager and software distribution system, identified several sabotaged packages scheduled to activate in 2027 and 2028. The packages target three major database providers used in .NET applications, with the most dangerous targeting Sharp7Extend. Using a probabilistic trigger, the malicious code may or may not fire in August 2027 and November 2028. According to Socket researchers, the packages contain 99% legitimate code in an attempt to create a “false sense of security”. Learn more.

6. APT37 hackers abuse Google Find Hub in Android data-wiping attacks – Bleeping Computer

North Korean hackers, APT37, have been discovered abusing Google’s Find Hub Tool to target South Koreans. Victims are approached through KakaoTalk messenger, a popular instant messaging app. Spear-phishing messages transmitted through KakaoTalk impersonate South Korea’s National Tax Service, the police, and other agencies to deceive recipients into interacting. If someone opens the attached MSI file (or a ZIP that contains it), the program runs two hidden scripts: one to install the malicious code and one that pops up a fake “language pack error” to fool the user. Meanwhile the malware grabs the victim’s Google and Naver login details, signs into their email accounts, changes security settings, and deletes traces of the break-in. Read full article.

7. Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks – The Hacker News

Iranian threat actors, known for espionage-driven attacks, have been observed deploying the backdoors TWOSTROKE and DEEPROOT against Middle Eastern industries. Mandiant attributes the activity to UNC1549 (aka Nimbus Manticore and Subtle Snail). According to Google, these infection chains blend phishing campaigns aimed at stealing credentials with malware delivery operations that exploit trusted relationships with third-party vendors. Although the primary targets maintain strong security defenses, some third-party partners remain vulnerable, creating a ‘weak link’ that groups like UNC1549 can exploit. Read full article.

8. Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters – Bleeping Computer

The threat actor group Scattered Lapsus$ Hunters has announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. The group announced on their Telegram channel that the ransomware was in development and will be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl Selected as the Darknet Technology of Choice for Channel 4’s ‘Hunted’

November 25, 2025

The eighth series of the popular, BAFTA-nominated TV show ‘Hunted’ came to a dramatic end this month.  

Hunted is a gripping reality series that pits volunteer civilian ‘fugitives’ against a professional team of ‘Hunters’ – comprising former intelligence officers, police detectives, and cyber analysts – who employ real-world investigative techniques to try to track them down within 28 days.

The TV show regularly attracts over 2 million viewers per episode. 

In this series, the Hunters were able to catch 13 out of the 14 original fugitives within the time frame. This is the most successful capture record in the history of the show.

In the programme, the ‘fugitives’ must try to evade simulated capture by Hunters who leverage an impressive arsenal of capabilities: CCTV networks, ANPR systems, mobile phone tracking, financial surveillance, OSINT and behavioural profiling.  

The Hunters establish pattern-of-life analysis, exploit OPSEC failures, conduct tactical ground operations, and demonstrate how modern surveillance infrastructure creates a near-inescapable digital dragnet.  

The show illustrates the investigative challenges of resource allocation, intelligence fusion, and the cat-and-mouse dynamics between human behaviour and technical collection, while exposing how difficult it truly is to disappear in a modern surveillance state. 

In this series, DarkOwl was selected as one of the handful of intelligence tools (and the sole Darknet technology) to assist the Hunters in their London HQ. 

Daisy Hickman – an OSINT specialist Hunter who holds an MSc in Forensic Investigation – commented on her experience with DarkOwl (in her capacity as a DarkOwl super-user during the show):

“DarkOwl proved critical to our time-sensitive fugitive operations, and the easy to use interface and comprehensive data was an invaluable part of our OSINT analysis.” 

By continuously indexing high-value darknet websites, fora, marketplaces, chans, leak databases, Telegram channels and beyond, DarkOwl reconciles underground activities and personas with real-world events and people for all levels of intelligence analyst. 

DarkOwl was pleased to support Hunted, not least as it provided a good opportunity to showcase the power of DARKINT techniques for fast paced criminal investigations. 


Watch the latest series of Shine TV/Channel 4’s Hunted, and find out more about DarkOwl Vision.

Beware: Black Friday Scams 

November 18, 2025

In anticipation of the year’s busiest shopping day, scammers employ a variety of deceptive tactics designed to exploit eager shoppers, continually adapting their schemes to stay ahead of detection. 

From fake online stores advertising bogus discounts to scammers sending fraudulent delivery notifications during the busy shopping season, consumers face plenty of risks to watch out for. The rise of deceptive scams during the holidays highlights the many tactics fraudsters use to exploit consumers and dampen the festive spirit. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during their shopping activities. 

One of the most common scams cybercriminals run is fake shopping sites that mimic the real sites of well-known retailers. These deceptive websites often imitate legitimate domain names and lure unsuspecting shoppers with seemingly irresistible discounts. To enhance their credibility, they frequently run fake social media ads that direct victims to counterfeit pages, adding a false sense of legitimacy to the scam.

Once shoppers enter their personal information and check out, scammers receive the personal data, which usually involves banking details. These scams can lead to financial loss and identity theft, which can affect people more severely during the holiday season.  

How to Protect Yourself: 

  • Double check website URLs.
  • Visit retailers’ official websites, rather than clicking an unaffiliated link. 
  • If possible, use secure payment methods that offer fraud protection.  

With the rise in online shopping, promotional emails are utilized by most stores to promote their Black Friday sales. Darktrace’s global analyst team revealed that Christmas-themed phishing attacks for Black Friday and Cyber Monday “deals” soar throughout the month of November (over 600%!).  

To capitalize on this, one method used by cybercriminals is sending phishing emails promoting “exclusive offers” or “limited-time flash sales”. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware. These emails can also lead to fake stores, as mentioned above.  An additional example includes emails claiming a user’s account is “locked or disabled”. 

How To Protect Yourself: 

  • Ensure the sender has a trusted email address, showing the correct domain. 
  • Trust your instincts if the message seems “off” and possibly written by AI. 
  • Do not give any personal information via email; the majority of retailers would not require this information via email correspondence.

In recent years, scammers have begun sending fake text messages that claim to be from carriers like UPS, FedEx, and USPS, stating there is an issue with a delivery. These messages include a fake tracking link that, if clicked, puts your data at risk. The link may lead to a site asking you to enter personal data or could install malware onto your phone or computer.

With most holiday shopping being online, these types of scams may increase throughout the holiday season. According to the FCC “If you receive suspicious email, text or phone messages, go to the delivery carrier’s website directly or use the retailer’s tracking tools to verify”. Carriers also offer advice and protocols on their websites with things to look out for and ways they legitimately contact individuals.  

How To Protect Yourself: 

  • If there is any doubt about validity, contact the company directly.
  • Verify independently by going to the carrier’s website.
  • Do not reply or click on any links. 
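One way to make the “double check website URLs” and “verify the sender’s domain” advice from the fake-store and delivery-scam sections above repeatable, as an added example that is not part of the original post. The trusted-domain table, the look-alike character table, and the sample links are all constructed assumptions for this example.

```python
"""
Added example (not code from the original post): classify a link from an
email or text as trusted or suspicious for the brand it claims to be from.
The trusted-domain table, the confusable-character table and the sample
links below are constructed assumptions.
"""
from urllib.parse import urlsplit

# Constructed: the registered domains a reader actually trusts for each brand.
TRUSTED_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "usps": {"usps.com"},
}

# Characters commonly swapped for look-alike letters in imitation domains.
# Constructed, deliberately small table: a hint, not a full homoglyph list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registrable_domain(host: str) -> str:
    """Return the last two labels, e.g. 'www.ups.com' -> 'ups.com'.

    Good enough for the .com-style names used here; country-code suffixes
    such as .co.uk would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(name: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def check_link(url: str, claimed_brand: str) -> dict:
    """Decide whether a link belongs to the brand it claims to be from.

    Returns the verdict ('trusted' or 'suspicious'), the registered domain
    the link really goes to, and reason codes for a suspicious verdict.
    Substring matching on the brand name is a heuristic and can over-flag.
    """
    brand = claimed_brand.lower()
    trusted = TRUSTED_DOMAINS.get(brand, set())
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)

    if domain in trusted:
        return {"verdict": "trusted", "domain": domain, "reasons": []}

    reasons = []
    if brand in host:
        # e.g. ups.com.delivery-update.example or fedex-parcel-fee.example:
        # the brand only appears in a subdomain or a hyphenated name.
        reasons.append("brand-in-hostname")
    elif normalize_confusables(domain) in trusted:
        # e.g. u5ps.com standing in for usps.com
        reasons.append("look-alike-characters")
    elif brand in parts.path.lower():
        # e.g. tracking.example/usps/redeliver: the brand is only in the path
        reasons.append("brand-in-path-only")
    else:
        reasons.append("unrecognized-domain")
    if parts.scheme != "https":
        reasons.append("not-https")
    return {"verdict": "suspicious", "domain": domain, "reasons": reasons}


# Constructed sample links of the kind a delivery-scam text or a fake-store
# advert might carry, paired with the brand each one claims to be.
SAMPLE_LINKS = [
    ("https://www.ups.com/track?tracknum=CONSTRUCTED", "UPS"),
    ("http://ups.com.delivery-update.example/track", "UPS"),
    ("https://fedex-parcel-fee.example/pay", "FedEx"),
    ("https://u5ps.com/redeliver", "USPS"),
    ("https://tracking.example/usps/redeliver", "USPS"),
]


def check_all(links=SAMPLE_LINKS):
    """Run check_link over (url, claimed brand) pairs."""
    return [(url, check_link(url, brand)) for url, brand in links]


if __name__ == "__main__":
    for url, result in check_all():
        print(f"{result['verdict']:10} {url}  {result['reasons']}")
```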

Fraudulent Charity Appeals 

Traditionally, the Tuesday following Black Friday is known as Giving Tuesday, when non-profits and charities intensify their outreach efforts to meet seasonal fundraising goals. When donating during the holiday season, it’s important to exercise caution before giving to any charity online. Just as scammers create fake online stores, they also design fraudulent charity websites that imitate legitimate organizations to steal money and collect personal information. 

Additionally, scammers may reach out through unsolicited phone calls, using high-pressure tactics to push victims into making quick donations. They often refuse to provide clear or detailed information and may insist on unconventional payment methods, such as gift cards or wire transfers. 

How To Protect Yourself: 

  • Prior to donating, research the charity.  
  • Donate directly through the charity or organization’s website.
  • Don’t let scammers rush you into donating.

According to the Federal Trade Commission (FTC), shopping fraud ranked as the second most prevalent form of fraud in 2024, with consumers losing more than $12.5 billion. Within this category, online shopping issues represented the second most commonly reported type of fraud. The report from the FTC claims the overall number of scams has remained relatively stable, but more individuals are becoming victims. This indicates that scams are evolving and becoming increasingly difficult to recognize. 

If you fall victim to a scam, remember to protect your finances, contact your bank or credit company, and monitor financial accounts for further suspicious activity. The most important thing for victims to remember is that scams can happen to anyone — and there’s no shame in taking extra precautions. The best defense against Black Friday scams is to stay alert and verify retailers before interacting or making a purchase. By following these steps and keeping this advice in mind, you’ll set yourself up for a safe and successful Black Friday, ensuring your holiday gifts bring only joy this season. 


Curious to learn how DarkOwl can help? Contact us.

What are IoAs?

November 13, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, and indicators of compromise. In this edition, we dive into indicators of attack.

An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.

Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.

It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.

Examples of IoAs in the Darknet that DarkOwl Monitors

  • Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
  • Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
  • TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods. 

How DarkOwl Helps Identify IoAs

  • Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real-time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use-cases.
  • Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data.
  • Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.

DarkOwl helps detect both IoAs and IoCs through its darknet intelligence by surfacing attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, and the sale or use of tooling such as EDR killers, all of which indicate a potential or ongoing attack.
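To make the IoA/IoC distinction above concrete, here is an added example (not DarkOwl code, and not a description of how Vision or Entity API work internally) that triages forum-style posts: it tags behaviors that read as indicators of attack (EDR-killer sales, exploit chatter, access brokering) and separately extracts artifacts that serve as indicators of compromise (IP addresses, domains, file hashes). The pattern names, regular expressions, and sample posts are assumptions made for illustration; the posts are constructed, not real darknet content.

```python
"""Added example: separating indicators of attack (IoAs) from indicators of
compromise (IoCs) in darknet-style text. Not DarkOwl code. The sample posts
are constructed and the IoA pattern names/regexes are illustrative assumptions."""
import re
from dataclasses import dataclass, field

# IoA patterns: behaviors or tooling that suggest an attack is being prepared
# or is under way. Names and regexes are an illustrative assumption, not a
# vendor taxonomy.
IOA_PATTERNS = {
    "edr_killer": re.compile(r"\b(edr|av|defender)\s*(killer|bypass|disabl\w*)\b", re.I),
    "exploit_kit": re.compile(r"\b(exploit\s*kit|0day|zero[- ]day|rce\b)", re.I),
    "evasive_malware": re.compile(r"\b(fud|fully\s+undetectable|crypter|evad\w+\s+detection)\b", re.I),
    # Access brokering: a sale keyword followed somewhere later by an access type.
    "initial_access_sale": re.compile(r"\b(selling|for\s+sale|wts)\b.*\b(vpn|rdp|citrix|access)\b", re.I),
}

# IoC extractors: artifacts that identify an already-observed compromise.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:onion|com|net|org|io|ru|xyz)\b", re.I)


@dataclass
class Triage:
    post_id: str
    ioas: list = field(default_factory=list)   # behavior tags (early warning)
    iocs: dict = field(default_factory=dict)   # artifact type -> sorted values


def triage_post(post_id: str, text: str) -> Triage:
    """Tag IoA behaviors and pull IoC artifacts out of a single post."""
    t = Triage(post_id)
    for name, pat in IOA_PATTERNS.items():
        if pat.search(text):
            t.ioas.append(name)
    iocs = {
        "ipv4": sorted(set(IPV4.findall(text))),
        "sha256": sorted({h.lower() for h in SHA256.findall(text)}),
        "domain": sorted({d.lower() for d in DOMAIN.findall(text)}),
    }
    t.iocs = {k: v for k, v in iocs.items() if v}  # drop empty artifact types
    return t


def summarize(posts: dict) -> dict:
    """Split a batch into early-warning IoA hits and confirmed-artifact IoC hits."""
    results = [triage_post(pid, txt) for pid, txt in posts.items()]
    return {
        "ioa_posts": {r.post_id: r.ioas for r in results if r.ioas},
        "ioc_posts": {r.post_id: r.iocs for r in results if r.iocs},
    }


# Constructed sample posts (not real darknet content).
SAMPLE_POSTS = {
    "p1": "Selling EDR killer, tested against 3 major vendors. FUD crypter included.",
    "p2": "Leak: stolen data from victim dumped at 198.51.100.23 and drop.example.net, "
          "archive sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "p3": "WTS Citrix access to EU manufacturing company, 5k employees.",
    "p4": "Anyone have a writeup on the new 0day in that vpn appliance?",
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_POSTS))
```

Note how the two kinds of signal separate cleanly: p1, p3 and p4 produce only IoA tags (there is nothing yet to block, but there is something to hunt for and to brief the SOC on), while p2 produces only IoCs that can go straight into a blocklist or a retrospective log search. The access-brokering pattern in p4 does not fire because the post mentions a VPN appliance without any sale keyword, which is the kind of precision check worth keeping when tuning keyword-based monitoring.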

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to strengthening cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who conduct attacks, often targeting organizations, governments, or individuals. Understanding why they operate, what they hope to achieve, and what methodologies they use helps analysts protect infrastructure and predict future activity. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step toward understanding actors' strategies. This information can be invaluable in understanding how attacks are executed and identifying potential gaps in an organization's defenses.

With DarkOwl's Actor Explore, users can review analyst-curated insights into threat actor groups active on the darknet and beyond. We cover the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors, such as their motivations, TTPs, victims, and activities, provides intelligence that allows analysts to predict behavior and take proactive steps to protect their organizations.

Product Highlight: DarkSonar API

With cyberattacks on the rise, organizations need better intelligence to safeguard themselves, their employees, and their customers from incidents such as data breaches and ransomware attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to assess that risk and take mitigating action.

DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

General Motors

In April 2022, General Motors disclosed that it suffered a credential stuffing attack. The attackers accessed customers' personally identifiable information (PII) and redeemed reward points for gift cards.

Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.

Colonial Pipeline

In late April 2021, hackers gained entry to the networks of Colonial Pipeline Co. The hack, which took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial's network, he said.

Takeaway: DarkSonar detects plaintext credentials available on the darknet.

Fujifilm

In early June 2021, Fujifilm's servers were infected with ransomware. The company never released specific details, but the intrusion is believed to have involved Qbot, a trojan and loader that is commonly used to stage ransomware deployments. Qbot infections are typically initiated by phishing.

Takeaway: DarkSonar detected an increase in email exposure, which can be used as part of a phishing attack.
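As an added illustration of the "abnormal increase" signal described in the takeaways above (this is not DarkSonar's scoring method, which the page does not disclose), the following Python flags months in which a domain's newly observed credential exposure departs sharply from its recent baseline. The monthly counts, the plaintext/hash weighting, and the threshold are constructed assumptions.

```python
"""Added example: flagging an abnormal rise in an organization's exposed
credentials over time. Illustrative only, not DarkSonar's actual scoring.
All monthly counts below are constructed, not real observations."""
from statistics import median
from typing import List, Tuple

# Constructed monthly counts of newly observed credentials for one domain:
# (month, plaintext_password_count, hashed_password_count)
OBSERVED: List[Tuple[str, int, int]] = [
    ("2021-06", 12, 40), ("2021-07", 9, 35), ("2021-08", 15, 44),
    ("2021-09", 11, 38), ("2021-10", 14, 41), ("2021-11", 10, 39),
    ("2021-12", 13, 42), ("2022-01", 58, 120), ("2022-02", 91, 210),
    ("2022-03", 130, 260),
]

# Plaintext credentials are directly usable for credential stuffing, so they
# are weighted above hashes. The weights are an assumption for illustration.
PLAINTEXT_WEIGHT = 3.0
HASHED_WEIGHT = 1.0


def exposure_score(plaintext: int, hashed: int) -> float:
    """Weighted exposure for one month."""
    return PLAINTEXT_WEIGHT * plaintext + HASHED_WEIGHT * hashed


def robust_z(value: float, window: List[float]) -> float:
    """Robust z-score using median and median absolute deviation (MAD).
    0.6745 rescales MAD so it is comparable to a standard deviation for
    normally distributed data. A MAD floor avoids dividing by zero on a
    perfectly flat baseline."""
    med = median(window)
    mad = max(median([abs(x - med) for x in window]), 1.0)
    return 0.6745 * (value - med) / mad


def flag_abnormal(series: List[Tuple[str, int, int]],
                  baseline_months: int = 6,
                  z_threshold: float = 3.0) -> List[Tuple[str, float, float]]:
    """Return (month, score, z) for months whose exposure score is abnormally
    high relative to the preceding `baseline_months`. The baseline is built
    only from earlier months, so a spike never feeds its own baseline."""
    scores = [exposure_score(p, h) for _, p, h in series]
    flagged = []
    for i in range(baseline_months, len(series)):
        window = scores[i - baseline_months:i]
        z = robust_z(scores[i], window)
        if z >= z_threshold:
            flagged.append((series[i][0], round(scores[i], 1), round(z, 1)))
    return flagged


if __name__ == "__main__":
    for month, score, z in flag_abnormal(OBSERVED):
        print(f"{month}: exposure={score} robust_z={z}")
```

Median and MAD were chosen over mean and standard deviation on purpose: once the first spike month enters the rolling window, a mean-based baseline is dragged upward and its standard deviation inflated, so the following months can fall back under the threshold even though exposure is still climbing. With the constructed data above, a mean/stdev variant would miss 2022-03 for exactly that reason, while the robust version flags all three months of sustained growth.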


Contact us to learn more.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.