First appearing on the scene in December 2023, Handala Hack Team (Handala) established their presence as a pro-Palestinian hacktivist group via a Telegram channel and X account. The group described itself as a “small fighter of Hamas,” suggesting it was formed in response to the October 7 attacks that marked the start of the Israel–Hamas war. It was widely regarded as a front for Iran’s cyberwarfare operations and as one of several personas employed by the Iranian Ministry of Intelligence to claim responsibility for cyberattacks, a conclusion later confirmed by the Justice Department.
Early activity suggested the group primarily targeted the Israeli government and its citizens. Following Operation Epic Fury in February 2026, it carried out two significant attacks targeting the U.S.-affiliated Stryker medical manufacturer and FBI Director Kash Patel.
The Start
The first large-scale attack by Handala targeted Israel’s Iron Dome, a high-profile target for many hacktivist groups. Handala claimed to have successfully hacked into a “multi-purpose tactical radars company”, DRS RADA. The group shared several screenshots that appear to show internal system interfaces, along with evidence of defaced websites (specifically rada[.]com and rada[.]co[.]il), and issued a threat to release up to 2 terabytes of data. At first glance, this suggested a potentially serious breach. A closer look, however, revealed some important gaps: the official website for DRS RADA (drsrada.com) was not among the defaced domains, and no actual data leaks or downloadable files were made available to support the claim of a large-scale exfiltration, leaving researchers questioning whether the group’s claims should be “taken seriously”.
In 2024, the group also shifted its focus toward disrupting infrastructure and targeting Israeli civilians. In one spear-phishing campaign, residents of the Ma’ala Yosef Regional Council received text messages that appeared to come from the MyCity mobile app, a crisis management platform used by local authorities. The messages urged recipients to click a link and download an application, which raised concerns about a targeted attempt to compromise personal devices. In the same month, Handala reportedly carried out a ransomware attack against Ma’agan Michael Kibbutz, exfiltrating approximately 22GB of data and sending more than 5,000 warning text messages. The ransom note included criticism of both the kibbutz and Israel, underscoring the group’s political motivations. Ma’agan Michael is widely regarded as one of the largest and most financially successful kibbutzim in Israel, making it a high-profile target.
Recent Activity
On March 11, 2026, Handala claimed to have wiped tens of thousands of systems and servers belonging to the medical technology company Stryker. In a statement, Handala said that “over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.” The attack allegedly forced offices in 79 countries to shut down. The group gave no details on logistics but declared it had targeted the company in “retaliation for the brutal attack on the Minab school” as well as for the company’s alleged “Zionist” ties. According to media outlets, a Stryker spokesperson announced, “We are currently experiencing a global network disruption affecting the Windows environment.” It was originally assumed that the group had used wiper malware, but following an investigation Stryker stated that no malware or ransomware was found on its systems.
Following this attack, the Justice Department officially confirmed the connection between Handala and Iran’s Ministry of Intelligence and Security (MOIS). According to the department, the MOIS used the Handala-hack[.]to domain to carry out the Stryker attack. This led to the seizure of four domains used by the group (Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to).
On March 27, Handala claimed it had breached the personal email account of FBI Director Kash Patel: “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download.” Watermarked personal photos and documents were subsequently released, including email correspondence from Director Patel’s time prior to assuming the role.
The attack appeared to be carried out in retaliation for the FBI’s seizure of Handala-linked domains after its earlier cyberattack on medical technology company Stryker. In their statement regarding the breach of Director Patel’s personal email account, the FBI reiterated that the Department of State’s Rewards for Justice program is offering up to $10 million “for information leading to the identification of the Handala Hack Team out of Iran.” The seized information appeared to be historical, and the FBI claimed that no government information was acquired or breached.
Tactics, Techniques, and Procedures (TTPs):
Handala’s operations are less about flashy, cutting-edge exploits and more about what works. As seen in their claims regarding the attack on Israel’s Iron Dome, the group appears to have overstated its impact in order to project capabilities beyond what it actually achieved. This pattern is consistent with broader hacktivist behavior, where exaggerated claims and unverified assertions are used to amplify perceived effectiveness. Similar tactics have been observed among pro-Iranian groups such as Ababil of Minab and APT Iran, both of which have blended propaganda with cyber operations.
The group blends destructive malware with social engineering and practical intrusion techniques, creating a toolkit that’s both effective and adaptable. Instead of chasing novel vulnerabilities, they rely on a mix of commercially available tools, custom-built payloads, and “living-off-the-land” methods, leveraging legitimate system features to stay under the radar.
This pragmatic approach gives them a high degree of flexibility. They can quickly adjust tactics depending on the target while still achieving their core objective: disruption. As evidenced by their spear-phishing campaigns, the group has reached hundreds of thousands of individuals but achieved minimal success beyond the initial contact stage. Just as importantly, their campaigns are designed to have a psychological edge, amplifying the impact beyond the immediate technical damage.
Conclusion
The activities attributed to the Handala Hack Team highlight the evolving nature of modern cyber warfare. Operating under the appearance of grassroots hacktivism, the group has been linked to actions that blur the line between data theft, psychological pressure, and disruptive digital attacks. Their operations range from wiping large numbers of corporate devices to exposing personal information of individuals tied to the defense and security sectors, all designed to create both reputational damage and operational disruption.
As geopolitical tensions increasingly extend into cyberspace, the broader message is difficult to ignore: digital infrastructure and personal data are becoming central targets. Whether the target is a corporation, a government-affiliated organization, or a high-profile individual, the boundary between physical and digital conflict continues to erode. As the war with Iran persists, Handala will remain an active threat.
During this webinar, Jennifer Ewbank, DarkOwl Board Director and Former Deputy Director of CIA for Digital Innovation, and DarkOwl’s Chief Business Officer, Alison Halland, explore darknet data’s threat-intelligence capabilities across government and enterprise environments.
In this interview-based session, attendees gained:
A forward-looking view of how regulatory frameworks and intelligence practices will reshape cyber-defense requirements over the next decade.
First-hand perspective on how darknet intelligence informs national-level investigations.
Deep insight into criminal ecosystem behaviors and the evolving tactics threat actors rely on within anonymous networks.
NOTE: Some content has been edited for length and clarity.
Jennifer – I’ve really been looking forward to this conversation with Alison, and it’s great to have all of you who’ve dialed in, and welcome to those who watch the recorded version later. To kick us off, I just wanted to observe that I think most people think of the dark web as a place where criminals and conspiracy theorists gather – and I suppose that’s true. But the real story is maybe a bit more interesting, and the reason we’re here today is that there’s a bit more utility in it all as well.
So today, we want to pull back the curtain a bit on what’s actually there in the darknet, how serious investigators are using information that is collected there, and why increasingly it matters to all sorts of organizations that may really think that this dark corner of the internet has nothing to do with them. It probably does. So Alison Halland is Chief Business Officer of DarkOwl.
DarkOwl is a fantastic company that maintains the world’s largest commercially available index of darknet content. They turn it into insights and intelligence for governments and enterprises and others who track these things. So, this hour together is a conversation. It’s not a lecture. Please do pop your questions into the chat. We want to know what’s of interest to you, what catches your attention.
So with that preamble, we’re going to turn to a question to kick it off. And really, maybe we should start at the beginning because not everyone spends a lot of time studying the dark web. So, let’s start with the basics, Alison. When we say darknet or dark web, what are we actually talking about? And how does DarkOwl collect from that hidden corner of the online world?
Alison – Yeah, thank you, Jennifer. And a big thank you to Jennifer, who has been so helpful as a board member to DarkOwl and helped us steer both our collection and our product in a way that’s going to help folks conduct these investigations. So, this slide in the background summarizes where DarkOwl collects data from.
So, Jennifer’s direct question was, what is the darknet? And interestingly, we’re in a space where I’m not entirely sure there’s consensus on that. I would say most people would agree that Tor is kind of the tried-and-true darknet source. However, DarkOwl’s take is if there are conversations or criminal activity or, you know, interesting back and forth going on, that is an area that we want to collect from.
So, our definition of dark web and dark web adjacent is sometimes broader than some others in the space. I would directly point to this lower right-hand corner, our direct messaging platform collection. There is no doubt that Telegram is our most requested data source today, just given that community, what they’re talking about, the transient nature of it.
We also get a lot of requests for our marketplace and forum data. That I would definitely highlight as well, as an area that, historically, we have a strong collect in – part of that is a reflection of our history and some of the personas that we’ve honed over the years. This is quite frankly a difficult, meaning time consuming, expensive place to collect from. It takes manual work at the onset. Sometimes other providers will defer away from this area, whereas DarkOwl has traditionally hung our hat on really making sure that we have collected from those forums and marketplaces to make sure that we can illuminate that space for the folks coming in and doing investigations.
Jennifer – Great. Well, thank you so much.
Back where I started, I think most people I talk to about the dark web assume that it’s largely going to be drug dealers and ransomware gangs who operate there. And they do, don’t get me wrong. But is that still really the reality, or has this changed in recent years? And what does it look like today?
Alison – It is absolutely an ever-changing ecosystem. The groups and categories you just described flourish in the space, but so do a lot of others. One great example is when people think of dark web marketplaces, they immediately go to narcotics – and narcotics is the most reflected marketplace listing by category in our dataset. However, at least in my time at DarkOwl, the range in what people are selling has grown exponentially. So, you can buy anything from someone’s AWS keys to, I mean, it’s just exploded in terms of what’s being listed there. So, Jennifer, I do think you’re correct that people tend to have a pretty narrow view, but there are so many uses for this data, both on the government and commercial side, in terms of understanding how the criminals are acting in this environment. I’m sure there are folks on this call that have a ton of experience in this space.
And as everyone knows, 2025 was a pretty big year of upheaval for the dark web and, you know, this ecosystem in regards to just so many changes. I mean, when the XSS forum got taken down by Europol, I mean, people don’t just give up – they then move to a different platform, a different forum. There are so many conversations happening in the background at DarkOwl around where are we collecting from next? Are we trying to move to the next platform or the next Telegram channel? And understanding what those flows and data movements look like is extremely important, as you know, from your previous work, Jennifer.
Jennifer – That’s so true. I just think that the diversity of activity that’s represented on the dark web these days is really noteworthy. I imagine there are those who maybe aren’t as familiar who’d be surprised by some of the entities that are operating there, and what they try to do. It’s everything, as we’ve said, from the criminals to, you know, hacktivists, to you name it, all sorts of bad guys.
Alison – And it’s reflective of, like, real world events too. When the conflict broke out in Iran, within three or four days DarkOwl added about 140 Telegram channels to our collection. These were either channels that had just sprung up or had kind of recategorized their purpose, and they were reflective of both sides of the war, and obviously those are conversations that are pretty pertinent to a lot of use cases.
Jennifer – And you mentioned, you didn’t use this word, but how sites come and go, right, and this almost ephemeral nature where they’re moving targets. Is that the reality these days, that, you know, authorities kind of glom on to some sort of criminal activity and then they, what, rebrand, move? How do you track that?
Alison – And part of that is we try and be a member of that community so that we understand where things are going, but that is absolutely the reality – everything is shifting and changing. Some of these marketplaces will gain a huge following, a huge transaction volume, and then overnight there’ll be an exit scam and, you know, that entire marketplace is gone and those sellers are trying to relocate, and a lot of that conversation on where to go, what to do, happens in some of the areas that we’re collecting from. So, we try and be a part of that and follow right along.
Jennifer – I think that’s where your tradecraft and your history really come into play, where you’re able to maintain that collection over time and the insights derived from it. One little kind of asterisk I’ll put on the conversation about what’s out there is just to highlight for folks how the marketplace on the dark web for deep fakes and synthetic personas has just exploded in the last couple of years, along with technology developments that make it much more achievable, easily so, and less expensive to create fake personas, face images, faces, voices, you name it, entire video packages that you can purchase in an online marketplace just as if it were a regular online store, with customer reviews and money back guarantees and all of that kind of stuff. I say that in a kind of funny way, but the reality is pretty grim – how easily one can acquire really sophisticated tools that can defraud a financial entity, that can defraud people, and then there’s a whole scope of just really personal tragedy out there with non-consensual intimate imagery, which is for sale on the dark web. So, lots of things happening there, very little of it good.
Alison – And like the speed of creation with AI on the table is so much faster and you know I think a lot of times folks kind of giggle at the fact that some of the same, all the same marketplace dynamics, are in place like especially in a criminal environment where the only thing you can hang your hat on is you know your reviews or your reputation. So, everything matters in the same way it does if you were transacting legal goods: reviews, reputation, all of that’s really important, so we see a lot of that in terms of how vendors are trying to promote their listings.
Jennifer – Crazy. So, when I was still in government, of course we looked across all these various open source areas as a place where we’re just trying to find some kind of signal in all of that volume of noise, right. We used to talk about a tsunami of data out there and really just trying to figure out what is happening, how can you derive insights that are helpful. In the commercial world, of course, I see that now every day with companies I’m working with. The thing about the darknet data that I found interesting, and that I still find really interesting, is just how much, and you’ve touched on this, how much behavioral insight is there, like how do organizations form, how do they operate, how do their businesses operate, and all of that goes far beyond just “hey I’m selling this illegal product.” So, the collection posture I think is really important here, and DarkOwl has done a really fantastic job of maintaining those insights.
Let’s go just a bit deeper and think about how darknet intelligence works in practice, right. So, you’ve defined what it is, given us some examples of the kinds of information that’s out there, the kinds of actors who operate there. I want to think about how the data actually gets used – how does darknet intelligence contribute to open-source intelligence investigations and, maybe for me and for all of those who’ve signed in, can you walk us through what an analyst is doing when they’re looking for this information and analyzing it?
Alison – I think a pretty typical workflow is coming into the darknet data set with some sort of indicator or an entity. So, trying to identify a person of interest that may be behind and they may come into that investigation having gotten a username off of traditional social media or an email address from a data leak, and then taking that breadcrumb and putting it into the DarkOwl dataset can often be the puzzle piece that’s missing. A lot of the investigations previously, 10-15 years ago, weren’t including this dataset. I think given the structure of the dark web and the fact that folks know that there is some obfuscation happening and that their identity is somewhat protected, I think oftentimes they’re a little more loose on what they’re sharing or presenting.
Coming into the dataset with, let’s say it’s a username, J EWBANK, and then you pop that into the DarkOwl data and lo and behold there’s a vendor on a marketplace that goes by that same name, or an iteration on it, or there happens to be a Telegram channel that’s focusing on extremism and has a user in there with a similar name, and now all of a sudden you have a user ID and you can pivot from there. So, oftentimes it’s coming into the data with an entity and then grabbing one more that you didn’t have previously and either taking that through a different dataset or continuing to follow those breadcrumbs within our data and finding additional pieces of information. There is a whole, especially with the onset of AI and looking at bigger datasets more quickly, there is a whole workflow here around, just like, migration in conversations and movement, and, you know, obviously there’s not a geolocation ability within our dataset in the traditional fashion, but you can do a lot through language detection and, you know, a lot of other techniques as well to figure out where people might be physically located.
Jennifer – Thank you. You may have already alluded to this, but I think of the darknet as this kind of you know, as this cavernous area with little corners and dark rooms and alleys, and bad dudes and vendors hiding there in the shadows, but is there a particular corner these days somewhere out in there in the darknet that you’re finding particularly productive in terms of supporting investigative activities?
Alison – Yeah, I would point right back to Telegram. That’s just become such a critical collection target for us and we’ve seen a growth just in terms of volume around records that are being collected. We also, interestingly, I will say that oftentimes a prospect will ask, you know, how many Telegram channels do you have, and my response is often it’s not so much the quantity but the quality, because there are groups being stood up for, you know, non-criminal reasons, and making sure that you have eyes on the subset that you’re interested in can be crucial because there is a lot of noise. So, I would point to Telegram absolutely and some of the techniques that we’re using to try and get into those channels. You know, these are workflows that can be cumbersome if you’re trying to do it in a manual fashion one-off, versus we’re trying to aggregate and use some of those skills so that we can park all that data in a central location and people can query across all different channels versus having to do that on a one-off basis.
Jennifer – That makes a lot of sense, that’s really where I think expertise comes into play, because you could see where somebody might just think they want to have access to, like, “I want them all,” and that’s not necessarily going to be helpful. I think you can be overwhelmed that way – so the quality of the data is always critical.
A related question – the way you’ve described Telegram, it almost seems to me like it’s now serving as different, let’s say different layers of this ecosystem, right, accomplishing different things. It used to be just, you know, hey we’re going to communicate in something that’s relatively private. So, is it a place where, for example, when a site goes down, people kind of bump to Telegram for a while? Is it a place where you see indicators of bad actors planning, and of course it’s a marketplace too, but, like, do you think of it in that way? Do you think of it as layers or different functions, or is it just the case that, and this is powerful, but with your collection you can kind of accomplish all of that and you just make sure you’re focused on the high quality data?
Alison – No, I think there’s definitely categories that emerge across it. The three that jump to mind that I know our analysts talk about a lot are the signal layers, so around people signaling hey we are going to do this or have some sort of action, and then there’s definitely a migration layer, when marketplaces go down or forums, you know, where are we moving, what, like that becomes the communication channel on, you know, where are we gonna migrate, and then, like you said, there is a whole… I think of Telegram as outside of the darknet marketplaces, but I probably shouldn’t. There’s so much transaction happening in Telegram channels as well where the sole purpose is to sell in a marketplace fashion, whether it’s, you know, stealer logs or narcotics. So, I would say those three, the signal layer, the migration layer, and then also the marketplace layer would be the three, I think, my analysts would highlight.
Jennifer – It’s fascinating because there’s so many different paths that an investigation could take. And I think of the signal layer as being kind of an almost an intelligence layer where you can see what will happen in a sense, right? I think a migration, as an investigative layer, like what’s happening now and the marketplace layer could probably be a forensic layer later. I mean, there are lots of different uses, but I think about them also in a temporal fashion like how do you lay that out across an investigation.
So anyways, fascinating stuff. Let’s go back to the marketplace topic where we kind of landed. And I know that you and your team mentioned to me that you’ve expanded your dark web marketplace collection pretty significantly and you have a new capability that you’re calling ‘Darkmart’, if I’m not mistaken. I’m wondering if you can, oh, there it is. If you can give us a sense of kind of what that is and more importantly for those who are thinking about how open-source intelligence can support investigations, what does this kind of data tell you? What does it reveal?
Alison – We did do a big revamp to our Darknet Marketplace Content, and what I mean by that is our collection was always strong in these areas, but the structure behind the data made the workflows somewhat manual and challenging to say, okay, well, I’m interested in this vendor on this one marketplace. So, what are the first 10 questions you want to ask? Like, well, what other markets are they on? What country do they ship from? What category do they have listings in? So we have taken all that data on our historical collect and put a lot more structure around it.
There’s an oversight view that I think has been, and this was from direct feedback from our users that has been really powerful in our launch of ‘DarkMart’, which is our word for these darknet marketplaces. And to your direct question, doing these investigations in lieu of the structure was a time consuming process. So, now if you just look at some and choose any one bullet on here, just the ability to sort and sift through all of this marketplace data is a lot easier and more compelling. And what we heard from some of our government clients is there are use cases you could be at, you know, be on the drug enforcement side of the house and you’re specifically tasked with a specific drug versus you could be someone who’s law enforcement in a small five eyes country that’s just trying to view what’s being sold coming out of their country. And those exact asks pre-structuring were hard to discern, whereas now with the marketplace data restructured within DarkOwl, you can do that much more quickly. I could even jump in and show an example of that. But the ability to sort and sift through this has just become so much easier with our new ‘DarkMart’ release.
Jennifer – Well, that’s really powerful, as you say, without structure around the data, you have a richness, the riches of all the collection, but without the ability to gain the insight, or at least not to do it conveniently. And if you’re not an expert, right, your analysts are all experts and can do that, but not every company, every entity, every government agency has people who are deeply experienced in that. So, having an interface to help you get there is really important.
Here’s a funny question, because people talk about the dark web and the marketplace and such: what do the listings contain? Like, what does that look like? And then maybe pivot off that, it’ll become obvious, but how does an investigator use that data?
Alison – So I’m now in our platform right now. So, this is a live view into just the subset of our data that we call ‘DarkMart’. So, we have about half a million listings showing up right now and you can see that we have 83 markets that we’re now capturing in this new structured format. We still have a lot of markets that we’re moving over into this. It’s definitely an evolution. But for instance, if you wanted to just come in and see, you know, you were interested in what category and I mentioned earlier, like most of the listings are in narcotics, but I think all these other subsets are definitely growing in quantity as well.
But let’s see, let’s pop into one market. So, this marketplace, Prime, has categories and vendors selling across all different subsets. So, to answer your direct question, you know, what do the actual listings look like? So, I actually wanted to pull up a more expensive one. So, here we have someone. So this is a good representation of how we’ve restructured this data.
So, within two clicks, we’re able to see, okay, here’s a vendor that goes by this username. And they were first seen on January 8th of this year. They last changed their listing a couple of weeks ago. And this is what they claim to have: some source code for Bitcoin. They have a listing. You can contact them. Let’s do business. Not business. So this would be pretty typical of a listing. There are also some that contain reviews, and we always capture what currencies they’re operating in. So, as we think about this from, like, a country standpoint, in terms of what people’s mission is, this can be helpful as well.
Jennifer – It’s literally vendor drugs for cheap.
Alison – Yeah. You can also go out into the live market and see what imagery vendors are presenting and what categories are growing. And I think this speaks back to your earlier, kind of that signals layer around, you know, what categories are growing from a marketplace standpoint, which would point to, you know, going back to those items and being like, what are we doing from a protection standpoint that we’re missing if these are so easily fraudulently being sold?
Jennifer – I think that’s another benefit of the restructuring of the data and the interface for users is to get a sense of where the trend lines are and get that insight earlier in the cycle so that you, whatever your role might be somewhere, you can really start planning for it.
Alison – In pretty short order, you can see the use cases both across government and commercial in terms of just what these listings look like. And as you mentioned earlier, and, you know, I won’t spend the time digging through a lot of these, but you can pretty quickly find someone for very cheap selling, you know, deep fakes, like you said, or access, and all of these vendors are starting to specialize just like we do in an industrial economy. So, that time to execute is so much shorter.
Jennifer – Crazy. So, you mentioned earlier, I can’t remember the name of the vendor you mentioned, but you mentioned one of the big ones that was taken down in ’25. And so what happens when a major vendor does get taken down? I mean, I assume they pop up again somewhere else, but what do you see? What’s the normal pattern there?
Alison – Yeah. I just clicked on one of our vendors that we have in our marketplace. You can see that this vendor is, we believe, active on 25 different markets. And you can see the number of listings as well. So, you know, the hypothesis there under the scenario you just described would be that if any one of these markets was either taken down by law enforcement or had an exit scam, those listings would migrate somewhere else. So, with this new restructuring, that is something we can absolutely track as things ebb and flow. And you can do it both at the vendor level. We’ve also had some of the shipping companies ask us to do it across, and we have an awesome blog on our site around what is the preferred shipping method for criminals, which, if you are, you know, working at one of those companies, whether it’s government backed or commercial, understanding why you’re being selected to ship those drugs versus someone else is important. The aggregation of this data can be really powerful and is something you can do today that wasn’t as easy prior to our data restructuring.
Jennifer – That’s awesome. It’s both scary but also really fantastic that the capability exists and that there are smart people working on all this stuff. I think also, in passing earlier, you mentioned Infostealer kind of malware, and one of the big stories in cybersecurity is really the explosion in this kind of malware. I’m wondering, could you maybe spend a moment and let our colleagues online here understand what DarkOwl is seeing on the dark web side of all of that dynamic?
Alison – Yeah, absolutely. I mean, we are asked about Infostealer logs multiple times a day, and that is an emerging space. I have some stats written down here that Infostealers infected over 11 million machines in 2025, and the estimate is that they produced about 3 billion stolen credentials. And that’s such an easy way for people to transact and probably the most traded commodity on the darknet. And the thing about the Stealer logs is they can bypass MFA entirely. I think there’s a lot of movement happening around people trying to protect against that. But in the meantime, understanding that data is out there is very timely because it can be exploited almost instantaneously. So yes, Infostealers are a huge category. And I don’t see that decreasing. If anything, I think it will continue to grow and grow as people move away from traditional passwords.
Jennifer – Yeah, I think the credential side is where a lot of the action is. And, so, you know, everything is “as a service” these days? So, is this an area as well? Have they jumped on the bandwagon? Is it malware as a service and all that?
Alison – Yeah. I don’t have it handy right here, but there’s malware as a service subscriptions that start as low as $30 a month. So yeah, the specialization and the execution and frankly the price is coming down precipitously.
Jennifer – You see that I think across all of these, let’s just say more nefarious corners of the web where the “as a service” is exploding. You’ve had ransomware as a service. Now malware as a service, specifically credentials, deep fakes as a service. Everything’s a service these days. Even criminals are innovating, right?
Alison – Yeah. There’s, I mean, we have one of, I would say probably one of our most frequently visited, or some of our most frequently looked at Telegram channels are those that are selling stealer log subscriptions. And you and I in preparation for this call, were talking about how as recently as January, there was a researcher that discovered that database containing like 150 million login password pairs. And they think it was compiled entirely from Infostealer operations. So, that gives you a sense for the scale.
Jennifer – So I, you know, intuitively, I gather that there’s a specific connection here in the supply chain for ransomware. And I’m wondering, you know, what, what does that supply chain look like for, for bad actors in the ransomware, ransomware world? Say that three times fast.
Alison – Yeah, in the same way that all the market dynamics work on the customer service side, you know, the same exists from a supply chain standpoint. I think a pretty typical supply chain workflow would be that the infostealer harvest, like they grab the credentials, then the initial access broker would like package those up and sell them on a marketplace or on one of those Telegram channels. And then the ransomware operators buy those, that access. And then they get in and grab the files and then, you know, approach the company and say, yeah, here’s what I have and, and pay the ransomware. So, it’s definitely, and we talked about this earlier, the specialization is happening in the same way it’s happening for all of us on the right side of the fence.
Jennifer – Yeah, exactly. Thank you.
Like all things, I have to assume that the dramatic improvements in generative AI are having a big impact in this area. Is that correct? I mean, is that accurate to assume that AI is also fueling this pipeline?
Alison – Yes, absolutely. And you know, they also have the advantage of not having to ensure that those AI deployments are being done in an ethical or safe or sort of consumer-friendly way. So, some would argue that, that speed of adoption is even faster in this ecosystem.
Jennifer – Let’s scope out a little bit, zoom out. Around the world, we’re seeing a lot of interest in regulatory action around the space. Leak, you know, legislation, like Europe’s been very active in these, these related categories with all sorts of protections on data and the models that are used for AI and lots of other things. And here in the States, of course, the SEC has its own filing requirements for those who will fall prey to ransomware and other cyberattacks. But I’m just wondering if one does agree that there’s an upsurge, uptick in interest in regulatory and legislative actions in this space. Does that change the calculus for companies, organizations, government agencies and departments on the kinds of intelligence or insights that they would want to collect from the darknet?
Alison – I think there’s a shift happening or it’s already happened from a reactive to more of a proactive intelligence posture. I’m going to date myself a little bit, but I’ve been at DarkOwl coming up on either 10 or 11 years, and I remember one of the first demos I ever did was with a CISO and, and she said to me, I don’t think I want to know if the information’s out there. And, you know, I think that was, knowing was not, knowledge was not power at that time. That was potentially, oh, no, we haven’t done our job as an organization, or we haven’t protected our information. Whereas in today’s world, you can just walk the floors of any cyber conference, the number of TPRM and third-party risk management providers has skyrocketed. So, the responsibility and the onus to know not only what’s out there, but how it got out there, and have that proactive angle of like, I’m hiring a vendor in this category. You know, are they reputable? Do they have exposure? That is becoming the norm compared to what it was previously.
Jennifer – Now, that makes a lot of sense. Ultimately, it just seems wherever one is in this ecosystem on the right side of the fence, as you say, your ultimate goal is to collapse the timeline between exposure of data and vulnerability, and the bad actor’s ability to use it against you. And having that insight, particularly from deep collection and kind of an interface and analytic framework around it would be super helpful. And unlike the CISO that you met years ago, I think more and more CISOs and cyber defenders today are eager to get those insights so that they can be prepared before the bad day happens. That makes me think though, because you mentioned the CISO and others working in cyber defense and risk. Is there something about the darknet threat landscape that you think they consistently or that many consistently underestimate?
Alison – Um, yeah.
Jennifer – You know, some key aspect of it, you wish people would understand better or maybe they just don’t have the insight yet.
Alison – It’s that the old methodology is we just need to kind of protect our own four walls, batten down the hatches and whatever’s happening outside is not telling or informative. And that is not the case. The darknet can be very much a leading indicator of what that exposure looks like, where those vectors of attack might be coming from. Demonstrating and making sure that people have visibility is extremely important, not just that they responded correctly to an attack.
Jennifer – And attacks are far more, intrusions are far more, sophisticated and subtle and multi-layered than they were even just a few years ago and I think understanding the threat environment and the threat environment around all of your partners and vendors and anything in your supply chain is really critical because you’re only as secure as the weakest link in that chain.
Alison – Yeah, not only like the weakest link, but the speed at which that stolen data moves from exposed to exploitation is fast.
Jennifer – That timeline is collapsing pretty dramatically. I think if you go back just a few years when a vulnerability was identified and publicized in order to get patches, you had time, right? Today that timeline is really collapsed with the power of AI and how bad dudes can manipulate that to get an exploit out of a vulnerability through reverse engineering. It’s really, really rapid.
So lots of value out there in this kind of information. And I think really relevant to investigators and analysts across a broad range of functions. So, we’ll turn to our friends and colleagues who’ve dialed in in a moment, but maybe last kind of question forward-looking, right? So, let’s look out over the next couple of years and if you had to, your crystal ball, how does that threat landscape evolve? And as we’ve touched on once or twice already, how does AI fit into that picture? Both for, let’s say the threat actors who are out there, how is it gonna help them? But also for defenders because we want to defend.
Alison – My short answer would be that this category of data will continue to be a very integral part of investigations. I think historically it has been either overlooked or bypassed because it was hard to aggregate and look through this data alongside other data, but that’s where AI is gonna be so powerful in that respect. Do I think if we did the same webinar five years from now that Telegram would be where everyone was communicating? Probably not. I think that where all that happens, I think we’ll continue to flux, but there will, I don’t see any scenario where this data isn’t an important piece of the puzzle. And I think looking at the bigger puzzle is a much easier task with some of the amazing developments that are happening in AI, so that organizations like the one you work for aren’t that timeline to figuring out or getting some intelligence that could lead to an action or investigation should be shorter as well, not just the criminals are gonna benefit from AI.
Jennifer – Yeah, thank you. We don’t want them to benefit but the defenders need to benefit. So, we’ve spent about 45 minutes and we’ll turn to questions here in a moment, but if let’s just say it for the folks who’ve dialed in and maybe later for those who watch on the platform, is there something you think that someone should go do? Like if they return to the office, is there something that they might take away from this conversation? Is there an action that would be helpful for them?
Alison – The low hanging fruit is out there. Go get a dark web risk assessment done, understand what information both of your own as an individual or your organization’s is out there. And that will give a lot of insight into where, I think that would be the one task I would do in short order. And then if there are folks on the phone that are doing investigations in this space, I would just think about time and energy spent having someone who can aggregate this information and make it searchable and queryable is gonna be a good use of that skill set so that those analysts continue to connect the dots but aren’t spending 20 minutes waiting for a Tor page to load.
Jennifer – Yeah, exactly. So, I wanna encourage anyone who’s on the call to drop a question in the chat. I have it up on my screen here, we’ll watch for those.
You know, not every organization is big with a wealth of resources, right? And a lot of small organizations out there that might have more limited both capabilities due to fewer staff and resources in terms of money. But is there an entry point for smaller organizations when it comes to darknet data and intelligence?
Alison – Absolutely, and oftentimes, from a just pure economic standpoint, the price point of a dedicated darknet tool for a small or medium business might not be feasible but there is dark web data going into everything from larger threat intel platforms to MSSPs. I think we all know that those small and medium businesses are oftentimes the target just as much as the bigger ones, just given that actors know that they don’t have the security posture of a bigger firm. So, I do think there is, not only can this data help a small and medium business, but I think there are more ways for them to get that today given that this data is being fed through a lot of different layers, not just directly.
Jennifer – Now, I think the vulnerability of small and medium-sized enterprises is really something that needs much more attention and I add into that group, charitable organizations, hospitals, schools, community colleges, lots of places that you wouldn’t think should be huge targets but they’re lucrative targets for the ransomware world because they’re often less defended and criminals go back there because they’re successful. So, a really important area, I think, for dark web data to help give insights into what the threat landscape reveals about their organizations.
There are a lot of companies out there who offer a variety of different kind of threat intelligence insights. And everyone’s kind of packaged differently, they do different things. Is there differentiation there? I mean, there are some big names out there that I won’t mention, but how in that environment are these capabilities differentiated or are they all the same?
Alison – No, they’re definitely not all the same and I think it comes down to, you know, depth of collection in any one area and the structure and usability of that data. And there’s some, there are a lot of folks aggregating threat intel from all different data sources. I think DarkOwl, one of the reasons I love our mission is that we are so committed to staying focused on this space and continuing to provide compelling data. It comes off the dark web and not trying to spider into other areas. So, we’re often turned to fill that plug for other organizations. But yes, everyone has pros and cons. I mean, it’s a big Venn diagram and we’re a data provider and there’s gonna be overlap with others, but there’s oftentimes a delta between a lot of the different providers.
Jennifer – Awesome. I’m gonna ask maybe another question. While we wait to see if anybody has something that is burning in their minds. So, I don’t mean this one to sound like a challenge, right? But I’ve heard this question. So, you talked about personas and the collection and over time. Are you ever asked about the legality of all of that? And I know more.
Alison – Yes. All the time, oftentimes from people applying to jobs, how are you able to legally do this? You know, we’re, I think the title of this webinar and the tech expo that we’re attending next week, it’s all around OSINT, open-source intelligence and DarkOwl’s skill resides on the fact that this data is hard to get to and it’s hard to find and it’s time consuming to get to. But at the end of the day, it is open-source information. So, we are able to legally collect this because it’s defined as open source. It may be hard to get to. You may have to create a login or become part of a community, but that’s the definition and we follow DOJ guidelines and we don’t purchase stolen data. We don’t go behind firewalls. So the data that we hold is ethically collected and considered open source.
Jennifer – Great. I knew that, of course, being on the board. But I just wanted others who might have that question, because I’ve heard that question before too. So, I just wanted others to hear directly from you.
And then maybe as a final question just because of the world I came from before coming into the private sector, my sense is that nation-state actors out there use a lot of the same darknet infrastructure as the criminals do. A, I guess, is that accurate? And B, are there areas where those two worlds overlap most directly?
Alison – I mean, yes, in terms of targeting the US. I was in preparation for this looking up some stats and IBM X-Force produced a report that said that North America is now the most attacked region for the first time in six years. So, from a nation-state perspective, there is no doubt that the targets on our back may be more so than ever an understanding that all of these ecosystems support those nation-state actors as well as the reality.
Jennifer – I think that reflects a growing sense that I’ve had or insight that I had in government too. But it’s clearer now that how a lot of these activities, these illicit activities against companies and organizations in the country really have a national security flavor to them these days and kind of teasing apart what is a national security threat, what is a commercial threat, what’s an economic threat. These days, that’s harder and harder because it’s just, it’s all interconnected in a way that’s really powerful today.
So, I think we are nearing the end. Maybe Alison, is there any last bit of advice or observation you want to offer for those who’ve dialed in?
Alison – I do want to share with folks that we, DarkOwl, will be attending the OSINT Tech Expo next week, which is being hosted by Carahsoft at their office in Reston, Virginia. So, if anyone on the call is attending, and correct me here, Gabi, I think if they’re a government employee, they’re able to attend either for free or at a reduced cost. But anyway, I just wanted to highlight that. We will be attending. And if any folks want to see the data set live, I’d be more than happy to do that for anyone.
Jennifer – Well, that’d be fantastic. In the notes, I’m going to call an audible here and ask if maybe Gabi can help us in the notes afterwards just to make clear, to specify how people can look for that expo. I see it’s on the screen here, but maybe in the notes later, it’ll be helpful as well. OK, so I want to say thanks to Alison who sat here through an interrogation for almost an hour and answering question after question. I really thank all of you as well who signed in to listen today and then welcome those who watch on the platform later.
And I should take a special note here as well for Carahsoft for hosting and organizing the webinar. And if folks walk away with maybe one thing, there’s lots in what Alison had to say. But I think for me, I would just note that the dark web is no longer, dark web data is no longer something just for a few specialized investigators. I think with the advent of new tools and ability to query and analyze the data, I think it becomes a much more useful capability for a broader range of folks in government and in industry. And so it’s kind of your live feed, if you will, on how the criminal ecosystems are changing and how the threat landscape is changing. And ultimately, whether you’re in government or industry, it should give you a better optic into how you protect yourself. You monitor the threat landscape in order to protect yourself and your friends and allies. So, we will make sure that there are links to all the DarkOwl resources in the notes later. And as Gabi said, if somebody has a question that didn’t get answered during the webinar, DarkOwl will be happy to answer it after. And everyone hopes to see as many of you as possible at the OSINT Expo being hosted by Carahsoft at the end of the month. So OK, I think with that, I’ll turn it over to you.
Alison – Thank you, Jennifer. I just want to thank you personally. You’ve been so helpful to DarkOwl and the pace at which you operate in a post-retirement state and amount of businesses and speaking engagements and you still have your finger on the pulse and I’m very grateful that you’re on our board. So, thank you.
Jennifer – Oh, thank you. It’s a pleasure, and you’ve got a great team. Great team, great product.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs – The Hacker News
The Cybersecurity and Infrastructure Security Agency (CISA) announced advanced persistent threat (APT) actors are conducting “exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” Specifically, the activity has caused PLC disruptions across multiple U.S. critical infrastructure sectors through malicious project file interactions and manipulation of HMI and SCADA display data. These attacks have targeted Rockwell Automation and Allen-Bradley PLCs used in government facilities, water and wastewater systems, and the energy sector. Following initial access, the threat actors launch C2 using Dropbear, Secure Shell (SSH) software, on victim endpoints to enable remote access. Read full article.
2. FBI confirms hack of Director Patel’s personal email inbox – Bleeping Computer
On March 27, the Iranian hacking group Handala claimed it had breached the personal email account of FBI Director Kash Patel. “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download,” the group stated. Watermarked personal photos and documents were subsequently released, including email correspondence from Director Patel’s time prior to assuming the role. The attack was carried out in retaliation for the FBI’s seizure of Handala-linked domains after its earlier cyberattack on medical technology company Stryker. Article here.
3. North Korea’s APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware – The Hacker News
The North Korean hacking group APT37 has been running a social engineering campaign on Facebook, using direct messages to build trust with targets before ultimately delivering the RokRAT malware. Using two separate accounts the threat actor employed a pretexting tactic, pretending to share encrypted PDF files with technical details about military weapons via Facebook Messenger or Telegram. They then convinced recipients to install a specialized PDF viewer in order to access the documents. The malware uses Zoho WorkDrive as a control server. This allows it to take screenshots, run commands remotely, gather information about the infected computer, and explore the system. It can also avoid being detected by security tools like Qihoo’s 360 Total Security while hiding its malicious activity within normal-looking traffic. Read more here.
4. Stolen Rockstar Games analytics data leaked by extortion gang – Bleeping Computer
Rockstar Games is the latest company reportedly targeted by the hacking group ShinyHunters, which has claimed responsibility for a recent data breach. The information was obtained following a security incident with Anodot, a data anomaly detection company. ShinyHunters discovered the information from “Snowflake environments using authentication tokens stolen during a recent Anodot security incident.” The group published over 70 million records from Rockstar Games data that included “in-game revenue and purchase metrics, player behavior tracking, and game economy data for Grand Theft Auto Online and Red Dead Online.” Read here.
5. Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations – The Hacker News
Check Point researchers are tracking an ongoing password-spraying campaign that targets Microsoft 365 environments primarily in Israel and the UAE. The activity was carried out in three waves of attacks that took place throughout March 2026. The campaign unfolded in three distinct stages. It begins with aggressive scanning or password-spraying attacks launched from Tor exit nodes to identify vulnerable accounts. Once access is gained, attackers proceed with the login process, establishing a foothold in the system. In the final phase, they exfiltrate sensitive data, often including entire mailbox contents, completing the breach. Learn more.
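The three-stage pattern above (spray, foothold, exfiltration) is what a defender looks for in sign-in telemetry. The following is an added example written for this summary, not code from the article or from Check Point: it runs a spray detector over constructed sign-in records, distinguishing a spray (one source, many accounts, few attempts each) from a single-account brute force, and reports which sprayed accounts also saw a success from the same source, which is the foothold stage. The `TOR_EXIT_NODES` set is a constructed placeholder standing in for a real exit-node feed.

```python
"""Password-spray detection over constructed Microsoft 365-style sign-in records.

Added example, not from the article or from Check Point. A spray looks like one
source touching MANY distinct accounts with FEW attempts each (the opposite of a
brute force against a single account), so per-account lockout thresholds never
trip. TOR_EXIT_NODES is a constructed placeholder for a real exit-node feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, source IP, account, result)
SAMPLE_SIGNINS = [
    ("2026-03-10T09:00:01", "198.51.100.7", "alice@example.co.il", "FAIL"),
    ("2026-03-10T09:00:04", "198.51.100.7", "bob@example.co.il",   "FAIL"),
    ("2026-03-10T09:00:09", "198.51.100.7", "carol@example.co.il", "FAIL"),
    ("2026-03-10T09:00:12", "198.51.100.7", "dan@example.co.il",   "FAIL"),
    ("2026-03-10T09:00:15", "198.51.100.7", "eve@example.co.il",   "FAIL"),
    ("2026-03-10T09:00:19", "198.51.100.7", "frank@example.co.il", "FAIL"),
    ("2026-03-10T09:14:30", "198.51.100.7", "carol@example.co.il", "SUCCESS"),  # foothold
    ("2026-03-10T09:01:00", "203.0.113.5",  "grace@example.co.il", "FAIL"),     # brute force,
    ("2026-03-10T09:01:05", "203.0.113.5",  "grace@example.co.il", "FAIL"),     # one account
    ("2026-03-10T09:01:10", "203.0.113.5",  "grace@example.co.il", "FAIL"),
    ("2026-03-10T09:01:15", "203.0.113.5",  "grace@example.co.il", "FAIL"),
    ("2026-03-10T09:01:20", "203.0.113.5",  "grace@example.co.il", "FAIL"),
    ("2026-03-10T09:01:25", "203.0.113.5",  "grace@example.co.il", "FAIL"),
    ("2026-03-10T09:03:00", "192.0.2.9",    "heidi@example.co.il", "FAIL"),     # ordinary typo
    ("2026-03-10T09:03:20", "192.0.2.9",    "heidi@example.co.il", "SUCCESS"),
]

TOR_EXIT_NODES = {"198.51.100.7"}  # constructed placeholder, not a real exit list


def _bucket(ts: datetime, window: timedelta) -> tuple:
    """Fixed time bucket keyed on the calendar day, so no timezone arithmetic is needed."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return (ts.date(), int((ts - midnight).total_seconds()) // int(window.total_seconds()))


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3, tor_exits=TOR_EXIT_NODES):
    """Return one finding per (source IP, time bucket) whose failure pattern is a spray.

    A bucket is flagged when the source failed against at least `min_accounts`
    distinct accounts and never exceeded `max_per_account` failures on any one of
    them. Sprayed accounts that also recorded a success from the same source in
    the same bucket are reported as the likely foothold.
    """
    failures = defaultdict(lambda: defaultdict(int))   # key -> {account: fail count}
    successes = defaultdict(set)                        # key -> accounts with a success
    for ts_text, ip, account, result in records:
        key = (ip,) + _bucket(datetime.fromisoformat(ts_text), window)
        if result == "FAIL":
            failures[key][account] += 1
        elif result == "SUCCESS":
            successes[key].add(account)

    findings = []
    for key, per_account in failures.items():
        if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
            continue  # too few accounts, or a single-account brute force: not a spray
        findings.append({
            "source_ip": key[0],
            "accounts_targeted": len(per_account),
            "from_tor_exit": key[0] in tor_exits,
            "accounts_also_succeeded": sorted(successes[key] & set(per_account)),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

The thresholds are the design choice worth tuning: a spray is deliberately kept under per-account lockout limits, so the detector keys on breadth across accounts (`min_accounts`) rather than depth against one, and the Tor-exit flag is just an enrichment, not a precondition, since the same pattern from any source deserves a look.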
6. Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto – Bleeping Computer
A fake Ledger Live app, available via the Apple App Store, has stolen $9.5 million in cryptocurrency from 50 victims. The victims were tricked into entering their seed/recovery phrases into the app, giving attackers full access to their wallets and allowing them to spend digital assets. Investigators claim, “the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.” The stolen funds were laundered through 150 deposit addresses on KuCoin. The company announced the accounts were frozen until April 20. Read full article.
7. Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack – The Hacker News
Lotus, a data-wiping malware, was uploaded to a publicly accessible platform in December 2025 and subsequently used in targeted attacks against energy and utilities organizations in Venezuela. Two batch scripts initiate the destructive phase of the attack and prepare the environment for execution of the final wiper payload. Upon execution, the wiper neutralizes recovery mechanisms, overwrites physical drive contents, and recursively deletes files across affected volumes, leaving systems nonfunctional. No embedded extortion or payment instructions are present, indicating a non-financial motive. Read full article.
8. Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems – The Hacker News
The malware, ZionSiphon, was designed to target Israeli water treatment and desalination systems. The virus was first discovered following the Twelve-Day War between Israel and Iran in June 2025. Once executed, ZionSiphon scans the local subnet for devices, attempts communication via Modbus, DNP3, and S7comm, and alters configuration parameters such as chlorine dosing and pressure. The Modbus attack path is the most developed, while DNP3 and S7comm components remain incomplete, suggesting ongoing development. It can also spread via removable media and will self-delete on systems that do not meet its targeting criteria. Numerous implementation flaws suggest the malware has either been prematurely deployed or is still in a developmental stage. Learn more.
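Because the Modbus path is the mature one, the defensive counterpart is to watch the Modbus/TCP write traffic reaching the controllers. The block below is an added example written for this summary, not DarkOwl's code and not the researchers' tooling: it parses the MBAP header and function code of captured Modbus/TCP requests, and raises an alert when a write comes from a host outside an engineering-workstation allow-list or touches a register an operator has marked as a protected setpoint. The frames, the register map (`PROTECTED_REGISTERS`) and the allow-list (`ENGINEERING_WORKSTATIONS`) are all constructed for illustration; real register numbers depend on the PLC program.

```python
"""Audit Modbus/TCP traffic for state-changing requests.

Added example as a defender would write it for the behaviour described above; it
is not DarkOwl's code and not the researchers' analysis tooling. The frames,
register map, and engineering-workstation allow-list are all constructed.
"""
import struct
from dataclasses import dataclass

# Function codes that change device state (function codes 1-4 are reads)
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed register map of setpoints an operator would want change-audited
PROTECTED_REGISTERS = {0x0010: "chlorine dosing setpoint", 0x0011: "line pressure setpoint"}
ENGINEERING_WORKSTATIONS = {"10.10.0.5"}  # constructed allow-list of hosts permitted to write

# Constructed frames: MBAP header = txn id(2) proto id(2) length(2) unit id(1), then FC + data
SAMPLE_TRAFFIC = [
    ("10.10.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),               # read 10 regs
    ("10.10.0.5",  bytes.fromhex("0002 0000 0006 01 06 0100 0005")),               # write reg 0x100
    ("10.10.0.77", bytes.fromhex("0003 0000 0006 01 06 0010 00c8")),               # unknown host sets dosing
    ("10.10.0.77", bytes.fromhex("0004 0000 000b 01 10 0020 0002 04 0001 0002")),  # unknown host writes 2 regs
    ("10.10.0.5",  bytes.fromhex("0005 0000 0006 01 06 0011 0190")),               # workstation sets pressure
]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes  # request data following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(txn, unit, frame[7], frame[8:])


def written_addresses(frame: ModbusFrame) -> range:
    """Address span a write request touches; an empty range for non-write functions."""
    fc, pdu = frame.function_code, frame.pdu
    if fc in (5, 6) and len(pdu) >= 2:
        (addr,) = struct.unpack(">H", pdu[:2])
        return range(addr, addr + 1)
    if fc in (15, 16) and len(pdu) >= 4:
        start, qty = struct.unpack(">HH", pdu[:4])
        return range(start, start + qty)
    return range(0)


def audit_modbus_writes(observed, allowed_writers=ENGINEERING_WORKSTATIONS,
                        protected=PROTECTED_REGISTERS):
    """observed: iterable of (source_ip, raw_frame). Returns a list of alert dicts."""
    alerts = []
    for src, raw in observed:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append({"source": src, "function": None, "reasons": [f"malformed frame: {exc}"]})
            continue
        span = written_addresses(frame)
        if not span:
            continue  # reads are not in scope for this check
        reasons = []
        if src not in allowed_writers:
            reasons.append("write from host outside the engineering allow-list")
        hits = [a for a in span if a in protected]
        if hits:
            reasons.append("write touches protected register(s): "
                           + ", ".join(f"{a:#06x} ({protected[a]})" for a in hits))
        if reasons:
            alerts.append({"source": src, "unit_id": frame.unit_id,
                           "function": WRITE_FUNCTIONS[frame.function_code], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit_modbus_writes(SAMPLE_TRAFFIC):
        print(alert)
```

Modbus has no authentication, so the source allow-list and the protected-register map are the only policy available at the wire level; a write from an authorised workstation to a dosing or pressure setpoint is still alerted on, because that is exactly the change an operator wants a record of, whoever made it.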
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Recent activity from Handala Hacking Team and Ashab al-Yamin highlights a growing overlap between cyber operations, influence campaigns, and real-world incidents. While these actors are not necessarily coordinated, their activity reflects similar patterns across Telegram and affiliated platforms, where claims, media, and narratives move quickly through a shared ecosystem.
Analysis for this report was conducted using DarkOwl Vision, leveraging keyword-based searches and targeted monitoring of Telegram channels to identify relevant activity and amplification patterns.
Handala Rebrands and Expands Targeting Scope
On April 26, 2026, the Handala hacking group announced a rebrand to The Handala Popular Resistance Front (HPR), signaling a potential shift in both branding and operational focus.
In the same announcement, the group claimed responsibility for an attack targeting an office allegedly linked to a company associated with the Shabak’s Iran Desk in Israel. The claim was posted twice to Handala’s official Telegram channel and included links to a bot designed to recruit potential insiders in Israel. This indicates a more deliberate effort to facilitate human-enabled access rather than relying solely on external cyber intrusion.
Figure 1: Handala Telegram Post + Insider Recruitment Bot
The content was rapidly reshared across affiliated Telegram channels, including accounts that have historically been aligned with Iranian Ministry of Intelligence messaging and insider recruitment advertisements:
Iranian Intelligence Voice (English)
Iranian Intelligence Voice (Arabic)
Figure 2: Resharing Across MOI/IRGC-Aligned Channels
This announcement followed a data leak released approximately 24 hours earlier across Handala-linked surface websites, including Handala-Hack and Handala-Redwanted. The leak allegedly exposed sensitive information tied to more than 100 Israeli personnel, including individuals allegedly associated with the IDF’s Maglan Unit, a specialized commando unit responsible for covert and high-risk operations.
Figures 3 & 4: Handala Leak Data / Maglan Unit Exposure
In a separate but related release on April 28, 2026, Handala also claimed to have exposed personal information tied to 2,379 U.S. Marines stationed in the Gulf region. The accompanying messaging emphasized surveillance capabilities, including identities, routines, and personal details, while framing the release as a limited demonstration of broader access. The tone of the post focused heavily on psychological pressure, warning of future escalation and reinforcing the perception of persistent monitoring.
While the veracity of these claims remains unconfirmed, the messaging reflects a clear expansion in targeting scope, extending beyond Israeli entities to include U.S. military personnel. This aligns with broader narrative patterns observed across Iran-aligned ecosystems, where exposure of personal data is used not only as proof of access, but as a mechanism for deterrence and intimidation.
Figure 5: Handala Claim of U.S. Marines Exposure
Handala’s recent activity shows a clear progression from leaking sensitive information to rapid amplification, to issuing targeting claims, and ultimately to encouraging insider recruitment. Recent claims involving the exposure of both Israeli and U.S. military personnel further suggest an expansion in targeting scope. This sequence reflects more than opportunistic hacktivism. It aligns with structured influence and access-enablement playbooks observed across Iran-aligned operations, where cyber activity is used to support both psychological pressure and real-world targeting narratives.
While direct command-and-control relationships remain unverified, the consistency in messaging, targeting focus, and amplification pathways suggests integration into a broader proxy-aligned ecosystem rather than isolated activity. Attribution across this ecosystem is intentionally diffuse, but the operational patterns remain consistent.
Ashab al-Yamin Activity Amplified in Near Real-Time
April 29, 2026 (0500 MST) – A knife attack in London was first reported via Telegram by the Al Faqaar channel as a text-only alert.
Al Faqaar functions similarly to established IRGC-aligned media outlets such as Sabereen News, acting as an early dissemination node for emerging incidents. As Ashab al-Yamin has moved away from centralized official channels, Al Faqaar increasingly operates as a primary publisher, often posting first and shaping how events are framed across the broader network.
Figure 6: Initial Al Faqaar Text Post
Following the initial alert, Al Faqaar published a series of updates between 0500 and 0830 MST, providing near real-time coverage of the incident, including developments related to the attack and the subsequent arrest.
Video of Knife Attack
Figure 7: Attack Footage
Video of Arrest by Police
Figure 8: Arrest Footage
Final Official Video Release
Figure 9: Branded Ashab/Al Faqaar Media Output
Notably, the messaging in the final video frames the attack as being carried out by “lone wolves,” introducing ambiguity in how the operation should be interpreted. This framing may suggest the attackers were self-directed individuals acting without direct operational control. However, the speed and structure of the subsequent media release and amplification indicate the incident was either anticipated or quickly incorporated into a broader narrative framework.
Rather than demonstrating direct coordination, the use of “lone wolf” language may reflect a deliberate strategy that allows groups to claim or amplify attacks while maintaining plausible deniability. In this model, the line between inspiration, opportunistic amplification, and operational involvement remains intentionally blurred.
Shortly after the release of the final video, the same content was reshared across at least 25 Telegram channels associated with the broader Islamic Resistance and Axis of Resistance ecosystem. In this instance, Al Faqaar appears to have served as the initial distribution point before wider propagation.
This activity reflects a decentralized dissemination model where speed, redundancy, and narrative control take priority over centralized branding. Channels such as Al Faqaar function as early distribution nodes within a wider media architecture that exhibits consistent coordination patterns without relying on a single authoritative source. The rapid propagation across aligned channels reinforces a pattern in which content origin is less important than how quickly it is amplified, enabling near real-time narrative shaping across a broader network of aligned actors.
Key Takeaways
Hybridization of Threat Activity: Handala’s evolution highlights the convergence of cyber operations, influence messaging, and physical-world targeting.
Escalation via Insider Recruitment: The use of Telegram bots to solicit insiders signals movement toward enabling real-world access.
Proxy-Aligned Propagation: Handala and Ashab-related content are consistently amplified through channels aligned with Iranian intelligence and proxy media ecosystems, even where formal attribution remains unclear.
Speed Over Attribution: Decentralized Telegram networks enable near real-time dissemination, allowing narrative shaping to outpace verification.
Structured Ambiguity: Attribution is deliberately obscured, but coordination patterns remain observable across platforms.
This blog explains what CIRCIA requires, which organizations are subject to compliance, and how DarkOwl’s dark web intelligence platform positions covered entities to meet their obligations proactively—before an incident ever occurs.
WHAT IS CIRCIA?
CIRCIA—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—grants the Cybersecurity and Infrastructure Security Agency (CISA) authority to mandate reporting of cyber incidents and ransomware payments from owners and operators of critical infrastructure. The law tasks CISA with developing and enforcing a rulemaking process that creates standardized, time-sensitive reporting obligations across the private and public sectors.
Reporting Requirements
Substantial Cyber Incidents: Covered entities must report significant cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred.
Ransomware Payments: Any ransomware payment made by a covered entity must be reported to CISA within 24 hours of the payment being made.
These requirements are not merely informational. Organizations must demonstrate that they have the infrastructure and processes in place to detect incidents, assess their significance, and report within these tight windows. Failure to report carries legal consequences, including subpoena authority granted to CISA.
WHO MUST COMPLY?
CISA estimates that approximately 300,000 entities will be subject to CIRCIA’s reporting requirements once the final rule takes effect. Coverage spans all 16 critical infrastructure sectors designated by the Department of Homeland Security:
Defining ‘Covered Entities’
The final rule will define specific thresholds and criteria for which organizations within each sector qualify as “covered entities.” Based on the NPRM and public comments, covered entities are expected to include:
Private sector organizations operating systems or networks integral to critical infrastructure functions
Government contractors and subcontractors supporting critical infrastructure programs
Importantly, covered entity status is not limited to large enterprises. The breadth of the estimated 300,000-entity scope reflects CISA’s intent to create comprehensive visibility across the critical infrastructure ecosystem, from utilities and hospitals to transportation networks and financial institutions.
HOW DARKOWL HELPS ORGANIZATIONS COMPLY
CIRCIA’s reporting obligations create a fundamental challenge: organizations cannot report what they cannot detect. The 72-hour window for substantial cyber incidents and the 24-hour window for ransomware payments demand that covered entities have continuous, proactive threat detection capabilities—not reactive, post-breach discovery processes.
DarkOwl provides dark web intelligence and credential exposure monitoring that directly addresses this challenge. Our platform enables organizations to identify indicators of compromise, data exposure, and threat actor activity before they escalate into reportable incidents—or to detect them the moment they do.
Dark Web Monitoring for Early Incident Detection
Threat actors frequently surface intent, tooling, and stolen data on dark web forums, marketplaces, and encrypted channels days or weeks before a formal attack is launched or discovered by the target organization. DarkOwl’s continuous monitoring of these environments provides covered entities with:
Early warning of data exfiltration, including stolen credentials, proprietary documents, and sensitive internal communications appearing on dark web markets
Detection of ransomware group communications referencing an organization or its vendors, often preceding deployment of ransomware payloads
Identification of threat actor reconnaissance and targeting activity associated with specific sectors or infrastructure types
Alerting on newly compromised credentials that may indicate an active breach or imminent attack
This intelligence directly supports the 72-hour reporting window by giving security teams a head start—enabling them to investigate, scope, and assess the significance of potential incidents before the clock starts.
Credential Exposure Services
Credential theft is among the most common precursors to significant cyber incidents. Compromised usernames and passwords—particularly those tied to privileged accounts, VPNs, or cloud infrastructure—frequently appear on dark web forums and criminal marketplaces following data breaches at third-party services.
DarkOwl’s credential exposure monitoring enables covered entities to:
Continuously scan for employee and customer credentials appearing in dark web breach compilations and stealer logs
Receive actionable alerts when new credential exposures are detected, enabling rapid password resets and account lockdowns
Attribute credential exposure to specific breach events, supporting incident scoping and regulatory notification decisions
Maintain an ongoing audit trail of exposure detection and response actions—critical documentation for demonstrating compliance due diligence
CIRCIA does not simply require organizations to report incidents—it implicitly requires that they have the detection infrastructure capable of identifying those incidents within compressed timeframes. Regulators and legal counsel will increasingly ask whether covered entities exercised reasonable diligence in monitoring for threats.
By deploying DarkOwl’s platform, organizations create a documented, auditable record of proactive threat intelligence activity. This serves multiple compliance functions:
Evidence of reasonable cybersecurity diligence in the event of a regulatory inquiry or breach litigation
Structured detection workflows that align with incident response plans and reporting procedures
Intelligence feeds that can integrate with SIEM, SOAR, and incident response platforms to accelerate detection-to-reporting timelines
Sector-specific threat intelligence relevant to each of the 16 critical infrastructure categories
Vendor and Supply Chain Risk Intelligence
CIRCIA’s scope extends to organizations that are integral to critical infrastructure operations—including technology vendors, managed service providers, and supply chain partners. A breach at a third-party vendor can create a reportable incident obligation for a covered entity, even if the covered entity’s own systems were not directly compromised.
DarkOwl supports supply chain risk management by monitoring for dark web activity associated with key vendors and third-party partners, providing covered entities with a broader view of their threat exposure across the entire organizational ecosystem.
CONCLUSION
CIRCIA represents a fundamental shift in how the U.S. government expects critical infrastructure operators to approach cybersecurity. Mandatory reporting obligations, compressed timelines, and broad sectoral coverage create both regulatory urgency and strategic imperative: covered entities must build proactive threat detection capabilities or face significant compliance risk.
DarkOwl’s dark web intelligence and credential exposure monitoring platform is designed precisely for this environment. By surfacing threats early—often before they escalate into reportable incidents—DarkOwl enables covered entities to meet their CIRCIA obligations, demonstrate proactive due diligence, and strengthen their overall security posture.
How can DarkOwl help your company prepare for CIRCIA compliance? Contact Us.
Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.
Push bombing, also known as “MFA Fatigue” or “MFA Spamming,” is a deceptive social engineering tactic in which an attacker repeatedly triggers MFA push notifications to the victim’s device. Multi-factor authentication (MFA) has long been considered a cornerstone of modern cybersecurity. By requiring users to verify their identity through an additional factor—like a push notification to a mobile device—organizations have significantly reduced the risk of account compromise. But multi-factor authentication is not invincible. As always, attackers adapt, and increasingly they exploit user behavior instead of cryptographic weaknesses. This is where push bombing comes into the scene.
The goal is simple: flood a target with repeated MFA push notifications in the hope that they will eventually “approve” one. At a high level, push bombing is a shortcut. Instead of breaking through authentication controls, attackers pressure users into opening the door for them.
The process usually begins after an attacker has already obtained a user’s valid credentials, often through phishing, credential stuffing, or darknet data leaks. Once the attacker attempts to log in, the system sends a push notification to the legitimate user’s mobile app. When the user denies the request, the attacker immediately triggers another, and another—sometimes hundreds of times in a row, often in the middle of the night when the victim is less likely to be alert. Attackers often combine push bombing with chat-based impersonation, fake IT support calls, and SMS messages – creating a sense of urgency and legitimacy.
Authentication approvals outside normal working hours
Users reporting repeated push requests they did not initiate
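As an added example (not code from DarkOwl’s post), the detection logic below applies the two indicators above to MFA push logs: it flags a burst of prompts to one user inside a short window, an approval that follows such a burst, and any approval outside working hours. The log format, the burst threshold and window, the working-hours range, and the sample log lines are all constructed assumptions.

```python
"""Detect push-bombing (MFA fatigue) patterns in authentication push logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WORK_HOURS = (7, 19)           # assumption: approvals between 07:00 and 19:00 UTC are "normal"
BURST_THRESHOLD = 5            # assumption: this many prompts in one session looks like a campaign
BURST_WINDOW = timedelta(minutes=10)  # assumption: gap that ends a prompt session

# Constructed sample log (hypothetical format: ISO timestamp, user, event, source IP).
SAMPLE_LOG = """\
# alice: six prompts in four minutes at 02:10 UTC, five denied, the sixth approved
2026-04-29T02:10:05Z alice push_sent 203.0.113.7
2026-04-29T02:10:20Z alice push_denied 203.0.113.7
2026-04-29T02:10:41Z alice push_sent 203.0.113.7
2026-04-29T02:10:55Z alice push_denied 203.0.113.7
2026-04-29T02:11:30Z alice push_sent 203.0.113.7
2026-04-29T02:11:44Z alice push_denied 203.0.113.7
2026-04-29T02:12:10Z alice push_sent 203.0.113.7
2026-04-29T02:12:30Z alice push_denied 203.0.113.7
2026-04-29T02:13:02Z alice push_sent 203.0.113.7
2026-04-29T02:13:20Z alice push_denied 203.0.113.7
2026-04-29T02:14:00Z alice push_sent 203.0.113.7
2026-04-29T02:14:15Z alice push_approved 203.0.113.7
# bob: one prompt during working hours, approved (benign)
2026-04-29T09:00:00Z bob push_sent 198.51.100.4
2026-04-29T09:00:09Z bob push_approved 198.51.100.4
# carol: three prompts spread across the day, each approved, no burst (benign)
2026-04-29T08:05:00Z carol push_sent 192.0.2.10
2026-04-29T08:05:10Z carol push_approved 192.0.2.10
2026-04-29T12:30:00Z carol push_sent 192.0.2.10
2026-04-29T12:30:08Z carol push_approved 192.0.2.10
2026-04-29T17:45:00Z carol push_sent 192.0.2.10
2026-04-29T17:45:06Z carol push_approved 192.0.2.10
# dave: a single prompt at 03:00 UTC, approved (off-hours, but no burst)
2026-04-29T03:00:00Z dave push_sent 203.0.113.9
2026-04-29T03:00:12Z dave push_approved 203.0.113.9
"""


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    event: str      # push_sent | push_denied | push_approved | push_timeout
    src_ip: str


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # push_burst | approval_after_burst | off_hours_approval
    ts: datetime
    detail: str


def parse_log(text):
    """Parse the constructed log format into PushEvents sorted by time; skip comments and blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, src_ip = line.split()
        events.append(PushEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, src_ip))
    return sorted(events, key=lambda e: e.ts)


def find_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Group each user's push_sent events into sessions (consecutive prompts no more than
    `window` apart) and return {user: [(first_prompt, last_prompt, count)]} for sessions
    that reach `threshold` prompts."""
    sends = defaultdict(list)
    for e in events:
        if e.event == "push_sent":
            sends[e.user].append(e.ts)
    bursts = defaultdict(list)
    for user, times in sends.items():
        session = [times[0]]
        for t in times[1:]:
            if t - session[-1] > window:          # gap closes the current session
                if len(session) >= threshold:
                    bursts[user].append((session[0], session[-1], len(session)))
                session = []
            session.append(t)
        if len(session) >= threshold:
            bursts[user].append((session[0], session[-1], len(session)))
    return dict(bursts)


def detect(text, work_hours=WORK_HOURS):
    """Run all three checks over a log and return the list of Findings."""
    events = parse_log(text)
    bursts = find_bursts(events)
    findings = []
    for user, runs in bursts.items():
        for start, end, n in runs:
            findings.append(Finding(user, "push_burst", start, f"{n} prompts between {start:%H:%M} and {end:%H:%M} UTC"))
    for e in events:
        if e.event != "push_approved":
            continue
        # An approval inside (or shortly after) a burst is the attacker's goal: the user gave in.
        for start, end, n in bursts.get(e.user, []):
            if start <= e.ts <= end + BURST_WINDOW:
                findings.append(Finding(e.user, "approval_after_burst", e.ts, f"approved after {n} prompts from {e.src_ip}"))
                break
        if not (work_hours[0] <= e.ts.hour < work_hours[1]):
            findings.append(Finding(e.user, "off_hours_approval", e.ts, f"approval at {e.ts:%H:%M} UTC"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts:%Y-%m-%d %H:%M:%S} {f.user:6} {f.kind:22} {f.detail}")
```

On the sample, alice produces a burst, an approval-after-burst and an off-hours approval, dave only an off-hours approval, and bob and carol nothing; the off-hours rule alone is noisy, so the burst-plus-approval combination is the one to page on.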
When a user comments, “I keep getting login prompts even though I’m not trying to sign in” that’s not a help desk or internal IT nuisance. It’s an intrusion attempt in progress.
Push bombing is actively used in real-world attacks and breaches by threat actors targeting organizations of all sizes, often as the final step in an account takeover chain. The consequences of a successful push bombing attack extend well beyond the single compromised account. Once inside, attackers can:
Launch impersonation or fraud campaigns
Access sensitive corporate systems
Move laterally across networks
Steal data or deploy ransomware
Uber
In 2022, a threat actor associated with the Lapsus$ group gained access to Uber’s internal systems. After obtaining a contractor’s password, the attacker sent a barrage of MFA requests. When the contractor initially ignored them, the attacker contacted them on WhatsApp, pretending to be from Uber IT, and told them they needed to approve the request to stop the notifications. The contractor complied, giving the attacker full access to the corporate environment.
Cisco
Also in 2022, Cisco fell victim to a series of sophisticated push bombing attacks. After compromising a user’s personal Google account to find stored credentials, the attackers moved to the corporate network. They used a combination of voice phishing (vishing) and MFA fatigue to trick the employee into granting access, eventually allowing the attackers to move laterally through the network.
Protection and Mitigation
What makes push bombing especially dangerous is its simplicity. It doesn’t require sophisticated malware or zero-day exploits—just stolen credentials and persistence.
Of course DarkOwl will always recommend using MFA, but let’s go one step further: choose a phishing-resistant MFA. Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use phishing-resistant authentication such as FIDO2 keys, WebAuthn, and passkeys, particularly for privileged and external-facing accounts. Never approve a push you didn’t initiate, and report repeated prompts to IT. Ask your org to move critical apps to phishing-resistant MFA.
Push bombing is the second stage of a compromise; the first stage is the loss of credentials. Awareness of when your employees’ or customers’ credentials have been leaked on the darknet can help you stay ahead of these attacks.
Leveraging a continuously updated darknet data index enables organizations to detect security gaps before a threat actor begins a push bombing campaign. By monitoring for leaked usernames and passwords associated with your domain, you can proactively force password resets and invalidate sessions, neutralizing the attacker’s ability to even trigger that first notification.
Curious to learn more about dark web monitoring? Contact us.
The team is excited to share the new capabilities, platform improvements, and notable darknet intelligence collected across January, February, and March.
Q1 was a big quarter for the DarkOwl platform. We’ve been laser-focused on one goal: helping analysts work faster and smarter — surfacing the right intelligence at the right moment, without ever breaking their flow. Here’s a look at what’s new.
Introducing Vendor Context in Market Research
It’s never been faster to assess vendor scale, longevity, and risk — all without leaving the market listing result you’re already looking at. Vendor Context delivers an instant, comprehensive snapshot of any known vendor — directly within a Market Research listing. With a single click, analysts can see:
Total markets and listings the vendor has appeared in
First and last observed activity dates
Top markets where the vendor is most active
Primary shipping sources
The vendor’s five most recent listings across all markets
Vendor Context expands on DarkOwl’s market dataset and features, providing a purpose-built, structured investigative capability specifically designed for darknet marketplace analysis. Markets are among the most operationally significant environments on the dark web—serving as hubs for the sale of drugs, weapons, stolen data, and counterfeit goods, and as nexus points for criminal networks. DarkOwl’s enhanced market holdings now include more than 431,000 listings, from which we extract vendor identity, product description, category, price, accepted payment methods, shipment origin/destination, reviews, and more.
Breaking the Language Barrier
A substantial portion of threat actor activity, forum discussions, marketplace listings, and leaked data originates from Russian, Chinese, Arabic, Farsi, and other non-English-speaking communities. Global threat intelligence means working across dozens of languages. We’ve made that dramatically easier with Translation for search results. Instantly translate any text from search or alert results inline, now covering all 52 languages supported by Vision UI. No external tools, no copy-pasting — just highlight, click, and read. And because we know it matters for sensitive environments: translation runs entirely within the DarkOwl platform, with no data leaving our closed environment.
Deeper Intelligence and Streamlined Analyst Workflows
Expanded Site Lexicon and Context — Data Sharing and File Repository are now recognized site categories, with full Site Context enabled across results — making it easier to identify and investigate these areas of the darknet. Key press releases, law enforcement actions, and major news coverage are now linked directly within a new media reporting field in Site Context.
Export by Date Range — Generate time-based reports from Case Findings to share only the most relevant data or align exports with reporting or investigative timeframes.
Save as Finding Snippet — Highlight any text in a result, click “Save as Finding Snippet,” and the Add Finding panel opens automatically. Analysts can save both the original and translated text as separate snippets within the same Finding — ideal for reporting, collaboration, and evidence tracking.
Additional UX improvements — A Case Overview redesign to ensure critical alerts are now front and center; easier navigation in Actor Explore; additional fields on results from Paste sites.
Vision API Updates
For teams building on the DarkOwl API, Q1 brought expanded data access and improved developer experience:
Paste-specific fields now available in Search API: author, postDate, expires, and key
Media Reporting in Context API for sites
Updated API documentation for a smoother integration experience
Collection Stats
Our data collection team continues to astonish us with the quantity of data made available across all DarkOwl products. Let’s highlight just some of that growth year over year:
21% increase in credit card numbers
20.5% increase in email addresses
9% increase in IPs
Notable Content Collected
Our collection and research teams had a busy quarter. Here’s a snapshot of some of the most significant data leaks and original research that happened in Q1.
Original Research
Dark Web Reactions to the Israel–Iran Conflict
In March 2026, our team published an in-depth analysis of how dark web and adjacent communities responded to the escalating conflict between Iran, Israel, and the United States. Hacktivist groups launched over 149 DDoS attacks against 110 organizations—107 of them in the Middle East—within days of the strikes. Jihadist communities on Telegram and Rocket.Chat used the conflict to amplify recruitment narratives, including a call for “global cyber jihad” from a group claiming al-Qaeda ties. Iranian-aligned militia channels circulated target lists and operational claims, while a notable crossover emerged between extremist ideological communities as groups linked to Nihilistic Violent Extremism blurred traditional political lines. DarkOwl continues to monitor these ecosystems as the conflict evolves.
Leaks of Interest
BreachForums 2026
Posted on January 9, 2026, this leak exposed personal data for approximately 324,000 BreachForums users. The exposed data includes usernames, email addresses, and IP addresses for a large population of actors who may participate in buying and selling stolen data. The data came from a database backup dated August 11, 2025, inadvertently left in a publicly accessible directory during a site restoration. A 4,400-word manifesto attributed to a threat actor using the pseudonym “James” accompanied the data, framing the leak as deliberate retaliation against the forum’s users following attacks on French infrastructure.
Harvard University
Posted on ShinyHunters on February 4, 2026, this dataset purports to contain 1 million records from Harvard’s Alumni Affairs and Development systems. The breach originated from a vishing campaign in November 2025 where attackers impersonated support staff and bypassed Multi-Factor Authentication in real time. Researchers describe the exposed data as a “map of influence”—including private home addresses and mobile numbers for prominent individuals alongside sensitive donor contracts and internal strategy documents. The combination of donor financial data, direct contact information, and internal strategy documents creates a rich target for spear-phishing, fraud, and reputational exploitation across a high-profile institution’s network. For security teams evaluating their own exposure, this is immediately relevant to how they think about vishing defenses and privileged access to constituent or membership systems.
LexisNexis
Posted to DarkForums on March 3, 2026 by threat actor FulcrumSec, this breach exploited an unpatched React application on LexisNexis AWS infrastructure via a React2Shell vulnerability combined with a weak RDS master password. The actor claims to have exfiltrated over 2GB of data including plaintext credentials and contact details for 118 U.S. government employees—including federal judges and DOJ attorneys. LexisNexis characterizes the data as largely pre-2020 legacy records. FulcrumSec frames the attack as separate from a 2024 breach that prompted a class-action lawsuit and states it was not geopolitically motivated, but intended to highlight a “sustained pattern of negligence.” For organizations that rely on LexisNexis—law firms, financial institutions, government agencies—exposure of the underlying records is a direct concern. The inclusion of federal judiciary and DOJ contact information in a publicly accessible darknet post significantly elevates risk.
Curious how these features and data can make your job easier? Get in touch!
A previously unknown group calling itself Harakat Ashab al-Yamin al-Islamia (Ashab al-Yamin) has recently emerged, claiming responsibility for a series of attacks across Europe and quickly attracting attention from analysts and media outlets. Reporting by CBS News, citing researchers from Tech Against Terrorism and others, has highlighted the group’s sudden appearance and raised questions about whether it represents a genuine operational network or a rapidly assembled media construct linked to broader geopolitical dynamics.
The group’s presence appears largely confined to Telegram, where it publishes a mix of attack claims, propaganda, and geopolitical commentary. Its Telegram footprint is fragmented, with limited persistent content and much of its activity preserved through secondary or supporter accounts.
Rather than evaluating Ashab al-Yamin as a standalone entity, a closer examination of its Telegram activity suggests a different framing. Patterns of shared content, cross-channel distribution, and overlapping narratives indicate that the group operates within a broader, loosely connected ecosystem of Iranian-aligned channels. This ecosystem overlaps with networks commonly associated with the “Islamic Resistance,” where claims, media, and messaging circulate across multiple accounts rather than originating from a single source.
This raises a central question: is Ashab al-Yamin a distinct organization, or a visible node within a broader networked ecosystem? Let’s dive in.
Telegram Activity and Content Patterns
As of early April 2026, the group’s primary Telegram channel, Harakat Ashab al-Yamin al-Islamia, appears to have been removed or banned from the platform. The most recent identifiable content, dated April 4, included a video claiming responsibility for an attack targeting a building associated with Christians for Israel in Nijkerk, Netherlands. No clear successor channel has been identified at the time of writing, further reinforcing the group’s fragmented and unstable presence across Telegram, where continuity appears dependent on redistribution rather than sustained ownership of a single channel.
As a result, much of the group’s observable activity is derived from secondary or supporter channels, such as صفي الدين, which continues to circulate attack claims, propaganda, and related content attributed to the group.
Initial review of these channels suggests they do not function solely as claim-of-responsibility outlets. Instead, they operate as hybrid media nodes, combining attack claims, geopolitical commentary, and propagandistic amplification of broader regional narratives.
For example, content includes battlefield or intelligence-style analysis, such as satellite imagery purportedly showing damage to U.S.-linked air facilities in Bahrain and Kuwait following Iranian strikes. The accompanying text describes specific targets such as hangars, fuel storage, and drone infrastructure.
Figure 1: Satellite imagery / strike analysis post
This style of posting is consistent with content observed across pro-Iranian Telegram channels, where content blends battlefield updates, geopolitical commentary, and narrative amplification alongside claims of responsibility for attacks in Europe.
Figure 2: London ambulance attack claim video
One such example includes a video documenting an arson attack in London targeting ambulances associated with a Jewish community organization. The accompanying Arabic-language caption frames the incident as an operation carried out by Ashab al-Yamin, referencing a synagogue in the British capital and linking the action to broader anti-Israel narratives.
More recent content attributed to the group includes claims related to an attack targeting a commercial center in Amsterdam. One such post states:
Figure 3: Amsterdam attack video from Ashab al-Yamin
حركة أصحاب اليمين الإسلامية تتبنى استهداف المركز التجاري العالمي في أمستردام، وتدعو شعوب أوروبا إلى الابتعاد عن المصالح الأمريكية والصهيونية فوراً.
Translation: “The Islamic Movement of Companions of the Rights claims responsibility for targeting the World Trade Center in Amsterdam and calls on the peoples of Europe to immediately distance themselves from American and Zionist interests.”
The limited availability of such claims on the group’s official channel, combined with their continued circulation across secondary and affiliated channels, complicates efforts to assess a single point of origin. Instead, messaging is distributed across multiple accounts, where content persists through redistribution rather than consistent publication from a single source.
Content Origination and Cross-Channel Linkages
One particularly notable detail is the presence of Sabereen News branding within video content that was previously reposted by Ashab al-Yamin’s official Telegram channel.
Figure 4: Ashab al-Yamin post showing Sabereen News watermark; London attack
Sabereen News is a Telegram-based media outlet widely associated with Iranian-aligned networks, with multiple analyses pointing to links with Iran’s Islamic Revolutionary Guard Corps–Qods Force (IRGC-QF) and Iran-backed militia groups. Research by the Washington Institute for Near East Policy notes “strong indicators” of IRGC-QF connections and highlights that the channel first appeared on Telegram in January 2020. More recent reporting from Iran International similarly reflects its position within IRGC-linked messaging networks.
The visible Sabereen News watermark within the footage of the London ambulance attack suggests that the video was either sourced from, or circulated through, an Iranian-aligned media channel prior to being reposted by Ashab al-Yamin. Rather than serving as definitive proof of origin, this overlap indicates participation in a shared media pipeline where content is reused and redistributed across channels.
This interpretation is further supported by activity observed on the Sabereen News channel, which regularly publishes operational updates, threat messaging, and geopolitical narratives aligned with Iranian interests.
Additional Sabereen content illustrates this narrative.
Figures 6 & 7: Sabereen News corporate targeting / company list
In this example, Sabereen News publishes a list of Western companies, including technology firms, financial institutions, and defense-related entities, framing them as potential targets linked to broader geopolitical events. While this is not a direct claim of responsibility, it reflects a broader pattern of signaling and narrative shaping seen across affiliated channels.
Additional recent content from Sabereen News further illustrates its role as a central distribution node within this ecosystem. In some cases, this aggregation extends beyond Iranian-aligned actors.
For example, Sabereen News has been observed resharing content attributed to Sunni jihadist groups, including material linked to Ajnad Bayt al-Maqdis. The original post appears to have been published by a Telegram account operating under the name “hamid alqawsi,” before being redistributed through Sabereen. The group’s recent pledge of allegiance to al-Qaeda, dated February 2026, coincides with broader regional escalation, reinforcing patterns of opportunistic emergence tied to major geopolitical events. This further illustrates how content moves across distinct networks through centralized amplification channels.
Figures 8 & 9: Original Telegram post from “hamid_alqawsi” account and subsequent repost by Sabereen News
In a separate example, the channel reposts video footage attributed to Hezbollah depicting a missile strike on the Israeli town of Kiryat Shmona. While not directly linked to Ashab al-Yamin, this type of cross-group content aggregation highlights how Sabereen functions as a broader amplification hub, circulating material from multiple actors and reinforcing shared narratives across the network. Channels such as Sabereen News therefore remain key points of observation for tracking how new identities emerge and reappear within this network.
Figure 10: Sabereen News Telegram post reposting Hezbollah-attributed missile strike footage targeting Israel
An earlier Telegram channel, Haraka Ashab Al Yamin, identified as one of the first to publish content associated with the Amsterdam attack, appears to have been removed or banned from the platform, further complicating efforts to trace content back to a single point of origin.
Across posts, several additional patterns emerge that reinforce this ambiguity. The language is primarily Arabic, with no observable use of Farsi despite speculation of Iranian association, and messaging consistently incorporates anti-Israel and anti-Western themes aligned with broader regional narratives. Taken together, these characteristics further complicate attribution and raise questions about the group’s structure, consistency, and underlying coordination, which become more apparent when examining its claims and media output more closely.
Indicators of Authenticity vs Narrative Construction
The available Telegram content presents a mixed picture of Ashab al-Yamin’s credibility as an operational group. While the channel attempts to project visibility through attack claims and messaging, it lacks several features typically associated with more established militant organizations.
Unlike known Iranian-aligned and PMF-affiliated groups, Ashab al-Yamin does not consistently produce formalized statements, leadership messaging, or a clearly defined media structure. Its presence appears limited in scale, with no clear evidence of sustained or centralized coordination.
At the same time, the quality and style of its media output vary noticeably, with some videos appearing more refined and others more rudimentary. This inconsistency likely reflects contributions from multiple actors rather than a single coordinated media wing. This aligns with assessments from analysts cited in CBS News, who note that such output may be designed to generate psychological impact rather than demonstrate operational sophistication.
The group’s messaging also closely tracks ongoing geopolitical developments, suggesting a degree of responsiveness and an understanding of how to maximize visibility within a rapidly evolving information environment. Taken together, these patterns support the interpretation put forward by the Foundation for Defense of Democracies: that Ashab al-Yamin may function less as a centralized organization and more as a front identity used to claim attacks carried out by loosely connected or externally recruited individuals. This ambiguity becomes more meaningful when placed alongside the wider ecosystem in which the group operates.
More broadly, this model reflects a pattern observed across comparable ecosystems, where decentralization, narrative amplification, and perceived reach are often prioritized over formal organizational structure. In such contexts, visibility and attribution can be strategically leveraged to amplify perceived impact without requiring sustained operational capability.
PMF and Iranian-Aligned Telegram Ecosystem
Rather than viewing Ashab al-Yamin in isolation, its activity is more clearly understood when placed alongside a broader cluster of Telegram channels linked to the “Islamic Resistance” ecosystem.
This ecosystem includes a mix of militia-linked channels, media outlets, and amplifier accounts, including channels such as:
· شباب الإسلام (Shabab al-Islam, “Youth of Islam”)
· أصحاب الكهف (Ashab al-Kahf, “Companions of the Cave”)
· جيش الغضب (Jaysh al-Ghadab, “Army of Anger”)
· صفي الدين (Safee al-Deen)
· التعبئة الشعبية للمقاومة الإسلامية في العراق (بسيج العراق) (Popular Mobilization of the Islamic Resistance in Iraq, “Basij of Iraq”)
· القدرات العسكرية الإيرانية (Iranian Military Capabilities)
These channels regularly publish claims, updates, and propaganda tied to attacks against U.S. and allied targets, and they forward and reshare one another’s content. Together they function as an interconnected network that cross-posts and reinforces shared narratives.
Figure 11: Safee al-Deen / ecosystem connections post
Posts such as the above highlight explicit relationships between multiple groups operating under the umbrella of the “Islamic Resistance,” including Ashab al-Kahf and Jaysh al-Ghadab.
Ashab al-Kahf is an Iraqi militia group aligned with the Islamic Resistance in Iraq, known for claiming attacks against U.S. military and allied targets in the region. Its Telegram presence reflects a structured communication style, including consistent branding, formalized statements, and clearly framed claims of responsibility.
Jaysh al-Ghadab similarly operates within this ecosystem, publishing claims and messaging tied to attacks and broader resistance narratives. Like Ashab al-Kahf, its content reflects a more established and consistent media presence, with recognizable visual identity and integration into a wider network of affiliated channels.
While these groups exhibit more structured branding and communication styles, they operate within the same broader environment as Ashab al-Yamin. Figures 14 and 15 illustrate formalized statements published by Ashab al-Kahf and Jaysh al-Ghadab, both of which were subsequently forwarded by the Shabab al-Islam channel. This pattern highlights how official statements originating from more established actors are redistributed across affiliated channels, reinforcing shared narratives, and expanding reach.
Figures 14 & 15: PMF formal statement example
Both statements follow a consistent format typical of PMF-aligned media output, including religious framing, attribution of attacks against U.S. and Israeli interests, and references to specific operations. For example, one statement claims responsibility for a drone attack targeting Israeli-affiliated infrastructure in Jordan, while emphasizing civilian evacuation warnings and framing the operation within a broader resistance narrative. The second statement similarly adopts formalized language, invoking religious justification, and positioning the attack within the context of ongoing regional conflict. This contrast becomes more apparent when comparing how similar attack-related content appears across different channels within the network.
Figure 16: London ambulance attack claim Ashab al-Yamin TG channel
Figure 17: London ambulance attack claim: Safee al-Deen TG channel
Figures 16 and 17 show the same London ambulance attack claim circulated through the Ashab al-Yamin and Safee al-Deen channels. The content is redistributed across different nodes in the network, often with variations in framing and presentation, which reinforces both visibility and narrative consistency without any single channel having to produce original material.
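To make the cross-posting pattern described above measurable, here is an added example that is not part of the original analysis and is not DarkOwl tooling. It takes message records shaped like a Telegram Desktop JSON export, where each message carries the posting channel and a `forwarded_from` field when it was a forward (the field name is an assumption about the export format), and derives three things: the forwarding edges between channels, each channel’s role as originator or amplifier, and identical content that appears in several channels with no forward metadata at all, as in the London ambulance claim. The channel names and messages are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not real posts). Each record mirrors the fields an
# analyst would pull from a Telegram Desktop JSON export: "channel" is the
# channel the export came from and "forwarded_from" (an assumed field name)
# is the channel a forwarded post originated from, or None for original posts.
SAMPLE_MESSAGES = [
    {"channel": "Channel A", "forwarded_from": None, "text": "statement 1"},
    {"channel": "Amplifier X", "forwarded_from": "Channel A", "text": "statement 1"},
    {"channel": "Amplifier Y", "forwarded_from": "Channel A", "text": "statement 1"},
    {"channel": "Channel B", "forwarded_from": None, "text": "statement 2"},
    {"channel": "Amplifier X", "forwarded_from": "Channel B", "text": "statement 2"},
    {"channel": "Persona Z", "forwarded_from": None, "text": "claim 1"},
    {"channel": "Amplifier X", "forwarded_from": "Persona Z", "text": "claim 1"},
    {"channel": "Persona Z", "forwarded_from": "Amplifier X", "text": "statement 2"},
    # Same claim reposted as an "original" with cosmetic changes and no forward
    # metadata: the kind of recycling that forward counts alone would miss.
    {"channel": "Channel B", "forwarded_from": None, "text": "Claim 1!"},
]


def forwarding_edges(messages):
    """Count directed forwards: (origin channel, reposting channel) -> n."""
    edges = Counter()
    for msg in messages:
        src, dst = msg.get("forwarded_from"), msg["channel"]
        if src and src != dst:
            edges[(src, dst)] += 1
    return edges


def channel_roles(messages):
    """Per channel: original posts, forwards it made, times others forwarded it.

    Many forwarded_by with few forwards_out marks an originator; the reverse
    marks an amplifier. A persona that mostly reposts others' material shows
    up as an amplifier regardless of what it claims in its own name.
    """
    roles = defaultdict(lambda: {"original": 0, "forwards_out": 0, "forwarded_by": 0})
    for msg in messages:
        src, dst = msg.get("forwarded_from"), msg["channel"]
        if src is None:
            roles[dst]["original"] += 1
        else:
            roles[dst]["forwards_out"] += 1
            roles[src]["forwarded_by"] += 1
    return dict(roles)


def _ranked(messages, key, n):
    # Sort by the chosen counter descending, then by name for stable ties.
    roles = channel_roles(messages)
    ordered = sorted(roles.items(), key=lambda kv: (-kv[1][key], kv[0]))
    return [(name, r[key]) for name, r in ordered[:n]]


def top_amplifiers(messages, n=3):
    """Channels that forward the most posts from others."""
    return _ranked(messages, "forwards_out", n)


def top_originators(messages, n=3):
    """Channels whose posts are forwarded most often by others."""
    return _ranked(messages, "forwarded_by", n)


def _normalize(text):
    # Case-fold, drop punctuation, collapse whitespace so "Claim 1!" == "claim 1".
    # \w is Unicode-aware, so Arabic text survives the cleanup.
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", text.casefold())).strip()


def shared_content(messages, min_channels=2):
    """Normalized texts posted by at least `min_channels` distinct channels.

    Catches recycled content that carries no forward metadata (a screenshot
    re-uploaded, a claim retyped with a different framing line, etc.).
    """
    seen = defaultdict(set)
    for msg in messages:
        seen[_normalize(msg["text"])].add(msg["channel"])
    return {t: sorted(chans) for t, chans in seen.items() if len(chans) >= min_channels}


if __name__ == "__main__":
    for (src, dst), n in sorted(forwarding_edges(SAMPLE_MESSAGES).items()):
        print(f"{src} -> {dst}: {n}")
    print("amplifiers:", top_amplifiers(SAMPLE_MESSAGES))
    print("originators:", top_originators(SAMPLE_MESSAGES))
    print("shared:", shared_content(SAMPLE_MESSAGES))
```

On a real collection, the record list is built by loading each channel’s export, tagging every message with that channel’s name, and reading its forward field (assumed here to be `forwarded_from`), then concatenating the lists across channels before running the three functions. The split between forward edges and text-similarity matches is the point: a persona channel that rarely gets forwarded but frequently reposts others, or whose “original” claims match text already seen elsewhere, fits the front-identity pattern described in this analysis better than a channel that originates content the network then spreads.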
A Networked Playbook
The emergence of Ashab al-Yamin aligns with a broader pattern seen across similar ecosystems: the rapid creation of new identities designed to claim responsibility, amplify narratives, and generate strategic effects. Recent analysis by Militant Wire similarly suggests that the group may function less as a traditional organization and more as an “astroturfed” identity embedded within existing Iranian-aligned networks, leveraging low-cost, high-visibility activity to maximize perceived impact.
Rather than representing the development of a traditional, hierarchical organization, this model prioritizes speed, flexibility, and visibility. New entities can quickly establish a presence, insert themselves into ongoing events, and reinforce narratives already circulating across interconnected channels. As noted in reporting by CBS News, even relatively unsophisticated or ambiguous content can achieve outsized strategic effects. This aligns with analysis from the Foundation for Defense of Democracies, which notes that such models can rely on low-cost, deniable actors and coordinated messaging without requiring a formal organizational structure. Recent research by the Global Network on Extremism and Technology similarly highlights how digital actors across different ideological and operational backgrounds can converge within shared wartime ecosystems, forming loose networks that amplify common narratives and targets.
These dynamics are not limited to militant media channels. Similar patterns can be observed among pro-Iranian hacktivist groups, which use Telegram to promote alleged data breaches and advertise them on darknet marketplaces. For example, “APT Iran” has claimed to possess stolen data from Lockheed Martin, promoting it through Telegram and advertising it on a Russian-language darknet marketplace known as “Threat Market.”
The listing advertises an estimated value of approximately $374 million, with an exclusive buyout price nearing $600 million, alongside tiered pricing for partial data access. While these figures remain unverified, their scale reflects a broader pattern of inflated valuation and narrative amplification, where the perceived significance of a breach is emphasized as much as the underlying data itself.
Figures 18 & 19: APT Iran Telegram post referencing Lockheed; Lockheed leak posted on Threat Market
More recent activity suggests increasing instability and responsiveness to external pressure. Following attention surrounding the alleged Lockheed Martin leak, the actor associated with “APT Iran” appears to have changed its Telegram identity to “Brona Blanco” and began posting images of purported source code tied to the breach. Concurrent messaging in Farsi references potential law enforcement scrutiny, including warnings about FBI targeting of infrastructure linked to Threat Market and the implementation of contingency measures such as a “dead man’s switch.”
Figure 20: APT Iran Telegram post referencing the FBI targeting Threat Market
Figure 21: APT Iran/Brona Blanco Telegram post referencing Lockheed Martin Source Code
While these claims remain unverified, this shift in tone and behavior reinforces a consistent pattern observed across these actors: rapid escalation in claims, reactive messaging driven by perceived pressure, and an emphasis on perceived impact over independently verifiable outcomes.
This same dynamic is evident in recent claims by a group calling itself “Ababil of Minab,” which has claimed responsibility for a cyber incident targeting Los Angeles Metro infrastructure. As reported by Dark Web Informer, the group used Telegram to publicize the claim, asserting large-scale data exfiltration and system disruption while providing limited verifiable evidence. While attribution remains unclear, the group’s messaging style and distribution patterns reflect characteristics observed across other Iranian-aligned or Iran-affiliated cyber personas.
Figure 22: “Ababil of Minab” Telegram posts claiming responsibility for a cyber intrusion targeting LA Metro
As with other actors in this ecosystem, the framing of the operation emphasizes scale and impact, including claims of hundreds of terabytes of data being wiped and additional sensitive data extracted. This reflects a recurring dynamic in which perceived significance is amplified through messaging rather than confirmed technical outcomes. This interpretation is consistent with emerging reporting on Iran-linked hybrid activity, where analysts have noted coordination across pro-Iranian online ecosystems and raised questions about the authenticity of some groups operating within them.
Conclusion
Harakat Ashab al-Yamin al-Islamia has emerged rapidly, but its fragmented Telegram presence, recycled media, and overlap with Iranian-aligned channels complicate its assessment as a standalone organization.
Instead, it is best understood as part of a broader ecosystem in which content is circulated, repurposed, and reinforced across multiple actors. In this environment, attribution becomes less about identifying a single origin point and more about understanding how narratives move across channels.
This model allows new entities to project visibility and claim relevance without demonstrating sustained operational capability, blurring the line between coordinated activity and opportunistic amplification.
As this ecosystem evolves, tracking how new entities emerge, gain visibility, and integrate into existing networks will remain critical to assessing how influence and perceived operational reach are constructed within these networks.
If 2024 signaled that ransomware was becoming a systemic threat, 2025 confirmed it. Over the course of the year, ransomware evolved into one of the most disruptive forces in the cyber landscape, affecting thousands of organizations and costing billions of dollars in damages. What distinguishes 2025 is not just the scale of attacks, but the speed, accessibility, and industrialization of ransomware operations.
In this blog we will review ransomware attacks in 2025 and how they have evolved.
A Surge in Attacks and Victims
Estimates of global ransomware attacks in 2025 ranged from roughly 7,400 to more than 9,000 incidents, depending on the dataset, a 40–50 percent increase over the previous year. That works out to hundreds of organizations falling victim each month, with attacks occurring at a near-continuous pace worldwide.
Victim counts followed a similar trajectory. In some datasets, more than 7,000 organizations were publicly identified as ransomware victims, while others tracked thousands more unreported or undisclosed incidents. Growth rates in victim numbers exceeded 50 percent year over year, and the final quarter of 2025 alone saw record-breaking figures.
What stands out is not just the volume, but the breadth. Ransomware was no longer reserved for high-value, carefully selected targets. Instead, it became a high-frequency, opportunistic threat—impacting organizations across every sector and size.
Who Was Targeted
One of the characteristics of ransomware activity in 2025 was its focus on critical industries. Roughly half of all attacks targeted sectors that underpin modern economies, including manufacturing, healthcare, energy, transportation, and financial services. Manufacturing, in particular, emerged as the most frequently targeted industry, accounting for a significant share of global incidents.
When production lines halt, hospitals lose access to patient systems, or energy infrastructure is disrupted, the pressure to pay a ransom increases dramatically. Cybercriminals have become adept at identifying and exploiting this urgency.
At the same time, small and medium-sized businesses continued to bear a disproportionate share of attacks. With fewer resources to invest in cybersecurity and often relying on outdated systems, these organizations presented attractive, low-resistance targets. Ransomware groups no longer needed to focus exclusively on large enterprises to generate profit; scale alone could drive returns.
Geographically, the United States remained the epicenter of ransomware activity, accounting for roughly half of all recorded attacks. Thousands of incidents were reported across the country, while Europe as a whole and Canada also experienced notable increases. This concentration reflects both the density of high-value targets and the interconnected nature of global supply chains.
The Cost of Ransomware
While ransom payments themselves often make headlines, they represent only a fraction of the total economic impact. In 2025, global ransomware damages were estimated at tens of billions of dollars, with some projections placing the figure as high as $57 billion.
The average cost of a ransomware attack, including downtime, recovery, legal fees, and reputational damage, hovered around $5 million. Even when companies chose not to pay the ransom, recovery costs alone frequently exceeded $1 million.
Furthermore, a single attack could also impact supply chains, disrupting thousands of dependent businesses. Industry analyses throughout 2025 consistently highlighted the systemic impact of ransomware events, particularly in manufacturing and industrial sectors.
Ransomware Tactics
The tactics used by ransomware groups in 2025 reflected a shift toward greater sophistication and efficiency. Double extortion became the standard model: attackers not only encrypted data but also exfiltrated sensitive information and threatened to release it publicly, preserving leverage even against victims with reliable backups. A tested backup therefore no longer neutralizes the attack; detecting and blocking bulk data egress matters as much as being able to restore.
In some cases the data was never encrypted at all, and victims were extorted purely on the threat of exposure. This approach reduced operational complexity for the attacker while maintaining high pressure on the victim.
Artificial intelligence also played an increasingly important role. AI-generated phishing lures let attackers craft convincing, personalized messages at scale, improving success rates, and automation let them launch and adapt attacks faster than before, compressing timelines and overwhelming traditional defenses. The first signs of AI being used to develop or operate ransomware itself also appeared, a trend observed more clearly in early 2026.
Underlying all of this was the continued growth of ransomware-as-a-service (RaaS) platforms. These ecosystems provided tools, infrastructure, and support to affiliates, allowing even relatively inexperienced actors to carry out sophisticated attacks. As a result, the number of active ransomware groups expanded significantly, with well over a hundred groups operating throughout the year. DarkOwl monitors these groups’ leak sites so organizations can check whether any company in their supply chain has been listed as a victim.
The Most Active Ransomware Groups
In 2025, several groups stood out for their scale and impact. Qilin emerged as one of the fastest-growing ransomware-as-a-service operations, leveraging an affiliate model that enabled rapid expansion and a steady stream of attacks. Its accessibility made it particularly influential in lowering the barrier to entry for new cybercriminals.
Akira was another prominent group, targeting enterprises and critical infrastructure with a high volume of attacks.
RansomHub gained notoriety for sheer scale, reportedly linked to hundreds of victims across multiple sectors.
Meanwhile, Clop continued to execute large-scale campaigns, often exploiting vulnerabilities in widely used software to compromise multiple organizations simultaneously.
In addition to these established groups, 2025 saw the rise of more fluid, collaborative networks—sometimes described as “supergroups”—where actors shared tools, infrastructure, and intelligence. This blurred the lines between distinct organizations and made attribution more difficult.
Conclusion
Ransomware in 2025 was defined by scale, speed, and systemic impact. Attacks reached record levels, victims spanned every sector, and the financial consequences extended far beyond individual organizations. The rise of new groups, the maturation of existing ones, and the evolution of attack methods underscored a fundamental shift: ransomware is no longer a niche cyber threat but a core challenge for modern economies.
As organizations look ahead, the lessons of 2025 are clear. Defending against ransomware will require not only stronger technical controls but also a deeper understanding of the threat ecosystem, greater resilience in critical systems, and a willingness to adapt to an adversary that continues to evolve.
Curious how DarkOwl tracks ransomware activity? Contact us.
Imagine this: you throw on a black hoodie, turn off the lights, and sit hunched over your computer while lines of code fly across the screen. Congratulations, you’re officially a “hacker.” At least that’s how movies and TV have trained us to picture it.
For decades, pop culture has leaned hard into the stereotype of the mysterious genius typing furiously in the dark, breaking into systems in seconds while dramatic music swells. Most of the time it’s wildly exaggerated, sometimes to the point of being laughable. But every now and then, a show or film comes along that actually gets parts of it right.
In this blog, we’ll review some of our favorite portrayals of hacking in media and what they nailed, what they completely missed, and why some stand out as surprisingly realistic in a sea of blinking screens and instant “I’m in!” moments.
Mr. Robot
When it comes to television series that portray cybercrime with striking realism, USA Network’s Mr. Robot consistently ranks among the best. Airing from 2015 to 2019, the series centers on a young cybersecurity engineer in New York City whose exceptional hacking skills draw him into an underground collective of hacktivists. As he becomes entangled in their mission to dismantle corporate power structures, he evolves into a deeply flawed and morally conflicted cyber-vigilante.
Within the first episodes of the show, Hollywood’s usual treatment of hacking is thrown out the window. What would normally be shown as frantic keyboard typing is instead a focus on social engineering and email phishing, which aligns much more closely with the activity of real-world threat actors, for whom the human is usually the cheapest way in.
A component of Mr. Robot’s accuracy comes from the experts behind the scenes. The show consulted Michael Bazzell, a cybercrime detective with 10 years’ experience working with the FBI. In interviews, Bazzell has stated that all code shown in the series was real and written by members of the team, and that if an element of a hack could not work in the real world, the storyline was often scrapped. Many cybersecurity practitioners applauded the show’s accuracy, citing its legitimate attack patterns and authentic hacker methodology.
WarGames (1983)
Released during the Cold War, the 1983 film WarGames follows high school student David, who accidentally hacks into a military computer and nearly triggers a war between the U.S. and USSR. After David mistakenly identifies the military supercomputer as belonging to a video game company, two experienced hackers introduce him to the concept of “backdoor passwords.” Using this hidden access method, a credential left in by the system’s designer, they bypass normal security controls and enter the system, reinforcing the film’s surprisingly realistic portrayal of early computer security weaknesses: undocumented credentials defeat every control in front of them.
Despite its seemingly far-fetched plot, President Reagan ordered a national security review after viewing the film. The Joint Chiefs of Staff concluded that the scenario was “technically possible,” and the following year Reagan signed NSDD-145, the first presidential directive on computer security. In 1984 Congress passed the first federal computer crime statute, the Counterfeit Access Device and Computer Fraud and Abuse Act, with the House committee report making specific reference to the film; it was expanded into the Computer Fraud and Abuse Act in 1986.
One of the key factors behind the film’s technical credibility was due to the depth of its research. During development, the screenwriters consulted with Willis Ware, author of the influential 1967 paper, Security and Privacy in Computer Systems. Ware confirmed that military computer systems could, in fact, have remote access points — a detail that helped shape the film’s central premise.
Blackhat (2015)
Leveraging the star power of Chris Hemsworth, the 2015 action thriller Blackhat follows a furloughed convict and elite hacker who becomes the only person capable of helping authorities track down the cybercriminals responsible for breaching a nuclear power plant. While the film delivers explosive, high-stakes action, many cybersecurity experts have noted that its depiction of hacking techniques, particularly in the first half, reflects a surprisingly authentic approach to real-world cyber operations before the plot departs from realism.
The characters in the film are trying to stop a malware attack on critical infrastructure modeled on Stuxnet. Stuxnet was the malware, deployed around 2009 and discovered in 2010, that caused substantial damage to Iran’s nuclear program after it was introduced into computers at the Natanz enrichment facility. It reportedly destroyed roughly one-fifth of Iran’s nuclear centrifuges by manipulating the industrial controllers that drove them.
Viewers also praised the film for its relatively authentic portrayal of hacking. Instead of relying solely on flashy visuals, it shows Chris Hemsworth’s character working in black terminal windows with command-line tools, Tor, and keyloggers. Like many successful tech-focused films, Blackhat relied on multiple consultants during development and production. The most prominent was former black-hat hacker turned journalist Kevin Poulsen, who served a federal prison sentence for computer crimes in the 1990s and contributed extensively to the film’s technical realism; some viewers have speculated that Hemsworth’s character was partly inspired by him. Another consultant was mathematician Chris McKinlay, known for his data-driven hack of the dating site OkCupid.
What Hollywood Gets Wrong
While researching shows and movies for this blog, one theme repeatedly appeared when discussing believability: time. To maintain pacing and excitement, many portrayals show hacking happening almost instantly. After only a few keystrokes and quick swipes across a screen, the hacker is suddenly inside the most secure government databases. For instance, in the 2001 film Swordfish, the main character is held at gunpoint and forced to hack into the DEA’s system; something he manages to accomplish in just sixty seconds.
Another scenario common in entertainment, especially law-enforcement dramas, is the victim who “knows” they are being hacked as it happens. In practice, the point of an intrusion is to stay as quiet as possible for as long as possible while collecting as much as possible, and systems rarely display UI elements announcing that they are under attack. Real intrusions are typically discovered through log review, security alerts, or notification from a third party, often long after initial access.
A common theme in many cybercrime films and television shows is the choice of targets. These stories often focus on hackers going after the biggest and most powerful entities, such as governments or major financial institutions. In reality, the most frequent victims of cyberattacks are ordinary individuals who often lose personal information when hackers breach databases containing private customer data.
And finally, even though the media often depict someone yanking the power cord from a monitor to stop a hack, unplugging your monitor only turns off the display; the computer, and the attacker’s access to it, keeps running.
Conclusion
A trend seen with many of the shows that are praised for being realistic is the use of consulting with experts in the field. Sometimes real-world events are so strange or unbelievable that they feel like they were written for TV. Those moments can make great plot devices and when shows draw from situations that have happened, it can make their stories feel even more realistic.
As demonstrated by the film WarGames, fictional stories can still drive real-world change. President Reagan’s inquiry following the movie prompted efforts to strengthen the United States’ defensive and offensive cyber capabilities. This underscores one of the many reasons why getting these portrayals right matters: entertainment projects can leave a lasting imprint on history.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.